G0018: admin@338
admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]
Analyst context for executives and security teams
admin@338 matters because the ATT&CK record links the group to targeted lure-based delivery, public RAT use such as PoisonIvy, non-public backdoors, and post-compromise discovery activity. For leaders, the decision value is whether the organization can prove it would see a targeted email leading to Windows command execution, RAT/backdoor persistence or communications, and rapid host/network/account discovery before follow-on activity expands.
Executive priority
Prioritize this as a targeted-intrusion readiness scenario rather than a single malware problem. Organizations involved in financial, economic, trade policy, media, or similarly sensitive decision-making should use it to test email security, endpoint visibility, Windows administrative command monitoring, incident response triage, and evidence needed for audit or regulatory reporting. The key business question is: can security teams connect a suspicious attachment or exploit event to host discovery, account/group enumeration, network reconnaissance, and possible backdoor activity quickly enough to contain affected systems?
Technical view
ATT&CK provides no official detection text and no platform list for the intrusion-set object itself, but relationships show use of Windows-oriented software and utilities including PoisonIvy, LOWBALL, BUBBLEWRAP, Net, Systeminfo, ipconfig, and netstat. Validation should focus on the related techniques: spearphishing attachment and malicious file execution, client-side exploitation, Windows command shell use, local account and group discovery, service discovery, system information discovery, file and directory discovery, and network configuration/connection discovery. SOC teams should test whether endpoint, email, and network telemetry can correlate these behaviors into a single intrusion storyline instead of treating each command as benign administration.
Likely telemetry
- Email security logs for targeted messages, attachments, attachment detonation results, and user interaction indicators
- Endpoint process creation telemetry for cmd.exe and Windows utilities such as net, systeminfo, ipconfig, and netstat
- Command-line arguments and parent/child process relationships around document readers, archive tools, shells, and administrative utilities
- Endpoint file, registry, and startup/persistence evidence relevant to backdoors that run at boot
- Network connection metadata from endpoints, including unusual outbound RAT or backdoor communications where locally observable
Detection direction
- Validate correlation logic for phishing attachment or malicious-file execution followed by command shell activity and discovery commands.
- Tune for suspicious clustering of discovery commands rather than alerting on single utilities alone, since Net, ipconfig, systeminfo, and netstat are legitimate administrative tools.
- Review allowlists and suppression rules for common admin commands; excessive suppression can hide post-compromise discovery.
- Hunt for host discovery followed by backdoor-like persistence or outbound communications, using the related software context for PoisonIvy, LOWBALL, and BUBBLEWRAP without assuming every environment has those specific samples.
- Confirm detections retain command-line, parent process, user context, hostname, and network destination details needed for incident reconstruction.
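The clustering and correlation logic sketched in the points above, as an added example that is not code from ATT&CK, FireEye, or Glexia. It parses a constructed pipe-delimited process-creation feed (the field layout, the five-minute window, the three-distinct-tools threshold, and the list of document-handling parent images are all assumptions for the example, loosely modelled on Sysmon Event ID 1), flags a cmd.exe whose children include several distinct discovery utilities within the window, raises severity when that shell descends from a document reader such as WINWORD.EXE, and keeps user, parent and every command line so the result can be reconstructed later. A lone ipconfig or systeminfo never alerts, which is the point of the tuning guidance.

```python
"""Cluster-based discovery detection over constructed process-creation events.

Added example (not code from the ATT&CK record, the FireEye report, or Glexia).
Field layout, thresholds and the sample lines are constructed for illustration;
map them onto your EDR or Sysmon Event ID 1 schema before use.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Utilities related to G0018 in ATT&CK: Net (plus net1.exe, which net.exe hands
# off to for some subcommands), Systeminfo, ipconfig and netstat.
DISCOVERY_IMAGES = {"net.exe", "net1.exe", "systeminfo.exe", "ipconfig.exe", "netstat.exe"}
SHELL_IMAGES = {"cmd.exe"}
# Assumed list of attachment-handling parents that should raise severity.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
WINDOW = timedelta(minutes=5)   # assumed clustering window
MIN_DISTINCT_TOOLS = 3          # assumed threshold; a single utility never alerts


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed line: ts|host|user|pid|ppid|image|parent_image|cmdline."""
    ts, host, user, pid, ppid, image, parent, cmdline = line.split("|", 7)
    return ProcEvent(datetime.fromisoformat(ts), host, user, int(pid), int(ppid),
                     image.lower(), parent.lower(), cmdline)


def find_discovery_clusters(events: Iterable[ProcEvent],
                            window: timedelta = WINDOW,
                            min_tools: int = MIN_DISTINCT_TOOLS) -> List[Dict]:
    """One finding per shell whose discovery children cluster inside `window`.

    Each finding keeps user, shell parent, tool set and every command line so an
    analyst sees a storyline instead of isolated per-utility alerts.
    """
    events = list(events)
    shells = {(e.host, e.pid): e for e in events if e.image in SHELL_IMAGES}
    children: Dict[tuple, List[ProcEvent]] = defaultdict(list)
    for e in events:
        if (e.host, e.ppid) in shells and e.image in DISCOVERY_IMAGES:
            children[(e.host, e.ppid)].append(e)

    findings = []
    for key, kids in children.items():
        kids.sort(key=lambda e: e.ts)
        for i, first in enumerate(kids):          # slide the window over children
            burst = [k for k in kids[i:] if k.ts - first.ts <= window]
            tools = {k.image for k in burst}
            if len(tools) < min_tools:
                continue
            shell = shells[key]
            findings.append({
                "host": shell.host,
                "user": shell.user,
                "shell_parent": shell.parent_image,
                "severity": "high" if shell.parent_image in DOCUMENT_PARENTS else "medium",
                "tools": sorted(tools),
                "cmdlines": [k.cmdline for k in burst],
                "start": burst[0].ts.isoformat(),
                "end": burst[-1].ts.isoformat(),
            })
            break                                 # report each shell once
    return findings


def analyze(log_text: str) -> List[Dict]:
    """Parse raw lines and run the cluster logic."""
    return find_discovery_clusters(parse_event(l) for l in log_text.splitlines() if l.strip())


# Constructed sample: HOST-A is a Word-spawned shell running five discovery
# commands in under a minute; HOST-B is a helpdesk admin running two utilities
# hours apart, which must stay below the threshold.
SAMPLE_LOG = r"""
2024-03-05T09:00:01|HOST-A|CORP\jdoe|4120|3988|WINWORD.EXE|explorer.exe|"WINWORD.EXE" /n C:\Users\jdoe\Downloads\press.doc
2024-03-05T09:00:07|HOST-A|CORP\jdoe|4412|4120|cmd.exe|WINWORD.EXE|cmd.exe
2024-03-05T09:00:09|HOST-A|CORP\jdoe|4430|4412|net.exe|cmd.exe|net user
2024-03-05T09:00:12|HOST-A|CORP\jdoe|4444|4412|net.exe|cmd.exe|net localgroup administrators
2024-03-05T09:00:20|HOST-A|CORP\jdoe|4460|4412|systeminfo.exe|cmd.exe|systeminfo
2024-03-05T09:00:31|HOST-A|CORP\jdoe|4471|4412|ipconfig.exe|cmd.exe|ipconfig /all
2024-03-05T09:00:45|HOST-A|CORP\jdoe|4488|4412|netstat.exe|cmd.exe|netstat -ano
2024-03-05T10:15:00|HOST-B|CORP\helpdesk|2200|1800|cmd.exe|explorer.exe|cmd.exe
2024-03-05T10:15:05|HOST-B|CORP\helpdesk|2210|2200|ipconfig.exe|cmd.exe|ipconfig /flushdns
2024-03-05T14:40:00|HOST-B|CORP\helpdesk|2290|2200|systeminfo.exe|cmd.exe|systeminfo
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["host"], f["user"], "via", f["shell_parent"], f["tools"])
```

Running the block against the constructed feed yields a single high-severity finding for HOST-A (four distinct tools, five command lines, shell parent winword.exe) and nothing for HOST-B. Note that the logic deliberately does not suppress on the user account: an admin username in the event is useful triage context for the analyst, but using it as a suppression key is exactly how post-compromise discovery under a legitimate account disappears from view.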
Mitigation priorities
- Strengthen email attachment controls, sandboxing, and user-reporting workflows for targeted lure scenarios.
- Maintain timely patching of client applications to reduce exposure to exploitation for client execution.
- Harden endpoint execution controls and monitor suspicious child processes from document or attachment-handling applications.
- Limit and monitor local administrative privileges so account and group discovery does not easily lead to privilege escalation or lateral movement decisions.
- Ensure EDR, email, and network logging are retained long enough to reconstruct an intrusion from initial delivery through discovery and backdoor activity.
Analyst notes and limits
This take is based on the ATT&CK v19.1 intrusion-set record for admin@338 and its supplied relationships. The group description cites use of newsworthy lures, targeting of financial/economic/trade policy organizations, public RATs such as PoisonIvy, and non-public backdoors. Relationship context adds LOWBALL, BUBBLEWRAP, Windows utilities, and discovery/execution/initial-access techniques that are useful for defensive validation.
The intrusion-set object has no official detection text, no tactics listed directly on the object, and no platform list for the group itself. Related software and techniques provide useful context, but local telemetry, control configuration, and current threat intelligence are required before assessing exposure or detection coverage. This summary does not claim current activity or confirmed targeting of any specific organization.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | admin@338 has sent emails with malicious Microsoft Office documents attached. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | admin@338 actors used the following command to rename one of their tools to a benign file name: |
| Enterprise | T1083 | File and Directory Discovery | admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1087.001 | Account Discovery: Local Account | |
| Enterprise | T1203 | Exploitation for Client Execution | admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158. [1] |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1204.002 | User Execution: Malicious File | admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails. [1] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
Groups, software, and campaigns
S0043: BUBBLEWRAP
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [1]
S0042: LOWBALL
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]
S0012: PoisonIvy
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0104: netstat
S0100: ipconfig
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 895fbb5d4a44… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye admin@338: FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- [2] admin@338 (Citation: FireEye admin@338)
- [3] mitre-attack: G0018
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.