G0068: PLATINUM
Analyst context for executives and security teams
PLATINUM matters because ATT&CK links the group to long-running, targeted activity against government and related organizations in South and Southeast Asia, with associated Windows backdoors and behaviors that emphasize initial access, credential capture, stealth, privilege escalation, and command-and-control. For leaders, the decision value is not to assume exposure everywhere, but to validate whether high-value users, government-facing programs, regional operations, and Windows endpoint estates have evidence-quality controls for phishing, drive-by exposure, credential theft, and backdoor activity.
Executive priority
Prioritize this object where the organization has South or Southeast Asia government relationships, regional operations, sensitive public-sector data, or Windows-heavy environments supporting critical business functions. Ask whether the SOC can prove coverage for credential access against LSASS, keylogging/API credential capture, suspicious tool transfer, masquerading, process injection, and non-standard network communications. This is also useful for audit and resilience discussions because the ATT&CK relationships map to control areas such as email security, endpoint logging, privileged access hardening, vulnerability management, and incident response evidence preservation.
Technical view
ATT&CK does not provide group-level detection text or platforms for PLATINUM, so defenders should validate coverage through the related software and techniques. Relationships identify Dipsind, JPIN, and adbupd as Windows backdoors associated with PLATINUM, and techniques include spearphishing attachment, malicious file execution, drive-by compromise, LSASS memory access, keylogging, credential API hooking, process injection, masquerading, exploitation for privilege escalation, ingress tool transfer, and non-application-layer command-and-control. SOC and IR teams should test whether endpoint, identity, email, web, and network telemetry can connect an initial access event to follow-on credential access, stealth, tool transfer, and C2 indicators without relying on a single alert type.
Likely telemetry
- Email security logs for targeted attachments and user delivery context
- Endpoint process creation, module load, memory access, and injection-related telemetry
- Windows security events and endpoint alerts relevant to LSASS access and privileged process activity
- File creation, rename, path, metadata, and execution records for masquerading and malicious files
- Browser, proxy, DNS, and web gateway logs for drive-by compromise investigation
- Network flow or packet capture taken off the host (switch, firewall, or tap), because the Intel AMT Serial-over-LAN channel listed in the technique table is handled by the platform's management engine and does not appear in the host operating system's own network telemetry
Detection direction
- Do not treat the group name alone as a detection strategy; validate detections against the related behaviors and software relationships.
- Tune for sequences: suspicious attachment or drive-by exposure followed by malicious file execution, tool transfer, credential access, process injection, masquerading, or unusual C2. For the Intel AMT Serial-over-LAN channel cited for tool transfer and C2, note that the traffic is terminated by the Intel Management Engine rather than the host OS, so host firewall logs and endpoint network events will not record it; look for it on the wire instead (AMT listens on TCP 16992-16995 by default) and in the AMT event log.
- For LSASS memory access, distinguish legitimate administrative/security tooling from unexpected access by unusual processes, recently dropped binaries, or user-writable paths.
- For keylogging and credential API hooking, confirm endpoint telemetry is capable of seeing suspicious hooks, input capture behavior, or related malware detections; these behaviors may be low-noise but also telemetry-dependent.
- For masquerading, compare process names, paths, signatures, parent-child relationships, and expected administrative patterns rather than matching names only.
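The sequence tuning, LSASS allowlisting and masquerading comparison described in the bullets above, as an added example in Python that is not part of the original page, of MITRE ATT&CK, or of the Microsoft reports cited. Event shapes loosely follow Sysmon process-creation, process-access and network-connection records, but the field names, the allowlists, the path prefixes, the port list and the sample events are all assumptions constructed for this example and must be tuned to the real estate.

```python
"""Sequence-oriented detection over constructed endpoint events.

Added example for this page; not code from MITRE or from the Microsoft
reports it cites. Field names loosely follow Sysmon (process create,
process access, network connect) but are simplified assumptions.
"""
import ntpath
from datetime import datetime, timedelta

# Assumed allowlists and path prefixes; tune these to your own estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LSASS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
PROCESS_VM_READ = 0x0010          # access right needed to read LSASS memory
EXPECTED_PORTS = {80, 443}        # assumed "normal" outbound ports


def base(path):
    return ntpath.basename(path).lower()


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def classify(ev):
    """Return the set of rule names one event trips (empty when benign)."""
    hits = set()
    kind = ev["type"]
    if kind == "process_create":
        img = ev["image"]
        # Office application launching a child: user execution of an attachment
        if base(ev.get("parent", "")) in OFFICE_PARENTS:
            hits.add("office_spawn")
        # Masquerading: PE OriginalFileName disagrees with the on-disk name,
        # or a system binary name runs from outside the system directories
        ofn = ev.get("original_file_name", "")
        if (ofn and ofn.lower() != base(img)) or (
                base(img) in SYSTEM_NAMES and not img.lower().startswith(SYSTEM_DIRS)):
            hits.add("masquerade")
    elif kind == "process_access" and base(ev["target"]) == "lsass.exe":
        src = ev["source"]
        # Unexpected LSASS reader: not allowlisted, or running from a user-writable path
        if ev["granted"] & PROCESS_VM_READ and (
                base(src) not in LSASS_ALLOWED or user_writable(src)):
            hits.add("lsass_access")
    elif kind == "net_connect":
        # Binary in a user-writable path talking outbound on a non-web port
        if user_writable(ev["image"]) and ev["dst_port"] not in EXPECTED_PORTS:
            hits.add("unusual_c2")
    return hits


def correlate(events, window=timedelta(minutes=30), min_rules=2):
    """Per host, find the time window in which the most distinct rules fired.

    Returns {host: set_of_rules} for hosts where at least `min_rules`
    different rules fire within `window` of each other. A single rule hit
    in isolation never reports, which is the point of sequence tuning.
    """
    by_host = {}
    for ev in events:
        for rule in classify(ev):
            by_host.setdefault(ev["host"], []).append((ev["ts"], rule))
    chains = {}
    for host, items in by_host.items():
        items.sort()
        best = set()
        for i, (ts0, _) in enumerate(items):
            rules = {r for ts, r in items[i:] if ts - ts0 <= window}
            if len(rules) > len(best):
                best = rules
        if len(best) >= min_rules:
            chains[host] = best
    return chains


T0 = datetime(2024, 5, 6, 9, 0, 0)   # constructed timestamp
TEMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # ws-01: Word (attachment) launches a dropper from the user's temp directory
    {"ts": T0, "host": "ws-01", "type": "process_create",
     "image": TEMP + "update.exe", "original_file_name": "update.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    # ws-01: archiver renamed to a system binary name (cf. the rar.exe rename in the technique table)
    {"ts": T0 + timedelta(minutes=4), "host": "ws-01", "type": "process_create",
     "image": TEMP + "svchost.exe", "original_file_name": "Rar.exe",
     "parent": TEMP + "update.exe"},
    # ws-01: the dropped binary opens LSASS with read access
    {"ts": T0 + timedelta(minutes=9), "host": "ws-01", "type": "process_access",
     "source": TEMP + "update.exe", "target": "C:\\Windows\\System32\\lsass.exe",
     "granted": 0x1010},
    # ws-01: the same binary beacons out on a non-web port
    {"ts": T0 + timedelta(minutes=12), "host": "ws-01", "type": "net_connect",
     "image": TEMP + "update.exe", "dst_ip": "203.0.113.10", "dst_port": 8443},
    # ws-02: antivirus engine reading LSASS from a system path: expected, not flagged
    {"ts": T0, "host": "ws-02", "type": "process_access",
     "source": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "granted": 0x1010},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
```

Run stand-alone it reports only ws-01, with all four rules in one chain; ws-02's allowlisted LSASS reader produces nothing, and shrinking the window or raising `min_rules` makes the same events fall back to isolated, unreported hits. The per-rule checks deliberately compare path, parent and PE metadata rather than the process name alone, which is the masquerading point above.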
Mitigation priorities
- Harden initial access first: email attachment controls, user execution safeguards, browser/web controls, and security awareness for targeted malicious files.
- Reduce credential theft impact through privileged access minimization, LSASS protection where appropriate, credential hygiene, and monitoring of high-value accounts.
- Maintain vulnerability management for operating systems and exposed software because ATT&CK links the group to exploitation for privilege escalation.
- Strengthen endpoint prevention and visibility for process injection, suspicious memory access, masquerading, and unauthorized tool transfer.
- Limit and monitor outbound communications, especially unusual protocols or destinations, and ensure network telemetry supports incident reconstruction.
Analyst notes and limits
The supplied ATT&CK object identifies PLATINUM as an activity group active since at least 2009 and focused on governments and related organizations in South and Southeast Asia, citing Microsoft’s April 2016 report. The strongest relationship-driven context is the use of three Windows backdoor families and multiple techniques spanning initial access, execution, credential access, stealth, privilege escalation, and command-and-control. Use this object primarily to guide defensive validation and intelligence-led hunting, not as a standalone basis for attribution.
Official group-level detection, tactics, and platforms are not provided. Related software platforms point to Windows, while related techniques include several multi-platform entries; therefore local platform relevance must be determined from the environment. The supplied fields do not support claims of current activity, active exploitation, customer exposure, or guaranteed detection coverage.
PLATINUM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1189 | Drive-by Compromise | PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1105 | Ingress Tool Transfer | PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel. (Citation: Microsoft PLATINUM June 2017) |
| Enterprise | T1204.002 | User Execution: Malicious File | PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | PLATINUM has leveraged a zero-day vulnerability to escalate privileges. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1056.001 | Input Capture: Keylogging | PLATINUM has used several different keyloggers. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PLATINUM has used keyloggers that are also capable of dumping credentials. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1095 | Non-Application Layer Protocol | PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control. (Citation: Microsoft PLATINUM June 2017) |
| Enterprise | T1055 | Process Injection | PLATINUM has used various methods of process injection including hot patching. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector. (Citation: Microsoft PLATINUM April 2016) |
| Enterprise | T1036 | Masquerading | PLATINUM has renamed rar.exe to avoid detection. (Citation: Twitter ItsReallyNick Platinum Masquerade) |
Groups, software, and campaigns
S0201: JPIN
S0200: Dipsind
S0202: adbupd
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 73adbb21b1f5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft PLATINUM April 2016: Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- [2] PLATINUM (Citation: Microsoft PLATINUM April 2016)
- [3] mitre-attack: G0068
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.