
S0003: RIPTIDE

RIPTIDE is a proxy-aware backdoor used by APT12. [1]

Domain: Enterprise | ID: S0003 | Type: Malware | Object version: 1.1 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

RIPTIDE matters because it is a Windows, proxy-aware backdoor associated in ATT&CK with APT12 and with command-and-control over web protocols using symmetric cryptography. For leaders, the practical issue is not the malware name itself, but whether normal-looking web/proxy traffic from Windows systems can hide unauthorized remote control and whether the organization can prove it has enough endpoint, proxy, DNS, and network evidence to investigate it.

Executive priority

Prioritize validation of outbound web egress visibility, proxy logging, and Windows endpoint investigation readiness. This object is especially relevant to business continuity and incident response decision-making because encrypted or web-like command-and-control can delay containment if SOC teams cannot distinguish legitimate proxy-mediated traffic from suspicious beaconing. It also supports audit and compliance conversations around logging sufficiency, egress control, and evidence retention.

Technical view

ATT&CK provides no object-specific detection text, so teams should build coverage from the supplied relationships: RIPTIDE is a Windows backdoor that uses Web Protocols for command-and-control and Symmetric Cryptography to conceal C2 content. SOC and IR teams should validate whether Windows endpoint telemetry can be correlated with proxy, web, DNS, and network metadata to identify unusual outbound destinations, abnormal user-agent or request patterns, recurring beacon-like connections, encrypted payload patterns outside expected application behavior, and processes making unexpected web connections through enterprise proxies.

Likely telemetry

  • Windows endpoint process execution and network connection telemetry
  • Proxy and secure web gateway logs
  • Firewall and outbound egress logs
  • DNS query and response logs
  • HTTP/HTTPS metadata such as destination, method, host, URI path, user-agent, status code, byte counts, and timing where available

Detection direction

  • Confirm that Windows hosts using enterprise proxies are not a blind spot; proxy-aware malware may appear as permitted web traffic rather than direct outbound connections.
  • Tune for correlation, not single indicators: suspicious process-to-destination relationships, repetitive timing, rare external hosts, unusual proxy authentication context, and web traffic inconsistent with the initiating process can be more useful than content inspection alone.
  • Account for false positives from legitimate software updaters, browsers, collaboration tools, and security agents that also generate frequent web traffic.
  • Because symmetric cryptography may conceal command content, emphasize metadata, destination reputation/context, endpoint process lineage, and deviations from normal egress behavior.
  • Use the APT12 relationship as threat-intelligence context for prioritization, but do not treat it as proof of attribution without local evidence.

Mitigation priorities

  • Establish and enforce outbound egress controls for Windows systems, including proxy use, destination allow/deny policies, and monitoring of unusual external communications.
  • Ensure proxy, DNS, firewall, and endpoint telemetry are retained long enough to support incident response reconstruction.
  • Harden Windows endpoints with least privilege, application control where feasible, and response processes for isolating hosts suspected of backdoor activity.
  • Validate SOC playbooks for encrypted or web-protocol command-and-control where payload visibility is limited.
  • Use threat-informed testing to confirm analysts can pivot from suspicious web traffic to host process evidence and containment decisions.

Analyst notes and limits

The supplied ATT&CK record is sparse: RIPTIDE is described as a proxy-aware backdoor used by APT12, with relationships to Web Protocols and Symmetric Cryptography for command-and-control. The strongest defensive value is validating visibility across Windows endpoints and web egress infrastructure, especially where proxies and encryption can normalize malicious traffic.

No official ATT&CK detection guidance, aliases, labels, or tactics are provided directly on the malware object. The command-and-control framing comes from the supplied technique relationships. Local environment baselines, approved proxy behavior, and endpoint telemetry quality are required before making detection or exposure claims.

Official MITRE ATT&CK definition

RIPTIDE

RIPTIDE is a proxy-aware backdoor used by APT12. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1071.001 | Web Protocols (sub-technique) | APT12 has used RIPTIDE, a RAT that uses HTTP to communicate. [Moran 2014]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4. [Moran 2014]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0005: APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: a0b2fa4326627e10...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | a0b2fa432662…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Moran 2014: Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin's Favorite APT Group [Blog]. Retrieved November 12, 2014.
  2. [2] mitre-attack S0003

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.