S0015: Ixeshe
Analyst context for executives and security teams
Ixeshe matters because ATT&CK documents it as a Windows malware family used since at least 2009, with relationships showing a post-compromise pattern of host discovery, local data collection, command-shell execution, web-based command and control, tool transfer, persistence via Run keys/startup folder, and stealth through hidden or deleted files. For leaders, the value is not a single malware name; it is a checklist for whether Windows endpoint, identity, network, and incident response evidence can reconstruct an intrusion that blends into normal administration and web traffic.
Executive priority
Prioritize validation of Windows endpoint logging, web egress visibility, and persistence monitoring. ATT&CK provides no official detection guidance for Ixeshe, so executives should ask whether current managed detection/SOC coverage maps to the related techniques rather than relying on malware-family signatures alone. The relationship to APT12 and the description of targeting in East Asia can support threat intelligence scoping, but local exposure and business relevance require environment-specific assessment.
Technical view
Treat Ixeshe coverage as behavior-driven validation on Windows. Confirm detections and response playbooks for Windows Command Shell execution; system, user, service, process, network-configuration, and file discovery; local data collection; Run key and startup-folder persistence; hidden files and directories; file deletion; ingress tool transfer; custom Base64 encoding of C2 traffic; and HTTP-based command and control. Because no ATT&CK detection text is supplied, coverage should be tested against the related techniques and correlated across endpoint process, registry, filesystem, and network telemetry rather than against a single indicator.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe and administrative discovery commands
- Windows registry monitoring for Run keys and startup-folder execution paths
- File creation, deletion, rename, attribute-change, and hidden-file telemetry
- Endpoint inventory and service/process discovery events
- Local file and directory access patterns that may indicate collection
Detection direction
- Map detections to the related ATT&CK techniques rather than to the malware name alone, because official detection guidance is not provided.
- Correlate discovery commands, unusual command-shell activity, file enumeration, and outbound web traffic from the same Windows host or user context.
- Tune for administrative false positives: many discovery behaviors overlap with IT operations, software management, troubleshooting, and inventory tooling.
- Validate visibility into persistence locations such as Registry Run keys and startup folders, including user-context persistence.
- Look for stealth indicators such as hidden files/directories and file deletion following tool execution or collection activity.
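The Technical view and the detection direction above both come down to one idea: no single Ixeshe behavior is a reliable signal on its own (discovery commands are routine administration, Run keys are used by legitimate software), but several of them on the same host and user within a short window are. The following is an added example written for this page, not code from MITRE, Trend Micro, or any Ixeshe sample. It correlates Sysmon-shaped endpoint events per (host, user) and raises an alert only when discovery is accompanied by at least one stronger signal (Run-key or startup-folder persistence, a hidden-attribute executable, web egress from a user-writable path, or a deletion by such a binary). The event field names, the discovery-command list, the window length, the paths, and every sample event are constructed assumptions for illustration; the Adobe-style file name follows the T1036.005 note in the table below but the events are not captured telemetry.

```python
"""Correlate Ixeshe-style behaviors across endpoint telemetry per (host, user).

Added example for this page; not code from MITRE, Trend Micro, or Ixeshe.
Event shape, field names, commands, paths, and all sample events below are
constructed assumptions, loosely Sysmon-shaped, used only for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands mapped to the techniques listed for Ixeshe (assumed list).
DISCOVERY_CMDS = {
    r"\btasklist\b": "T1057",
    r"\bsc(\.exe)?\s+query\b": "T1007",
    r"\bipconfig\b": "T1016",
    r"\b(hostname|systeminfo)\b": "T1082",
    r"\bwhoami\b": "T1033",
    r"(^|\s)dir(\s|$)": "T1083",
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData)\\", re.I)
PROGRAM_DIRS = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)
VENDOR_NAMES = {"acrord32.exe"}  # vendor-like name outside Program Files (T1036.005)
WINDOW = timedelta(minutes=30)   # assumed correlation window
STRONG = {"persistence", "hidden", "web_c2", "deletion"}  # labels that lift discovery above admin noise


def flags_for(ev):
    """Map one event to a set of (technique_id, label) flags."""
    flags, image, parent, t = set(), ev.get("image", ""), ev.get("parent", ""), ev["type"]
    if t == "process" and image.lower().endswith("cmd.exe"):
        for pat, tid in DISCOVERY_CMDS.items():
            if re.search(pat, ev["cmdline"], re.I):
                flags.add((tid, "discovery"))
        if USER_WRITABLE.search(parent):          # shell spawned by a binary in a user path
            flags.add(("T1059.003", "shell_from_user_path"))
    elif t == "registry" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
        flags.add(("T1547.001", "persistence"))
    elif t == "file_create" and STARTUP_DIR.search(ev["path"]):
        flags.add(("T1547.001", "persistence"))
    elif t == "file_attrib" and "hidden" in ev["new_attrs"].lower() and ev["path"].lower().endswith(".exe"):
        flags.add(("T1564.001", "hidden"))
    elif t == "file_delete" and USER_WRITABLE.search(image):
        flags.add(("T1070.004", "deletion"))
    elif t == "network" and ev["dport"] in (80, 443) and USER_WRITABLE.search(image):
        flags.add(("T1071.001", "web_c2"))
    for p in (image, parent):  # masquerade check applies to whichever image acted
        if p.split("\\")[-1].lower() in VENDOR_NAMES and not PROGRAM_DIRS.search(p):
            flags.add(("T1036.005", "masquerade"))
    return flags


def correlate(events):
    """One alert per (host, user) whose events inside WINDOW carry >= 3 distinct
    labels, at least one of them STRONG. Discovery alone never alerts."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), ev))
    alerts = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda x: x[0])
        for i, (start, _) in enumerate(evs):
            flags = set()
            for ts, ev in evs[i:]:
                if ts - start > WINDOW:
                    break
                flags |= flags_for(ev)
            labels = {lab for _, lab in flags}
            if len(labels) >= 3 and labels & STRONG:
                alerts.append({"host": host, "user": user, "labels": sorted(labels),
                               "techniques": sorted({tid for tid, _ in flags})})
                break
    return alerts


# Constructed sample telemetry (not real captures). WS01 shows the full chain;
# WS02 is a helpdesk user running the same discovery commands from a console.
A = r"C:\Users\alice\AppData\Roaming\AcroRd32.exe"
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "user": "CORP\\alice", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe", "parent": A,
     "cmdline": 'cmd.exe /c "tasklist & hostname & ipconfig /all"'},
    {"ts": "2024-01-10T09:00:07", "host": "WS01", "user": "CORP\\alice", "type": "registry",
     "image": A, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AcroRd32", "data": A},
    {"ts": "2024-01-10T09:00:08", "host": "WS01", "user": "CORP\\alice", "type": "file_attrib",
     "image": A, "path": A, "new_attrs": "HIDDEN,ARCHIVE"},
    {"ts": "2024-01-10T09:01:30", "host": "WS01", "user": "CORP\\alice", "type": "network",
     "image": A, "dport": 80, "dst": "203.0.113.10"},
    {"ts": "2024-01-10T09:05:00", "host": "WS02", "user": "CORP\\helpdesk", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-01-10T09:05:10", "host": "WS02", "user": "CORP\\helpdesk", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c tasklist"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports a single alert for WS01 carrying the discovery, shell, masquerade, persistence, hidden-attribute, and web-C2 labels, and nothing for WS02, which is the false-positive tuning the bullets above call for. In production the same shape applies with real Sysmon event IDs (1, 3, 11, 13, 23) or EDR equivalents; the thresholds and the "user-writable path" heuristic are the knobs to tune per environment.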
Mitigation priorities
- Harden Windows endpoint visibility first: process command lines, registry persistence locations, file activity, and endpoint containment procedures.
- Restrict and monitor unnecessary command-shell use where business workflows allow, especially on sensitive systems.
- Apply least privilege so user-context persistence and local data access have reduced business impact.
- Control web egress with proxy/DNS logging, allowlisting where feasible, and alerting on unusual outbound patterns from endpoints.
- Monitor and govern tool downloads and file transfers from external systems.
Analyst notes and limits
ATT&CK links Ixeshe to APT12 and lists multiple used techniques spanning discovery, collection, execution, command and control, persistence, and stealth. This take uses those relationships to frame defensive validation. It does not assert current activity, customer exposure, or confirmed detection capability.
The supplied ATT&CK object has no official detection text, no object-level tactics, no aliases, and only Windows as the malware platform. Several related technique platform lists are broader than Windows; defensive recommendations are therefore constrained to Windows where the malware object supports it and to general telemetry classes where relationships support the behavior.
Ixeshe
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | Ixeshe can list running processes. [Trend Micro IXESHE 2012] |
| Enterprise | T1071.001 | Web Protocols | Ixeshe uses HTTP for command and control. [Moran 2013] [Trend Micro IXESHE 2012] |
| Enterprise | T1070.004 | File Deletion | Ixeshe has a command to delete a file from the machine. [Trend Micro IXESHE 2012] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ixeshe can achieve persistence by adding itself to the |
| Enterprise | T1082 | System Information Discovery | Ixeshe collects the computer name of the victim's system during the initial infection. [Trend Micro IXESHE 2012] |
| Enterprise | T1016 | System Network Configuration Discovery | Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system. [Trend Micro IXESHE 2012] |
| Enterprise | T1105 | Ingress Tool Transfer | Ixeshe can download and execute additional files. [Trend Micro IXESHE 2012] |
| Enterprise | T1564.001 | Hidden Files and Directories | Ixeshe sets its own executable file's attributes to hidden. [Trend Micro IXESHE 2012] |
| Enterprise | T1132.001 | Standard Encoding | Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests. [Moran 2013] [Trend Micro IXESHE 2012] |
| Enterprise | T1083 | File and Directory Discovery | Ixeshe can list file and directory information. [Trend Micro IXESHE 2012] |
| Enterprise | T1007 | System Service Discovery | Ixeshe can list running services. [Trend Micro IXESHE 2012] |
| Enterprise | T1005 | Data from Local System | Ixeshe can collect data from a local system. [Trend Micro IXESHE 2012] |
| Enterprise | T1033 | System Owner/User Discovery | Ixeshe collects the username from the victim's machine. [Trend Micro IXESHE 2012] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe. [Trend Micro IXESHE 2012] |
| Enterprise | T1059.003 | Windows Command Shell | |
Groups, software, and campaigns
G0005: APT12
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 686c02d0390e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Moran 2013: Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 17, 2024.
[2] mitre-attack S0015: MITRE ATT&CK source object for S0015 (Ixeshe).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.