S0023: CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [1] [2] [3] [4] It is tracked separately from the X-Agent for Android.

Enterprise | S0023 | Malware | Object v2.3 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

CHOPSTICK is a modular backdoor family associated in ATT&CK with APT28 and documented for Windows and Linux. What matters for decisions is that it represents post-compromise access with multiple ways to communicate, discover the environment, collect user data, and adapt around defenses. For leaders, this is less about one malware name and more about whether the organization can prove it would notice a cross-platform backdoor using ordinary-looking web, mail, encrypted, fallback, proxy, or removable-media channels.

Executive priority

Prioritize CHOPSTICK-relevant readiness where Windows/Linux endpoints, sensitive user workstations, disconnected environments, or regulated evidence requirements matter. The relationships show behaviors that can affect incident scope decisions: command-and-control resilience, credential collection through keylogging, screen capture, registry changes, removable media movement, tool transfer, and security software discovery. Executives should ask whether SOC coverage is based only on known indicators or whether it also validates the underlying behaviors across endpoint, DNS, proxy, mail, removable media, and registry telemetry.

Technical view

ATT&CK does not provide a detection section for CHOPSTICK, so defenders should validate coverage through its linked techniques rather than rely on a single signature. On Windows, focus on registry query/modify activity, removable media execution or file movement, command interpreter use, screen/keylogging-related host behavior, and security tooling discovery. On Linux, validate visibility into command execution, file and directory discovery, volatile or shared-memory storage locations, web/mail-based C2, encrypted C2, DGA-like DNS behavior, internal proxying, and removable-media communication. Because the object is described as a modular backdoor and often second-stage malware, IR teams should treat a confirmed finding as a prompt to search for initial access, staging, transferred tools, persistence, credential exposure, and alternate C2 paths.

Likely telemetry

  • Endpoint process creation and command-line telemetry on Windows and Linux
  • Windows Registry query and modification events
  • File system and directory enumeration activity
  • Removable media insertion, autorun, file copy, and execution events
  • DNS query logs suitable for identifying unusual or algorithmically generated domains

Detection direction

  • Map detections to the related ATT&CK techniques, especially fallback channels, web/mail protocols, DGA, encrypted C2, internal proxy, ingress tool transfer, registry activity, discovery, removable media, keylogging, and screen capture.
  • Do not depend solely on malware names, hashes, or static indicators; the supplied ATT&CK object provides no official detection logic and CHOPSTICK is described as modular.
  • Tune for combinations of behaviors: discovery followed by tool transfer, registry modification, unusual outbound communications, or removable-media activity is more decision-useful than isolated command execution.
  • Account for false positives from administrators, software deployment tools, backup agents, helpdesk remote support, and legitimate security tooling discovery.
  • Validate Linux visibility separately from Windows visibility; the object explicitly has both variants, and many organizations have weaker Linux endpoint telemetry.
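To make the "combinations of behaviors" guidance concrete, here is an added example (not Glexia's or MITRE's code) that correlates endpoint events tagged with the technique IDs from the relationship table into per-host behavior chains, so that discovery on its own stays quiet while discovery followed by tool transfer, registry modification and an unusual outbound channel is surfaced. The event schema, the sample telemetry, the stage groupings and the 30-minute window are assumptions made for the illustration.

```python
"""Correlate discrete endpoint events into CHOPSTICK-style behavior chains.
Added illustration; the event schema and sample telemetry are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized events: (timestamp, host, ATT&CK technique, detail).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "ws-17", "T1518.001", "process enumerated AV/forensics tools"),
    ("2024-05-01T10:02:30", "ws-17", "T1105", "new executable written to user temp dir"),
    ("2024-05-01T10:03:10", "ws-17", "T1112", "binary blob written under HKCU\\Software"),
    ("2024-05-01T10:04:00", "ws-17", "T1071.003", "SMTP/POP3 traffic from non-mail process"),
    ("2024-05-01T09:00:00", "srv-02", "T1518.001", "vulnerability scanner inventory"),  # isolated
    ("2024-05-02T14:00:00", "ws-17", "T1112", "software installer registry write"),    # outside window
]

# Stage groupings are an assumption: behaviors that are decision-useful only in
# combination. T1059 (command execution) is deliberately not a stage on its own.
CHAIN_STAGES = {
    "discovery": {"T1518.001", "T1083", "T1012"},
    "staging": {"T1105", "T1112", "T1027.011", "T1091"},
    "c2": {"T1071.001", "T1071.003", "T1568.002", "T1573.001",
           "T1573.002", "T1008", "T1090.001"},
}
WINDOW = timedelta(minutes=30)
MIN_STAGES = 2  # discovery alone is usually admin or scanner noise

def stage_of(technique):
    """Map a technique ID to its chain stage, or None if it is not tracked."""
    for stage, ids in CHAIN_STAGES.items():
        if technique in ids:
            return stage
    return None

def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Return {host: finding} for hosts where at least `min_stages` distinct
    stages occur within `window` of some starting event (sliding window)."""
    by_host = defaultdict(list)
    for ts, host, tech, detail in events:
        stage = stage_of(tech)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage, tech, detail))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            stages = {e[1] for e in in_window}
            if len(stages) >= min_stages:
                findings[host] = {"start": t0.isoformat(), "stages": sorted(stages),
                                  "techniques": sorted({e[2] for e in in_window})}
                break  # report the first qualifying window per host
    return findings
```

Feeding real telemetry into this requires only the tagging step (mapping your EDR, registry, mail and DNS events to technique IDs), which is where the allowlists for administrators, deployment tools and backup agents belong.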

Mitigation priorities

  • Establish baseline endpoint telemetry across Windows and Linux before relying on behavioral detections.
  • Restrict and monitor removable media use, especially for sensitive or disconnected environments.
  • Harden registry permissions and monitor high-risk registry changes on Windows systems.
  • Enforce least privilege and administrative control review to reduce the impact of registry modification, tool transfer, and persistence-related behaviors.
  • Strengthen egress governance: proxy enforcement, DNS monitoring, and review of unusual web, mail, encrypted, fallback, or proxy-like channels.

Analyst notes and limits

The most useful defensive framing comes from the relationship set: CHOPSTICK uses techniques spanning command-and-control, discovery, collection, credential access, persistence/defense impairment, lateral movement, initial access, stealth, and execution. The object is related to APT28 in ATT&CK, but local incident handling should not assume attribution from malware name alone. Treat the name as a trigger for behavior-based scoping and evidence preservation.

ATT&CK provides no official detection text for this object, and the malware object itself lists tactics as not specified. The assessment is therefore derived from the supplied description, platforms, external references, and relationships. Local baselines, sensor coverage, logging policy, and environment-specific allowlists are required before judging exposure or detection confidence.

Official MITRE ATT&CK definition

CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [1] [2] [3] [4] It is tracked separately from the X-Agent for Android.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

19 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1008 | Fallback Channels
CHOPSTICK can switch to a new C2 channel if the current one is broken. (Citation: ESET Sednit Part 2)

Enterprise | T1092 | Communication Through Removable Media
Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: Microsoft SIR Vol 19)

Enterprise | T1090.001 | Internal Proxy (sub-technique)
CHOPSTICK used a proxy server between victims and the C2 server. (Citation: ESET Sednit Part 2)

Enterprise | T1059 | Command and Scripting Interpreter
CHOPSTICK is capable of performing remote command execution. (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 2)

Enterprise | T1071.003 | Mail Protocols (sub-technique)
Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3. (Citation: ESET Sednit Part 2)

Enterprise | T1071.001 | Web Protocols (sub-technique)
Various implementations of CHOPSTICK communicate with C2 over HTTP. (Citation: ESET Sednit Part 2)

Enterprise | T1112 | Modify Registry
CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information. (Citation: FireEye APT28)

Enterprise | T1497 | Virtualization/Sandbox Evasion
CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. (Citation: FireEye APT28)

Enterprise | T1113 | Screen Capture
CHOPSTICK has the capability to capture screenshots. (Citation: DOJ GRU Indictment Jul 2018)

Enterprise | T1105 | Ingress Tool Transfer
CHOPSTICK is capable of performing remote file transmission. (Citation: Crowdstrike DNC June 2016)

Enterprise | T1518.001 | Security Software Discovery (sub-technique)
CHOPSTICK checks for antivirus and forensics software. (Citation: FireEye APT28)

Enterprise | T1083 | File and Directory Discovery
An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o. (Citation: ESET Sednit Part 2)

Enterprise | T1027.011 | Fileless Storage (sub-technique)
CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry. (Citation: FireEye APT28)

Enterprise | T1056.001 | Keylogging (sub-technique)
CHOPSTICK is capable of performing keylogging. (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 2) (Citation: DOJ GRU Indictment Jul 2018)

Enterprise | T1091 | Replication Through Removable Media
Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic. (Citation: FireEye APT28) (Citation: Microsoft SIR Vol 19) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

Enterprise | T1568.002 | Domain Generation Algorithms (sub-technique)
CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists. (Citation: ESET Sednit 2017 Activity)

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
CHOPSTICK encrypts C2 communications with RC4. (Citation: ESET Sednit Part 2)

Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique)
CHOPSTICK encrypts C2 communications with TLS. (Citation: ESET Sednit Part 2)

Enterprise | T1012 | Query Registry
CHOPSTICK provides access to the Windows Registry, which can be used to gather information. (Citation: FireEye APT28)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 2.3
Created:
Modified:
Raw hash: cf98a4d31aaa9622...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.3 | | Current bundle | cf98a4d31aaa…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. FireEye APT28: FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  2. ESET Sednit Part 2: ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  3. FireEye APT28 January 2017: FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
  4. DOJ GRU Indictment Jul 2018: Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  5. Backdoor.SofacyX: (Citation: Symantec APT28 Oct 2018)
  6. CHOPSTICK: (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
  7. SPLM: (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
  8. Symantec APT28 Oct 2018: Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  9. X-Agent: (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
  10. Xagent: (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
  11. mitre-attack S0023
  12. webhp: (Citation: FireEye APT28 January 2017)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.