Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0026: GLOOXMAIL

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. [1]

EnterpriseS0026MalwareObject v1.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

GLOOXMAIL matters because it represents malware designed to make command-and-control activity look like legitimate Jabber/XMPP-style communications. For leaders, the key issue is not the malware name alone, but whether the organization can distinguish approved publish/subscribe or web-service communications from suspicious external control channels on Windows systems.

Executive priority

Prioritize this as a validation point for command-and-control visibility and egress governance. If Jabber/XMPP, publish/subscribe protocols, or external web services are allowed without clear business ownership, SOC and incident response teams may have limited evidence to separate normal collaboration/application traffic from malware communications. This is especially relevant for compliance evidence around network monitoring, endpoint visibility, and incident response readiness.

Technical view

ATT&CK lists GLOOXMAIL as Windows malware used by APT1 and describes it as mimicking legitimate Jabber/XMPP traffic. Relationship context links it to command-and-control via Publish/Subscribe Protocols (T1071.005) and Bidirectional Communication (T1102.002). SOC teams should validate whether Windows endpoint telemetry can be correlated with DNS, proxy, firewall, and protocol-aware network records to identify unusual XMPP/pub-sub or web-service communication patterns. Because no official ATT&CK detection guidance is provided for this object, detection engineering should focus on the related C2 techniques rather than malware-specific signatures alone.

Likely telemetry

  • Windows endpoint process execution and network connection telemetry
  • DNS query and resolution logs for external communication destinations
  • Proxy, firewall, and network flow records showing outbound connections
  • Protocol-aware logs or metadata for Jabber/XMPP or other publish/subscribe protocols where available
  • Web service access telemetry relevant to bidirectional command-and-control patterns

Detection direction

  • Inventory whether Jabber/XMPP or other publish/subscribe protocols are expected in the environment; unknown or unmanaged use should be investigated before writing high-noise alerts.
  • Correlate Windows processes with outbound pub/sub or web-service traffic instead of relying only on destination or port indicators.
  • Tune detections for unusual external bidirectional communication patterns, especially where traffic resembles approved services but originates from unexpected hosts or processes.
  • Account for false positives from legitimate collaboration, messaging, middleware, or application integrations using XMPP or similar protocols.
  • Use the relationship to APT1 as threat-intelligence context, not as proof of current attribution in any local incident.

Mitigation priorities

  • Establish business ownership and allowlisting expectations for approved Jabber/XMPP, publish/subscribe, and external web-service communications.
  • Apply egress controls and monitoring so Windows hosts cannot freely initiate unmanaged external C2-like channels.
  • Ensure endpoint and network telemetry retention supports incident response reconstruction of process-to-destination activity.
  • Review incident response playbooks for malware communicating through legitimate-looking protocols and web services.
  • Where unsupported or unnecessary, restrict publish/subscribe protocol use and document exceptions for audit readiness.
Analyst notes and limits

The supplied ATT&CK object is sparse: it identifies GLOOXMAIL as malware used by APT1, notes Windows as the platform, and states that it mimics legitimate Jabber/XMPP traffic. The most actionable defensive context comes from the relationships to T1071.005 and T1102.002, both command-and-control behaviors.

Official ATT&CK detection guidance is not provided for GLOOXMAIL, and no active exploitation, current targeting, aliases, tactics on the malware object, or detailed procedures are supplied. Local environment baselines are required to determine whether XMPP, publish/subscribe protocols, or external web-service communications are normal or suspicious.

Official MITRE ATT&CK definition

GLOOXMAIL

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
Enterprise T1071.005 Publish/Subscribe Protocols Sub-technique

GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol for C2.CitationMandiant APT1 Appendix
Enterprise T1102.002 Bidirectional Communication Sub-technique

GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol.CitationMandiant APT1CitationCyberESI GTALK
Associated objects

Groups, software, and campaigns

Group Enterprise

G0006: APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]

Relationship explorer

All related ATT&CK context

uses · Group G0006: APT1 Enterprise uses · Technique T1071.005: Publish/Subscribe Protocols Enterprise uses · Technique T1102.002: Bidirectional Communication Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
d21b44ccd44b2d17...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle d21b44ccd44b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Mandiant APT1

    Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.

    Open source URL
  2. [2]
    mitre-attack S0026
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use