S0042: LOWBALL
Analyst context for executives and security teams
LOWBALL matters because ATT&CK ties it to Windows malware delivered in email messages and to command-and-control behaviors that can blend into normal web and legitimate web-service traffic. For leaders, the practical issue is not just this specific 2015 malware name; it is whether the organization can recognize suspicious email-originated Windows compromise when follow-on activity uses common web channels and file transfer patterns that may look routine.
Executive priority
Prioritize validation of email security, Windows endpoint visibility, and outbound web-service monitoring where business disruption or sensitive communications would be material. The ATT&CK record links LOWBALL to targeting of Hong Kong-based media organizations and to admin@338, but it does not establish current exposure or active exploitation. Executives should ask whether SOC and IR teams can produce evidence for suspicious inbound email, unusual outbound web communications, use of legitimate external web services for bidirectional communication, and ingress tool transfer during an investigation.
Technical view
ATT&CK provides no official detection text for LOWBALL, so defenders should validate coverage through the related techniques: T1071.001 Web Protocols, T1102.002 Bidirectional Communication, and T1105 Ingress Tool Transfer. For Windows systems, test whether investigations can connect an email-delivered suspicious file or process to outbound HTTP/S or web-service traffic, then to downloaded tools or files. Detection engineering should avoid malware-name-only logic and instead focus on behavior: unusual Windows process-to-network relationships, uncommon external web destinations, suspicious use of legitimate web services, and file downloads that occur in the context of suspected command-and-control activity.
Likely telemetry
- Email gateway and mailbox telemetry for suspicious messages, attachments, links, and delivery context
- Windows endpoint process, file, and parent-child execution telemetry
- Endpoint network connection telemetry showing process-to-destination relationships
- Proxy, web gateway, DNS, and firewall logs for outbound web protocol activity
- Logs or metadata for access to legitimate external web services, where available and permitted
Detection direction
- Validate that web protocol monitoring can distinguish routine browsing from unusual process-initiated outbound communication on Windows endpoints.
- Tune detections for suspicious bidirectional communication with legitimate external web services, recognizing that business use of popular services can create false positives.
- Correlate suspected email delivery with subsequent Windows execution, outbound web traffic, and new file creation or downloads rather than relying on a single indicator.
- Review whether proxy, DNS, firewall, and endpoint logs retain enough history to reconstruct command-and-control and ingress transfer timelines.
- Account for the ATT&CK limitation that no LOWBALL-specific detection guidance is provided; local baselines and environment-specific allowlists are required.
Mitigation priorities
- Strengthen email filtering, attachment/link controls, and user reporting workflows for suspicious messages.
- Ensure Windows endpoint protection and logging are configured to capture process, file, and network activity needed for IR reconstruction.
- Apply least-privilege and application control where feasible to limit execution and follow-on tool transfer from compromised hosts.
- Review outbound web access controls and monitoring for legitimate external web services that could be abused for command-and-control.
- Maintain incident response playbooks that connect phishing triage, endpoint containment, network investigation, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object is sparse: LOWBALL has a Windows platform and a historical description, but no tactics field and no official detection section. The most useful defensive context comes from relationships to command-and-control techniques and the external reference describing Dropbox-based malware communications. Treat this as a behavior-driven validation item rather than a standalone malware signature exercise.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current LOWBALL activity, customer exposure, guaranteed detection, or attribution beyond the provided admin@338 relationship. Local telemetry, asset exposure, email records, and web-service usage are required to determine relevance in a specific environment.
LOWBALL
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols Sub-technique | LOWBALL command and control occurs via HTTPS over port 443.CitationFireEye admin@338 |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | LOWBALL uses the Dropbox cloud storage service for command and control.CitationFireEye admin@338 |
Groups, software, and campaigns
G0018: admin@338
admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 7ac44e517afa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
FireEye admin@338
FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
Open source URL -
[2]
mitre-attack S0042Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.