S0043: BUBBLEWRAP
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [1]
Analyst context for executives and security teams
BUBBLEWRAP matters because ATT&CK describes it as a Windows second-stage backdoor with boot-time persistence and plug-in capability. For leaders, the practical risk is not just one malware name; it is the possibility of a foothold that can survive reboot, communicate over web or other network protocols, collect system details, and expand capability through plug-ins. That makes it relevant to incident containment, endpoint visibility, and confidence that SOC monitoring can distinguish abnormal long-lived command-and-control from normal traffic.
Executive priority
Prioritize validation of endpoint persistence visibility and network egress monitoring for Windows systems, especially where business operations depend on rapid containment and audit-ready evidence. Because ATT&CK provides no official detection guidance for this object, leaders should ask whether teams can prove they collect the evidence needed to investigate boot-time execution, system discovery, and command-and-control behaviors rather than relying on malware-name detection alone.
Technical view
ATT&CK identifies BUBBLEWRAP as Windows malware used by admin@338 and maps it to Web Protocols, System Information Discovery, and Non-Application Layer Protocol command-and-control behavior. SOC and IR teams should validate coverage around Windows startup execution points, unusual or newly persistent binaries, host-based system information discovery activity, outbound web-like traffic inconsistent with the process or host role, and non-application-layer or otherwise atypical network communications. Because official detection text is not provided, detection engineering should be behavior-led and supported by local baselining.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service, startup, scheduled task, registry run key, or other boot persistence evidence
- File creation and modification telemetry for newly introduced executables or plug-in-like components
- Network connection metadata including destination, protocol, port, timing, and process-to-network correlation
- Proxy, firewall, DNS, and web access logs for outbound command-and-control investigation
Detection direction
- Do not depend solely on a BUBBLEWRAP signature or malware family name; ATT&CK supplies no official detection logic for this object.
- Validate whether Windows boot-time persistence changes are logged and correlated to the responsible process, user context, and file path.
- Tune for suspicious outbound communications from unusual processes, rare destinations, or hosts that do not normally initiate comparable web or non-application-layer traffic.
- Baseline legitimate administrative inventory and system information collection to reduce false positives when detecting System Information Discovery behavior.
- Correlate persistence plus system discovery plus outbound network activity; each signal may be noisy alone but more meaningful together.
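The correlation rule in the last bullet, worked through as an added example (not code from the ATT&CK page or from Glexia): it walks constructed Windows telemetry, drops processes on a sanctioned-inventory baseline, and flags only a host where one non-baseline process shows boot persistence, system discovery, and outbound web or SOCKS traffic inside a time window. Event field names, the baseline set, and the window are assumptions to be tuned locally.

```python
from datetime import datetime, timedelta

# Constructed sample events; the schema is an assumption, not a real product format.
EVENTS = [
    {"ts": "2024-05-01T08:00:05", "host": "ws-12", "type": "persistence",
     "proc": "updater.exe", "detail": "Run key added under HKCU"},
    {"ts": "2024-05-01T08:00:40", "host": "ws-12", "type": "discovery",
     "proc": "updater.exe", "detail": "OS version and hostname queried"},
    {"ts": "2024-05-01T08:02:10", "host": "ws-12", "type": "network",
     "proc": "updater.exe", "detail": "198.51.100.9:1080 (SOCKS)"},
    {"ts": "2024-05-01T09:00:00", "host": "ws-07", "type": "discovery",
     "proc": "inventory-agent.exe", "detail": "OS version queried"},
    {"ts": "2024-05-01T09:01:00", "host": "ws-07", "type": "network",
     "proc": "inventory-agent.exe", "detail": "10.0.0.5:443 (HTTPS)"},
]
# Sanctioned inventory tooling (assumed baseline; reduces T1082 false positives).
BASELINE_PROCS = {"inventory-agent.exe"}
WINDOW = timedelta(minutes=15)
REQUIRED = {"persistence", "discovery", "network"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW, baseline=BASELINE_PROCS):
    """Return {host: finding} for hosts where one non-baseline process shows all
    three behaviors within `window`; each behavior alone never produces a hit."""
    hits, by_key = {}, {}
    for e in events:
        if e["proc"] not in baseline:
            by_key.setdefault((e["host"], e["proc"]), []).append(e)
    for (host, proc), evs in by_key.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for i, start in enumerate(evs):          # slide the window over each start
            seen = {}
            for e in evs[i:]:
                if _parse(e["ts"]) - _parse(start["ts"]) > window:
                    break
                seen.setdefault(e["type"], e)    # keep the earliest of each type
            if REQUIRED <= seen.keys():
                hits[host] = {"proc": proc, "first": start["ts"],
                              "evidence": [seen[t]["detail"] for t in sorted(REQUIRED)]}
                break
    return hits


if __name__ == "__main__":
    for host, finding in correlate(EVENTS).items():
        print(host, finding)
```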
Mitigation priorities
- Harden Windows endpoint persistence locations through least privilege, application control where appropriate, and change monitoring for startup mechanisms.
- Restrict and monitor outbound egress so only expected systems, users, and applications can initiate required web and non-web communications.
- Maintain endpoint detection and response coverage on Windows systems that can support incident reconstruction across process, file, persistence, and network activity.
- Prepare IR playbooks for suspected second-stage backdoors, including isolation decisions, persistence removal validation, credential exposure assessment, and review of follow-on plug-in activity.
- Use threat intelligence context for admin@338 and the cited FireEye reporting to inform hunting priorities, while validating relevance against the local environment.
Analyst notes and limits
The key decision value is coverage validation: can the organization see a persistent Windows backdoor that performs discovery and communicates over common or lower-level network protocols? The relationship to admin@338 is useful for threat intelligence context, but defensive action should focus on the mapped behaviors and observable evidence rather than attribution alone.
The supplied ATT&CK object does not include official detection guidance, aliases, labels, or explicit tactics on the malware object itself. Relationship context supplies associated techniques and the admin@338 use relationship, but local telemetry, environment baselines, and incident evidence are required to assess exposure or detection coverage. No active exploitation or current targeting is asserted here.
BUBBLEWRAP
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols | BUBBLEWRAP can communicate using HTTP or HTTPS. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | BUBBLEWRAP can communicate using SOCKS. [1] |
| Enterprise | T1082 | System Information Discovery | BUBBLEWRAP collects system information, including the operating system version and hostname. [1] |
Groups, software, and campaigns
G0018: admin@338
admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK Resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2630c3cdb281… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye admin@338: FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
[2] mitre-attack S0043: MITRE ATT&CK, software object S0043.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.