S0044: JHUHUGIT
Analyst context for executives and security teams
JHUHUGIT matters because ATT&CK describes it as Windows reconnaissance malware used by APT28 and based on Carberp source code. For leaders, the practical issue is not the malware name itself but the behaviors tied to it: discovery, persistence, command-and-control, collection, stealth, and privilege-escalation techniques that can turn an initial Windows compromise into durable access and operational intelligence gathering.
Executive priority
Prioritize this as a coverage-validation case for Windows endpoint visibility, egress monitoring, and persistence control evidence. Because ATT&CK provides no official detection guidance for JHUHUGIT, executives should ask whether SOC, IR, and audit teams can prove coverage for the related behaviors: scheduled tasks, services, Run keys, logon scripts, COM hijacking, rundll32 abuse, process injection, web-based C2, fallback channels, encoded traffic, tool transfer, screen capture, clipboard collection, and host/network discovery. The business decision value is determining whether existing controls can detect reconnaissance and persistence before follow-on activity creates larger continuity, confidentiality, or incident-response costs.
Technical view
Treat JHUHUGIT as a Windows malware behavior cluster rather than a single signature problem. ATT&CK relationships associate it with discovery techniques such as System Network Configuration Discovery, Process Discovery, and Local Storage Discovery; persistence and privilege-escalation paths such as Windows logon scripts, scheduled tasks, Windows services, COM hijacking, Run keys/startup folders, process injection, and exploitation for privilege escalation; command-and-control via web protocols, fallback channels, ingress tool transfer, and standard encoding; collection through screen capture and clipboard data; and stealth through encrypted or encoded files, file deletion, rundll32 proxy execution, and process injection. SOC teams should validate that endpoint, registry, process, task/service, and network telemetry can connect these events into an intrusion narrative, not just alert on isolated commands.
Likely telemetry
- Windows process creation and command-line telemetry, including cmd.exe and rundll32.exe activity
- Windows registry change telemetry for Run keys, logon script locations, service configuration, and COM-related keys
- Scheduled task creation, modification, and execution events
- Windows service creation or modification events
- Endpoint detection telemetry for process injection indicators and suspicious parent-child process relationships
Detection direction
- Because ATT&CK provides no official detection text for JHUHUGIT, validate behavior-based detections mapped to the related techniques rather than relying on malware naming alone.
- Tune Windows persistence analytics for scheduled tasks, services, Run keys/startup folders, logon scripts, and COM hijacking, with baselines for legitimate administration and software deployment to reduce false positives.
- Correlate discovery activity with subsequent persistence, C2, or collection events; standalone ipconfig-like or process-listing behavior is common, but clustering with suspicious execution or outbound traffic increases decision value.
- Review rundll32.exe and cmd.exe detections for context: unusual DLL paths, unexpected command-line patterns, nonstandard parent processes, and execution tied to newly created persistence entries.
- Monitor web-protocol outbound traffic and encoded content indicators, but avoid assuming all encoded web traffic is malicious; use destination reputation, process lineage, timing, and related host events for triage.
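The correlation that the Technical view and the detection points above call for, as an added example that is not code from this page, from ATT&CK, or from any vendor: a Python script that tags constructed Sysmon/Security-style events with the technique IDs listed in the table on this page and only raises an alert when one host shows a persistence event plus at least two other stages (discovery, proxy execution, web C2) inside a time window. The event field names, the regexes, the 10-minute window, the stage thresholds and the sample events are all assumptions made for illustration, not a vendor schema or a tuned production rule.

```python
"""Correlate Windows telemetry into a JHUHUGIT-style behavior narrative.

Added example; not code from this page, from ATT&CK, or from any vendor.
EVENTS is a constructed, simplified Sysmon/Security export; technique IDs
are the ones this page's table maps to JHUHUGIT.
"""
import re
from datetime import datetime, timedelta

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
COM_KEY = re.compile(r"\\(CLSID|ShellIconOverlayIdentifiers)\\", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
RUNDLL = re.compile(r"\brundll32(\.exe)?\b", re.I)
RUNDLL_JS = re.compile(r"\brundll32(\.exe)?\b.*javascript:", re.I)
DISCOVERY = {"T1057": re.compile(r"\btasklist\b", re.I),
             "T1016": re.compile(r"\bipconfig\b", re.I)}
PERSISTENCE = {"T1547.001", "T1053.005", "T1543.003", "T1546.015"}

def rundll32_is_suspicious(cmd):
    """rundll32 running JavaScript, or loading a DLL from a user-writable path."""
    return bool(RUNDLL_JS.search(cmd) or (RUNDLL.search(cmd) and USER_WRITABLE.search(cmd)))

def classify(ev):
    """Return the ATT&CK technique IDs a single event evidences (may be empty)."""
    tags, kind = set(), ev["kind"]
    if kind == "process":
        cmd = ev["cmdline"]
        tags.update(t for t, rx in DISCOVERY.items() if rx.search(cmd))
        if rundll32_is_suspicious(cmd):
            tags.add("T1218.011")
        if ev.get("parent", "").lower().endswith("cmd.exe") and RUNDLL.search(cmd):
            tags.add("T1059.003")  # .bat launching a DLL via rundll32, as in the table
    elif kind == "registry":
        if RUN_KEY.search(ev["target"]):
            tags.add("T1547.001")
        elif COM_KEY.search(ev["target"]):
            tags.add("T1546.015")
        if tags and rundll32_is_suspicious(ev.get("data", "")):
            tags.add("T1218.011")
    elif kind == "task":  # Security 4698, scheduled task created
        tags.add("T1053.005")
        if rundll32_is_suspicious(ev["action"]):
            tags.add("T1218.011")
    elif kind == "service":  # System 7045, new service installed
        tags.add("T1543.003")
    elif kind == "network":
        # Web-port egress from rundll32 or from a user-writable image; browsers are ignored here
        if ev["port"] in (80, 443) and (RUNDLL.search(ev["image"]) or USER_WRITABLE.search(ev["image"])):
            tags.add("T1071.001")
    return tags

def chains(events, host, window=timedelta(minutes=10)):
    """Split one host's tagged events into chains separated by gaps longer than window."""
    tagged = sorted((e for e in events if e["host"] == host and classify(e)), key=lambda e: e["time"])
    out, cur = [], []
    for e in tagged:
        if cur and e["time"] - cur[-1]["time"] > window:
            out.append(cur)
            cur = []
        cur.append(e)
    return out + [cur] if cur else out

def narrative(chain):
    """Stage coverage of one chain; an alert needs persistence plus two other stages."""
    techs = set().union(*(classify(e) for e in chain))
    stages = {"discovery": bool(techs & set(DISCOVERY)),
              "persistence": bool(techs & PERSISTENCE),
              "proxy_execution": bool(techs & {"T1218.011", "T1059.003"}),
              "c2": "T1071.001" in techs}
    hit = [s for s, on in stages.items() if on]
    return {"techniques": sorted(techs), "stages": hit,
            "alert": stages["persistence"] and len(hit) >= 3}

def assess(events):
    """Host -> list of chain narratives, for every host present in events."""
    return {h: [narrative(c) for c in chains(events, h)] for h in sorted({e["host"] for e in events})}

T = lambda s: datetime.fromisoformat("2024-05-01T" + s)  # constructed timestamps

# Constructed events: WS01 mirrors the table (discovery, Run key with rundll32
# JavaScript, scheduled task, .bat -> rundll32 DLL, HTTPS beacon); WS02 is admin noise.
EVENTS = [
    {"kind": "process", "host": "WS01", "time": T("10:00:00"), "parent": "cmd.exe", "cmdline": "tasklist /v"},
    {"kind": "process", "host": "WS01", "time": T("10:00:05"), "parent": "cmd.exe", "cmdline": "ipconfig /all"},
    {"kind": "registry", "host": "WS01", "time": T("10:01:00"),
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'},
    {"kind": "task", "host": "WS01", "time": T("10:01:30"), "name": r"\Microsoft\Windows\Diag\Updater",
     "action": r"rundll32.exe C:\Users\bob\AppData\Roaming\api-ms.dll,init"},
    {"kind": "process", "host": "WS01", "time": T("10:02:00"), "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Roaming\api-ms.dll,init"},
    {"kind": "network", "host": "WS01", "time": T("10:02:10"), "image": r"C:\Windows\System32\rundll32.exe", "port": 443},
    {"kind": "process", "host": "WS02", "time": T("09:00:00"), "parent": "cmd.exe", "cmdline": "ipconfig /all"},
    {"kind": "registry", "host": "WS02", "time": T("09:05:00"),
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r'"C:\Program Files\Vendor\agent.exe" /tray'},
    {"kind": "network", "host": "WS02", "time": T("09:05:30"), "image": r"C:\Program Files\Google\Chrome\chrome.exe", "port": 443},
]

if __name__ == "__main__":
    for host, narratives in assess(EVENTS).items():
        for n in narratives:
            print(host, "ALERT" if n["alert"] else "info", n["stages"], n["techniques"])
```

WS02 shows why the clustering matters: an `ipconfig` run and a vendor Run key written by an installer both match single-technique rules, but without a proxy-execution or C2 stage the chain stays informational. The same `classify` output is what a real pipeline would feed into the narrative instead of per-rule alerts.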
Mitigation priorities
- Start with Windows endpoint hardening and visibility: ensure reliable logging for process execution, registry changes, scheduled tasks, services, file activity, and network connections.
- Reduce persistence opportunities through least privilege, controlled administrative rights, and change monitoring on startup locations, services, scheduled tasks, logon scripts, and COM configuration.
- Limit unnecessary outbound web access from endpoints and ensure proxy/DNS/web logs can support investigation of C2 over common protocols and fallback channels.
- Maintain vulnerability management discipline for Windows systems and key applications to reduce privilege-escalation opportunities referenced by the related techniques.
- Use application control or execution control where appropriate to constrain untrusted scripts, DLL execution paths, and suspicious proxy execution patterns such as rundll32 abuse.
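The change monitoring the second mitigation point asks for, as an added example that is not code from this page or from ATT&CK: a Python drift check that compares a baseline inventory of persistence entries (Run keys, scheduled tasks, services, the logon-script value, COM registrations) against a current snapshot, suppresses unchanged entries, and ranks new or changed ones by the traits the relationship table attributes to JHUHUGIT (rundll32 with a `javascript:` payload, payloads in user-writable paths, the COM classes it hijacked, a logon-script value). The snapshot shape, the scoring weights and both snapshots are constructed assumptions; a real collector would fill them from the registry and from `schtasks` / `sc` output.

```python
"""Persistence-inventory drift check for the locations this page names.

Added example; not code from this page or from ATT&CK. BASELINE and CURRENT
are constructed snapshots standing in for an export of Run keys, scheduled
tasks, services, the logon-script value and COM registrations.
"""
import re

USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
RUNDLL_JS = re.compile(r"\brundll32(\.exe)?\b.*javascript:", re.I)
# COM classes the relationship text says JHUHUGIT hijacked.
WATCHED_COM = ("MMDeviceEnumerator", "ShellIconOverlayIdentifiers")

def risk(entry):
    """Score one entry for triage order and return the reasons that contributed."""
    cmd, score, why = entry["command"], 0, []
    if RUNDLL_JS.search(cmd):
        score, why = score + 5, why + ["rundll32 javascript: payload"]
    if USER_WRITABLE.search(cmd):
        score, why = score + 3, why + ["payload in user-writable path"]
    if entry["location"] == "com" and any(w.lower() in entry["name"].lower() for w in WATCHED_COM):
        score, why = score + 3, why + ["COM class JHUHUGIT is known to hijack"]
    if entry["location"] == "logon_script":
        score, why = score + 2, why + ["UserInitMprLogonScript is rarely set legitimately"]
    return score, why

def drift(baseline, current):
    """Entries that are new or whose command changed since baseline, highest risk first."""
    base = {(e["location"], e["name"]): e["command"] for e in baseline}
    findings = []
    for e in current:
        key = (e["location"], e["name"])
        if key in base and base[key] == e["command"]:
            continue  # unchanged: suppressed, which is what the baseline is for
        score, why = risk(e)
        findings.append({**e, "change": "changed" if key in base else "new", "risk": score, "why": why})
    return sorted(findings, key=lambda f: -f["risk"])

# Constructed snapshots. The COM CLSID is the one quoted in the table on this page.
BASELINE = [
    {"location": "run", "name": r"HKLM\...\CurrentVersion\Run\OneDrive",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"location": "service", "name": "VendorSvc", "command": r'"C:\Program Files\Vendor\svc.exe"'},
]
CURRENT = [
    BASELINE[0],  # unchanged
    {"location": "service", "name": "VendorSvc", "command": r"C:\ProgramData\Vendor\svc.exe"},
    {"location": "run", "name": r"HKCU\...\CurrentVersion\Run\Updater",
     "command": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'},
    {"location": "task", "name": r"\Microsoft\Windows\Diag\Updater",
     "command": r"rundll32.exe C:\Users\bob\AppData\Roaming\api-ms.dll,init"},
    {"location": "com", "name": r"ShellIconOverlayIdentifiers\{3543619C-D563-43f7-95EA-4DA7E1CC396A}",
     "command": r"C:\Users\bob\AppData\Roaming\api-ms.dll"},
    {"location": "logon_script", "name": "UserInitMprLogonScript",
     "command": r"C:\Users\bob\AppData\Local\Temp\u.bat"},
    {"location": "task", "name": r"\Vendor\Update", "command": r'"C:\Program Files\Vendor\update.exe" /quiet'},
]

if __name__ == "__main__":
    for f in drift(BASELINE, CURRENT):
        print(f["risk"], f["change"], f["location"], f["name"], "; ".join(f["why"]))
```

The vendor task that lands at the bottom with a score of zero is still reported, because a new persistence entry is a change-control event even when nothing about it looks like malware; the ranking only decides what an analyst reads first.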
Analyst notes and limits
The strongest supported facts are that JHUHUGIT is Windows malware, described by ATT&CK as reconnaissance malware based on Carberp source code, and used by APT28. The practical Glexia view is driven by the ATT&CK relationships to techniques across discovery, persistence, privilege escalation, command-and-control, collection, and stealth. This should be used as a defensive validation profile for Windows environments rather than as a claim of current activity in any specific organization.
ATT&CK supplies no official detection guidance and no object-level tactics for this software. The alias names that do appear (GAMEFISH, JKEYSKW, Sednit, Seduploader, SofacyCarberp, Trojan.Sofacy) are carried in the external reference records below rather than in separate object fields. The relationship set provides technique context, but local applicability depends on actual Windows estate design, logging coverage, endpoint controls, egress architecture, and retained forensic evidence. This take does not assert active exploitation, customer exposure, or guaranteed detection.
JHUHUGIT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image. (Citations: Unit 42 Playbook Dec 2017; Talos Seduploader Oct 2017) |
| Enterprise | T1008 | Fallback Channels | JHUHUGIT tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obtaining proxy settings and sending the connection through a proxy, and finally injecting code into a running browser if the proxy method fails. (Citation: ESET Sednit Part 1) |
| Enterprise | T1057 | Process Discovery | JHUHUGIT obtains a list of running processes on the victim. (Citations: ESET Sednit Part 1; Unit 42 Sofacy Feb 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | A JHUHUGIT variant gathers network interface card information. (Citation: Unit 42 Playbook Dec 2017) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in. (Citations: ESET Sednit Part 1; ESET Sednit July 2015) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | A JHUHUGIT variant encodes C2 POST data in base64. (Citation: Unit 42 Playbook Dec 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS. (Citations: ESET Sednit Part 1; Unit 42 Sofacy Feb 2018; Unit 42 Playbook Dec 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process. (Citation: ESET Sednit Part 1) |
| Enterprise | T1037.001 | Logon Script (Windows) Sub-technique | JHUHUGIT has registered a Windows shell script under the Registry key |
| Enterprise | T1115 | Clipboard Data | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. (Citation: Unit 42 Playbook Dec 2017) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | JHUHUGIT uses a .bat file to execute a .dll. (Citation: Talos Seduploader Oct 2017) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges. (Citations: ESET Sednit Part 1; ESET Sednit July 2015) |
| Enterprise | T1546.015 | Component Object Model Hijacking Sub-technique | JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}). (Citations: ESET Sednit Part 1; Talos Seduploader Oct 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Many strings in JHUHUGIT are obfuscated with a XOR algorithm. (Citations: F-Secure Sofacy 2015; ESET Sednit Part 1; Talos Seduploader Oct 2017) |
| Enterprise | T1543.003 | Windows Service Sub-technique | JHUHUGIT has registered itself as a service to establish persistence. (Citation: ESET Sednit Part 1) |
| Enterprise | T1055 | Process Injection | JHUHUGIT performs code injection, injecting its own functions into browser processes. (Citations: F-Secure Sofacy 2015; Unit 42 Sofacy Feb 2018) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | JHUHUGIT is executed using rundll32.exe. (Citations: F-Secure Sofacy 2015; Talos Seduploader Oct 2017) |
| Enterprise | T1680 | Local Storage Discovery | JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | e921a788f9c0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky Sofacy. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
[2] F-Secure Sofacy 2015. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
[3] ESET Sednit Part 1. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
[4] FireEye APT28 January 2017. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
[5] GAMEFISH (alias). (Citation: FireEye APT28 January 2017)
[6] JHUHUGIT (alias). (Citation: FireEye APT28 January 2017)
[7] JKEYSKW (alias). (Citation: FireEye APT28 January 2017)
[8] Sednit (alias). This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware. (Citation: FireEye APT28 January 2017)
[9] Seduploader (alias). (Citation: FireEye APT28 January 2017) (Citation: Talos Seduploader Oct 2017)
[10] SofacyCarberp (alias). (Citation: Unit 42 Sofacy Feb 2018)
[11] Symantec APT28 Oct 2018. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
[12] Talos Seduploader Oct 2017. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
[13] Trojan.Sofacy (alias). This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware. (Citation: Symantec APT28 Oct 2018)
[14] Unit 42 Sofacy Feb 2018. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
[15] mitre-attack S0044. MITRE ATT&CK source object for S0044, https://attack.mitre.org/software/S0044.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.