S0062: DustySky
Analyst context for executives and security teams
DustySky matters because it represents a multi-stage Windows .NET malware family with behaviors that span persistence, discovery, credential collection, data staging, exfiltration, command-and-control resilience, and cleanup. For leaders, the practical question is not whether the name is detected, but whether Windows endpoint, network, removable media, and incident response evidence would expose the behaviors MITRE associates with it before collected data leaves through web-based C2 channels.
Executive priority
Prioritize this as a control-validation and readiness issue for Windows environments, especially where politically motivated targeting or regional exposure is relevant to risk planning. The ATT&CK relationships point to business risks around credential theft, data loss, persistence, lateral movement, and removable-media spread. Executives should ask whether the organization can prove coverage for WMI execution, Run key persistence, web-protocol C2, local data staging, archive creation, keylogging/screen capture indicators, and post-activity file deletion. This is also useful audit evidence: it tests whether logging, endpoint controls, egress monitoring, removable media policy, and IR playbooks work together rather than in isolation.
Technical view
ATT&CK lists DustySky as Windows malware written in .NET and used by Molerats, with no official detection text provided. Detection engineering should therefore pivot from the malware name to the related behaviors: T1547.001 Registry Run Keys / Startup Folder, T1047 WMI execution, T1071.001 Web Protocols and T1008 fallback C2, T1041 exfiltration over C2, T1056.001 keylogging, T1113 screen capture, T1074.001 local staging, T1560.001 archiving, T1070.004 file deletion, T1091 removable media replication, T1570 lateral tool transfer, and multiple discovery techniques. SOC teams should validate correlated Windows host activity plus network egress patterns, rather than relying on one IOC or one alert type.
Likely telemetry
- Windows process creation and command-line telemetry, including WMI-related execution
- Registry modification events for Run keys and Startup Folder persistence locations
- Endpoint file creation, modification, archive creation, staging directory activity, and file deletion events
- Network proxy, DNS, firewall, and TLS/HTTP metadata for web-protocol C2 and fallback communications
- Data transfer volume and timing indicators that may support exfiltration-over-C2 investigations
Detection direction
- Build behavior-based detections mapped to the related ATT&CK techniques because MITRE provides no official detection guidance for DustySky.
- Correlate persistence plus execution plus network activity: Run key or Startup Folder changes followed by WMI/process execution and outbound web traffic are higher value than any single weak signal.
- Tune web-protocol C2 analytics carefully because HTTP/S is common; prioritize unusual destinations, repeated fallback behavior, beacon-like patterns, and host context from endpoint alerts.
- Look for collection chains: discovery activity followed by local staging, archive creation, and outbound transfer over the same C2 channel.
- Validate visibility into cleanup behavior such as file deletion after tool execution or staging, since this can remove local evidence needed for incident response.
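The correlation logic the points above call for, as an added example (not Glexia or MITRE code): a small chain matcher run over constructed Windows telemetry. It stitches together the persistence, WMI execution and web-egress chain, and separately the staging, archive, transfer and cleanup chain, per host and within a time window. The event schema, field names, hostnames and sample events are all assumptions made for the demonstration; map them to your own EDR or SIEM fields.

```python
"""Correlate Windows host and egress telemetry into the detection chains
described above. Added example, not Glexia or MITRE code: the event schema,
field names, hostnames and sample events are constructed assumptions."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)          # max span from first to last stage of a chain

RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runonce")
STARTUP_DIR = r"\start menu\programs\startup"

def parse_ts(value):
    return datetime.fromisoformat(value)

# Stage predicates: T1547.001, T1047, T1071.001, T1074.001, T1560.001, T1070.004
def is_persistence(ev):
    if ev["type"] == "registry_set":
        return any(k in ev["key"].lower() for k in RUN_KEYS)
    if ev["type"] == "file_create":
        return STARTUP_DIR in ev["path"].lower()
    return False

def is_wmi_exec(ev):
    if ev["type"] != "process_create":
        return False
    return "wmic" in ev["cmdline"].lower() or ev["parent"].lower().endswith("wmiprvse.exe")

def is_web_egress(ev):
    return (ev["type"] == "network_connect" and ev["direction"] == "out"
            and ev["port"] in (80, 443))

def is_staging(ev):
    return ev["type"] == "file_create" and "\\temp\\" in ev["path"].lower()

def is_archive(ev):
    return ev["type"] == "file_create" and ev["path"].lower().endswith((".rar", ".zip", ".7z"))

def is_deletion(ev):
    return ev["type"] == "file_delete"

CHAINS = {
    "persistence->wmi_exec->web_egress": [is_persistence, is_wmi_exec, is_web_egress],
    "staging->archive->web_egress->cleanup": [is_staging, is_archive, is_web_egress, is_deletion],
}

def _matches_in_order(evs, stages, window):
    """True if every stage matches some event, in order, within `window` of the first stage."""
    for i, first in enumerate(evs):
        if not stages[0](first):
            continue
        start, idx, ok = parse_ts(first["ts"]), i + 1, True
        for stage in stages[1:]:
            while idx < len(evs) and not stage(evs[idx]):
                idx += 1           # skip unrelated events
            if idx == len(evs) or parse_ts(evs[idx]["ts"]) - start > window:
                ok = False
                break
            idx += 1               # events are time-sorted, so the earliest match is the best one
        if ok:
            return True
    return False

def find_chains(events, window=WINDOW):
    """Return {host: [chain names]} for hosts where a complete chain occurs in order."""
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        for name, stages in CHAINS.items():
            if _matches_in_order(evs, stages, window):
                hits.setdefault(host, []).append(name)
    return hits

# Constructed sample telemetry: WS-042 shows both chains, WS-007 only a benign Run key write.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": "2024-05-01T09:00:00", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
    {"host": "WS-042", "ts": "2024-05-01T09:00:05", "type": "process_create",
     "cmdline": "wmic os get caption,version", "parent": "updater.exe"},
    {"host": "WS-042", "ts": "2024-05-01T09:00:20", "type": "network_connect",
     "direction": "out", "dst": "203.0.113.10", "port": 443},
    {"host": "WS-042", "ts": "2024-05-01T09:05:00", "type": "file_create",
     "path": r"C:\Users\u\AppData\Local\Temp\stg\report.docx"},
    {"host": "WS-042", "ts": "2024-05-01T09:06:00", "type": "file_create",
     "path": r"C:\Users\u\AppData\Local\Temp\stg\out.rar"},
    {"host": "WS-042", "ts": "2024-05-01T09:06:30", "type": "network_connect",
     "direction": "out", "dst": "203.0.113.10", "port": 443},
    {"host": "WS-042", "ts": "2024-05-01T09:07:00", "type": "file_delete",
     "path": r"C:\Users\u\AppData\Local\Temp\stg\out.rar"},
    {"host": "WS-007", "ts": "2024-05-01T10:00:00", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
    {"host": "WS-007", "ts": "2024-05-01T10:01:00", "type": "network_connect",
     "direction": "out", "dst": "198.51.100.7", "port": 443},
]

if __name__ == "__main__":
    for host, chains in find_chains(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(chains))
```

The matcher deliberately requires every stage in sequence: WS-007 writes a Run key and then talks HTTPS, which on its own is ordinary software behaviour and is not reported, while WS-042 completes both chains and is. In production the predicates would be replaced with your EDR's registry, process, file and network event fields, and the window tuned to how long the staging-to-exfiltration gap typically is in your environment.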
Mitigation priorities
- Start with Windows endpoint control and logging coverage for process execution, WMI, registry persistence, file operations, removable media, and outbound network activity.
- Harden and monitor WMI and other administrative pathways so legitimate management remains observable and abnormal use can be investigated.
- Control persistence opportunities by monitoring and restricting unauthorized changes to Run keys and Startup Folder locations.
- Apply egress filtering and proxy/DNS visibility to reduce blind spots around web-protocol command-and-control and exfiltration over existing C2 channels.
- Enforce removable media governance where business processes allow, including logging, restriction, or approval workflows for USB use.
Analyst notes and limits
The relationship set gives this malware broad defensive relevance even though the malware object itself has no tactics listed and no official detection section. The most useful Glexia takeaway is to test whether defenders can connect Windows host telemetry, C2/network evidence, collection activity, removable-media events, and cleanup behavior into one investigation path. The Molerats relationship supplies threat-intelligence context, but local exposure, targeting relevance, and current activity must be established from the organization’s own intelligence and telemetry.
This take is limited to the supplied ATT&CK STIX fields, references, and relationships. It does not assert current exploitation, customer exposure, specific indicators, malware internals beyond .NET and multi-stage characterization, or guaranteed detection coverage. Several related technique platform lists are broader than the DustySky object platform; defensive validation here should be anchored on the supplied DustySky platform of Windows unless local evidence justifies expanding scope.
DustySky
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | DustySky has used both HTTP and HTTPS for C2. [1] |
| Enterprise | T1518 | Software Discovery | DustySky lists all installed software for the infected machine. [3] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | DustySky can delete files it creates from the infected system. [3] |
| Enterprise | T1091 | Replication Through Removable Media | DustySky searches for removable media and duplicates itself onto it. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware. [1] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | DustySky can compress files via RAR while staging data to be exfiltrated. [3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | DustySky has exfiltrated data to the C2 server. [3] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | DustySky contains a keylogger. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | DustySky can detect connected USB devices. [3] |
| Enterprise | T1047 | Windows Management Instrumentation | The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | DustySky created folders in temp directories to host collected files before exfiltration. [3] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | DustySky achieves persistence by creating a Registry entry in |
| Enterprise | T1113 | Screen Capture | DustySky captures PNG screenshots of the main screen. [3] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | DustySky checks for the existence of anti-virus. [1] |
| Enterprise | T1570 | Lateral Tool Transfer | DustySky searches for network drives and removable media and duplicates itself onto them. [1] |
| Enterprise | T1008 | Fallback Channels | DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second. [1] |
| Enterprise | T1082 | System Information Discovery | DustySky extracts basic information about the operating system. [1] |
| Enterprise | T1057 | Process Discovery | DustySky collects information about running processes from victims. [1][3] |
| Enterprise | T1083 | File and Directory Discovery | DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine. [1][3] |
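The T1071.001 and T1008 rows above (HTTP/S C2 with a hard-coded second domain tried when the first does not respond) are the network-side pattern the detection-direction notes ask analysts to tune for: repeated fallback behaviour, beacon-like timing, and unusual destinations. The following is an added example, not Glexia or MITRE code, that runs those three checks over a constructed proxy log; the log format, hostnames, domains and timings are assumptions for the demonstration.

```python
"""Fallback, beacon and rare-destination analysis over proxy logs.
Added example, not Glexia or MITRE code: the log format, hostnames, domains
and timings are constructed for the demonstration."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso-timestamp> <host> <domain> <port> <result>".
# WS-042 tries c2-primary every 5 minutes, fails, and falls back to c2-backup seconds later.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00 WS-042 c2-primary.example 443 fail
2024-05-01T09:00:05 WS-042 c2-backup.example 443 ok
2024-05-01T09:02:13 WS-007 mail.example-saas.example 443 ok
2024-05-01T09:05:00 WS-042 c2-primary.example 443 fail
2024-05-01T09:05:05 WS-042 c2-backup.example 443 ok
2024-05-01T09:10:00 WS-042 c2-primary.example 443 fail
2024-05-01T09:10:05 WS-042 c2-backup.example 443 ok
2024-05-01T09:11:40 WS-042 mail.example-saas.example 443 ok
2024-05-01T09:15:00 WS-042 c2-primary.example 443 fail
2024-05-01T09:15:05 WS-042 c2-backup.example 443 ok
2024-05-01T09:20:00 WS-042 c2-primary.example 443 fail
2024-05-01T09:20:05 WS-042 c2-backup.example 443 ok
2024-05-01T09:25:00 WS-042 c2-primary.example 443 fail
2024-05-01T09:25:05 WS-042 c2-backup.example 443 ok
2024-05-01T09:33:05 WS-007 mail.example-saas.example 443 ok
"""

def parse_proxy_log(text):
    """Parse the constructed log format into dicts sorted by host, then time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, port, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "domain": domain, "port": int(port), "result": result})
    return sorted(events, key=lambda e: (e["host"], e["ts"]))

def detect_fallback(events, max_gap=60, min_repeats=3):
    """(host, failed_domain, fallback_domain, count) where a failed request is repeatedly
    followed within max_gap seconds by a successful request to a different domain (T1008)."""
    pairs = Counter()
    for cur, nxt in zip(events, events[1:]):
        if cur["host"] != nxt["host"] or cur["result"] != "fail" or nxt["result"] != "ok":
            continue
        if cur["domain"] != nxt["domain"] and (nxt["ts"] - cur["ts"]).total_seconds() <= max_gap:
            pairs[(cur["host"], cur["domain"], nxt["domain"])] += 1
    return sorted((h, a, b, n) for (h, a, b), n in pairs.items() if n >= min_repeats)

def detect_beacons(events, min_attempts=5, max_cv=0.2):
    """(host, domain, period_seconds) for host->domain pairs contacted at near-constant
    intervals; failed attempts count too, since a fallback check-in is still a beacon."""
    times = defaultdict(list)
    for ev in events:
        times[(ev["host"], ev["domain"])].append(ev["ts"])
    beacons = []
    for (host, domain), ts in times.items():
        if len(ts) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:   # low jitter relative to period
            beacons.append((host, domain, round(period, 1)))
    return sorted(beacons)

def rare_destinations(events, max_hosts=1):
    """Domains contacted by at most max_hosts distinct hosts, as candidates for review."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["domain"]].add(ev["host"])
    return sorted(d for d, hs in hosts.items() if len(hs) <= max_hosts)

if __name__ == "__main__":
    evs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("fallback:", detect_fallback(evs))
    print("beacons:", detect_beacons(evs))
    print("rare:", rare_destinations(evs))
```

None of the three checks is conclusive alone on a busy proxy, which is the point of the tuning guidance above: the fallback pair, the fixed five-minute period and the fact that only one host ever contacts either domain are each weak, but a host that satisfies all three and also carries endpoint context from the host-side chains is worth an analyst's time. Thresholds such as `max_gap`, `min_attempts` and `max_cv` are starting points to be tuned against your own baseline traffic.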
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 3258afb10e8c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DustySky: ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
[2] DustySky2: ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
[3] Kaspersky MoleRATs April 2019: GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
[4] mitre-attack S0062
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.