MITRE ATT&CK® Malware

S0063: SHOTPUT

SHOTPUT is a custom backdoor used by APT3. [1]

Enterprise | S0063 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

SHOTPUT is a Windows custom backdoor that ATT&CK records as used by APT3. Its business significance is not the malware name alone, but the behaviors linked to it: host, account, file, process, remote system, and network-connection discovery, plus obfuscation. For leaders, this points to post-compromise visibility: can the organization prove it would see a backdoor mapping the environment before follow-on activity becomes harder to contain?

Executive priority

Prioritize SHOTPUT as a validation case for Windows endpoint visibility, incident response readiness, and threat-informed detection around discovery behavior. Because ATT&CK provides no official detection text for this malware, leadership should not assume tool coverage from signature naming alone. Ask whether SOC teams collect and retain enough endpoint and network evidence to reconstruct discovery activity, account enumeration, and suspicious backdoor presence during an incident involving an APT3-associated tool.

Technical view

ATT&CK lists SHOTPUT as Windows malware and relates it to APT3. Relationship context maps it to Remote System Discovery, Obfuscated Files or Information, System Network Connections Discovery, Process Discovery, File and Directory Discovery, and Local Account (a sub-technique of Account Discovery). SOC and IR teams should validate detections around Windows process execution, file-system enumeration, local account and group enumeration, network connection listing, remote host discovery, and suspicious obfuscated files. Since tactics are not specified on the malware object and no official detection text is provided, detection engineering should be behavior-led rather than relying only on malware-family labels.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows file creation, modification, and directory enumeration evidence
  • Local account and local group enumeration events or command activity
  • Network connection telemetry from endpoints, EDR, firewall, proxy, DNS, or network sensors
  • Remote system discovery indicators such as host lookup, network browsing, or scan-like internal discovery activity

Detection direction

  • Validate behavior-based analytics for the ATT&CK-linked techniques rather than depending on a SHOTPUT signature, because MITRE provides no official detection guidance for this object.
  • Correlate discovery behaviors occurring close together on a Windows host: process discovery, file and directory discovery, local account enumeration, network connection discovery, and remote system discovery.
  • Tune for administrative false positives. Many discovery commands and management tools are legitimate; prioritize unusual parent processes, uncommon user context, unexpected workstations or servers, and activity outside normal maintenance patterns.
  • Review whether obfuscated files or encoded/encrypted payload indicators are retained with enough metadata for IR review, including file path, process lineage, and timing.
  • Use the APT3 relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident without supporting evidence.
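The correlation the bullets above describe, as an added example (not Glexia's or MITRE's code): classified discovery events are grouped per Windows host, an alert fires when several distinct ATT&CK discovery techniques land inside a short window, and baselined (user, parent) pairs are suppressed to cut administrative noise. The command-to-technique mapping and the process-creation records are assumptions constructed for the demo.

```python
# Added example, not Glexia's or MITRE's code: correlate the discovery behaviors
# linked to SHOTPUT on one Windows host inside a short window.
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_PATTERNS = [  # command-line substring -> ATT&CK technique (assumed; extend locally)
    ("tasklist", "T1057"), ("netstat", "T1049"), ("net user", "T1087.001"),
    ("net localgroup", "T1087.001"), ("net view", "T1018"), ("nltest", "T1018"),
    ("dir ", "T1083"), ("tree ", "T1083"),
]

def classify(cmdline: str):
    """Return the discovery technique ID a command line suggests, or None."""
    low = cmdline.lower()
    return next((tid for needle, tid in DISCOVERY_PATTERNS if needle in low), None)

def discovery_bursts(events, window=timedelta(minutes=10), min_techniques=3, routine=()):
    """Alert when >= min_techniques distinct discovery techniques occur on one host within
    `window`; `routine` holds (user, parent) pairs baselined as normal administration."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tid = classify(ev["cmdline"])
        if tid and (ev["user"], ev["parent"]) not in routine:
            per_host[ev["host"]].append((ev["ts"], tid, ev))
    alerts = []
    for host, evs in per_host.items():
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            tids = {t for _, t, _ in in_win}
            if len(tids) >= min_techniques:
                alerts.append({"host": host, "start": start, "techniques": sorted(tids),
                               "users": sorted({e["user"] for _, _, e in in_win}),
                               "parents": sorted({e["parent"] for _, _, e in in_win})})
                break  # one alert per host burst is enough to open a triage ticket
    return alerts
# Constructed process-creation records (Sysmon-style fields); not real telemetry.
T0 = datetime(2025, 1, 1, 9, 0)
def _ev(minutes, host, user, parent, cmdline):
    return {"ts": T0 + timedelta(minutes=minutes), "host": host, "user": user,
            "parent": parent, "cmdline": cmdline}
EVENTS = [
    _ev(0, "ws01", "jdoe", "unknown_app.exe", "tasklist /v"),
    _ev(1, "ws01", "jdoe", "unknown_app.exe", "netstat -ano"),
    _ev(2, "ws01", "jdoe", "unknown_app.exe", "net user"),
    _ev(3, "ws01", "jdoe", "unknown_app.exe", "nltest /dclist:corp"),
    _ev(120, "srv02", "svc_mgmt", "monitor.exe", "netstat -an"),   # routine, hours apart
    _ev(180, "srv02", "svc_mgmt", "monitor.exe", "tasklist"),
    _ev(30, "ws03", "admin", "cmd.exe", "notepad.exe"),             # not discovery
]
```

The alert carries the users and parent processes seen in the burst so an analyst can apply the parent-process and user-context tuning from the bullets before escalating.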

Mitigation priorities

  • Confirm Windows endpoint logging and EDR coverage before focusing on malware-family-specific detections.
  • Harden and monitor local account usage, especially unnecessary local accounts and excessive local administrative privileges.
  • Reduce discovery value by maintaining accurate asset inventory, network segmentation, and least-privilege access controls.
  • Ensure incident response playbooks include rapid collection of process lists, network connections, account enumeration evidence, and suspicious files from affected Windows systems.
  • Use threat-informed purple-team or detection validation exercises mapped to the related ATT&CK techniques to identify collection gaps and alert fatigue.

Analyst notes and limits

The supplied ATT&CK object is sparse: it identifies SHOTPUT as a custom backdoor used by APT3, with Windows as the platform, but does not provide malware-specific detection text or tactics on the malware object. The strongest defensive value comes from the relationship-mapped techniques. External references include FireEye reporting and MITRE’s S0063 page; reference labels also include Backdoor.APT.CookieCutter and Pirpi, but the supplied aliases field is empty, so they should not be treated here as confirmed aliases.

This take does not assert current exploitation, victim targeting, impact, or guaranteed detectability. Local conclusions require environment-specific telemetry, baselines, file samples or hashes, and incident evidence. Relationship technique platform lists include non-Windows platforms, but the SHOTPUT object itself is supplied as Windows-only, so platform assumptions should remain Windows-focused for this malware.

Official MITRE ATT&CK definition

SHOTPUT

SHOTPUT is a custom backdoor used by APT3. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure

Enterprise T1027 Obfuscated Files or Information

SHOTPUT is obscured using XOR encoding and appended to a valid GIF file. (Citation: FireEye Clandestine Wolf) (Citation: Palo Alto CVE-2015-3113 July 2015)

Enterprise T1083 File and Directory Discovery

SHOTPUT has a command to obtain a directory listing. (Citation: Palo Alto CVE-2015-3113 July 2015)

Enterprise T1087.001 Local Account (sub-technique)

SHOTPUT has a command to retrieve information about connected users. (Citation: Palo Alto CVE-2015-3113 July 2015)

Enterprise T1018 Remote System Discovery

SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain. (Citation: Palo Alto CVE-2015-3113 July 2015)

Enterprise T1049 System Network Connections Discovery

SHOTPUT uses netstat to list TCP connection status. (Citation: Palo Alto CVE-2015-3113 July 2015)

Enterprise T1057 Process Discovery

SHOTPUT has a command to obtain a process listing. (Citation: Palo Alto CVE-2015-3113 July 2015)
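The T1027 row says the backdoor is XOR-encoded and appended to a valid GIF. For IR triage of suspicious image files, the following added example (not SHOTPUT's, MITRE's or Glexia's code) walks a GIF's block structure to its trailer and reports how many bytes trail it and how random they look; the sample GIF and the XOR-encoded blob are constructed for the demo.

```python
# Added example, not SHOTPUT's or Glexia's code: find where a GIF really ends and
# report bytes appended after its trailer, the T1027 pattern described in the table.
import math
def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # GIF data is a chain of <size><bytes> sub-blocks ending in a zero-length block.
    while pos < len(data):
        size, pos = data[pos], pos + 1
        if size == 0:
            return pos
        pos += size
    raise ValueError("truncated sub-block chain")

def gif_logical_end(data: bytes) -> int:
    """Return the offset just past the GIF trailer (0x3B); raise if malformed."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed, pos = data[10], 13                      # logical screen descriptor flags
    if packed & 0x80:                               # global color table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 0x3B:                             # trailer: logical end of the image
            return pos
        if tag == 0x21:                             # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif tag == 0x2C:                           # image descriptor, then LZW image data
            flags, pos = data[pos + 8], pos + 9
            if flags & 0x80:                        # local color table present
                pos += 3 * (2 << (flags & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block tag 0x{tag:02x} at offset {pos - 1}")
    raise ValueError("no trailer found")

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; XOR-encoded or encrypted overlays usually score high."""
    n = len(buf)
    return -sum(buf.count(b) / n * math.log2(buf.count(b) / n) for b in set(buf))

def check_gif_overlay(data: bytes) -> dict:
    end = gif_logical_end(data)                     # bytes past here are not image data
    overlay = data[end:]
    return {"gif_end": end, "overlay_len": len(overlay),
            "overlay_entropy": round(shannon_entropy(overlay), 2) if overlay else 0.0}
# Constructed sample: a minimal 1x1 GIF89a, then a constructed XOR-encoded blob.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00\x3b")
OVERLAY = bytes(b ^ 0x5A for b in b"constructed stand-in for an appended payload")
POLYGLOT = CLEAN_GIF + OVERLAY
```

A non-zero overlay on a file that otherwise renders as a valid image is the metadata worth retaining for IR review alongside path, process lineage and timing, as the "Detection direction" bullets recommend.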

Associated objects

Groups, software, and campaigns

Group Enterprise

G0022: APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
67498e2b445b41b3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 67498e2b445b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye Clandestine Wolf: Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  2. [2] Backdoor.APT.CookieCutter (Citation: FireEye Clandestine Fox Part 2)
  3. [3] FireEye Clandestine Fox Part 2: Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  4. [4] Pirpi (Citation: FireEye Clandestine Fox Part 2)
  5. [5] mitre-attack S0063

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.