
S0065: 4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007. [1]

Enterprise · S0065 · Malware · Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

4H RAT is a Windows remote access malware family documented by MITRE as used by Putter Panda since at least 2007. Its practical value for defenders is not a single signature but the behavior pattern around remote command execution, host discovery, file and directory enumeration, and HTTP command-and-control whose traffic is obfuscated with a single-byte XOR (catalogued under ATT&CK's Symmetric Cryptography sub-technique). For leaders, this matters because those behaviors can turn one compromised Windows endpoint into a source of internal reconnaissance and remote operator control if endpoint, network, and incident response telemetry are incomplete.

Executive priority

Treat this as a validation case for Windows endpoint visibility and command-and-control detection rather than as a standalone malware-name problem. Security leaders should ask whether the SOC can prove coverage for suspicious command shell activity, process and system discovery, file enumeration, and unusual web-based outbound traffic from endpoints. It is also useful for audit and readiness discussions: can the organization show evidence that endpoint logging, network monitoring, and response playbooks would preserve enough detail to investigate a RAT-style intrusion?

Technical view

The supplied ATT&CK relationships connect 4H RAT to Windows Command Shell execution (a remote shell), Process Discovery (running processes and their loaded modules), System Information Discovery (an OS version identifier sent in beacons), File and Directory Discovery, Web Protocols (HTTP) for command-and-control, and Symmetric Cryptography for the C2 layer, which in this case is a 1-byte XOR with key 0xBE rather than strong encryption. SOC and IR teams should validate detections around abnormal cmd.exe usage, command-line driven host discovery, enumeration of files and directories, and outbound HTTP traffic that does not match expected user or application behavior. Because MITRE does not provide an official detection section for this object, detection engineering should be built from the related techniques and then tested against local Windows endpoint and network telemetry.

Likely telemetry

  • Windows endpoint process creation events, including parent/child process relationships and command-line arguments
  • Command shell execution telemetry for cmd.exe activity
  • Host discovery evidence such as process listings, system information queries, and file or directory enumeration
  • Endpoint file system access or enumeration logs where available
  • Network connection logs from Windows endpoints, especially outbound web protocol traffic

Detection direction

  • Map detections to the related ATT&CK techniques instead of relying only on the malware name 4H RAT.
  • Tune for suspicious Windows command shell use, especially command execution paired with discovery or enumeration behavior.
  • Correlate process discovery, system information discovery, and file/directory discovery when they occur in unusual sequences or under unexpected parent processes.
  • Review outbound web protocol traffic from endpoints for uncommon destinations, unusual beacon-like patterns, or traffic inconsistent with the initiating process.
  • Account for the limits of payload inspection. The C2 obfuscation documented here is a single-byte XOR (key 0xBE), which can be stripped from captured traffic, but proxies and IDS sensors will not see plaintext by default and other tooling may use real encryption; so metadata, endpoint process context, and proxy/DNS correlation remain the primary signals.
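The correlation the list above describes, as an added example that is not part of the page or of MITRE's object: Sysmon-style process-creation (event ID 1) and network-connection (event ID 3) records are joined on host and time, a cmd.exe launched by a parent outside an assumed benign baseline anchors the chain, and discovery commands run through that shell (or launched by the same parent) are mapped to the technique IDs listed for 4H RAT, together with web-port connections from the parent. The field names, the benign-parent set, the command-to-technique map, the ten-minute window, the alert threshold and every event below are constructed for illustration and should be tuned against local telemetry.

```python
"""Correlate Windows process-creation and network telemetry for the behavior
chain the ATT&CK relationships on this page describe: a command shell spawned
by an unexpected parent, discovery commands issued through or beside it, and
outbound web traffic from the process that spawned the shell."""
from datetime import datetime, timedelta

# Discovery commands mapped to the techniques listed for 4H RAT (assumed map).
DISCOVERY_COMMANDS = {
    "tasklist": "T1057", "qprocess": "T1057",                    # Process Discovery
    "systeminfo": "T1082", "ver": "T1082", "hostname": "T1082",  # System Information Discovery
    "dir": "T1083", "tree": "T1083",                             # File and Directory Discovery
}
# Parents that legitimately launch cmd.exe in many estates: an assumed baseline.
BENIGN_SHELL_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe"}
WEB_PORTS = {80, 443, 8080, 8443}
WINDOW = timedelta(minutes=10)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def discovery_technique(command_line: str):
    """Map a command line to its discovery technique ID, or None.
    Handles a direct launch ('tasklist /m') and 'cmd.exe /c <command>'; the
    latter matters because 'dir' is a cmd builtin and never appears as its
    own process-creation event."""
    tokens = [t.strip('"') for t in command_line.split()]
    if not tokens:
        return None
    if _base(tokens[0]) in ("cmd.exe", "cmd"):
        tokens = [t for t in tokens[1:] if not t.startswith("/")]  # drop /c, /k, /q ...
        if not tokens:
            return None
    return DISCOVERY_COMMANDS.get(_base(tokens[0]).removesuffix(".exe"))


def correlate(events, window=WINDOW):
    """Return one alert per (host, controlling process) where a shell with an
    unexpected parent is joined, within `window`, by discovery commands and/or
    web-port connections from the controlling process."""
    alerts, seen = [], set()
    for shell in events:
        if not (shell["event_id"] == 1 and _base(shell["image"]) == "cmd.exe"
                and _base(shell["parent_image"]) not in BENIGN_SHELL_PARENTS):
            continue
        host, controller = shell["host"], shell["parent_guid"]
        if (host, controller) in seen:
            continue
        t0 = datetime.fromisoformat(shell["ts"])
        techniques, web_c2 = set(), []
        for e in events:
            if e["host"] != host or abs(datetime.fromisoformat(e["ts"]) - t0) > window:
                continue
            if e["event_id"] == 1 and e["parent_guid"] in (shell["process_guid"], controller):
                tech = discovery_technique(e["command_line"])
                if tech:
                    techniques.add(tech)
            elif e["event_id"] == 3 and e["process_guid"] == controller and e["dest_port"] in WEB_PORTS:
                web_c2.append(f'{e["dest_ip"]}:{e["dest_port"]}')
        # A lone shell is noise: require breadth of discovery, or discovery plus web egress.
        if len(techniques) >= 2 or (techniques and web_c2):
            seen.add((host, controller))
            alerts.append({"host": host, "controller": shell["parent_image"],
                           "techniques": sorted(techniques), "web_c2": web_c2})
    return alerts


# Constructed Sysmon-style events for illustration, not real 4H RAT telemetry.
SAMPLE_EVENTS = [
    # WS01: a binary in a user-writable path talks HTTP, spawns cmd.exe, runs process and
    # system discovery through it, then lists files via a second 'cmd.exe /c dir'.
    {"ts": "2024-03-01T09:00:00", "host": "WS01", "event_id": 3,
     "image": r"C:\Users\Public\update.exe", "process_guid": "G-RAT",
     "dest_ip": "203.0.113.10", "dest_port": 80},
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\Public\update.exe",
     "command_line": "cmd.exe", "process_guid": "G-SHELL", "parent_guid": "G-RAT"},
    {"ts": "2024-03-01T09:00:09", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\tasklist.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "tasklist /m", "process_guid": "G-1", "parent_guid": "G-SHELL"},
    {"ts": "2024-03-01T09:00:12", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\systeminfo.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "systeminfo", "process_guid": "G-2", "parent_guid": "G-SHELL"},
    {"ts": "2024-03-01T09:01:30", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\Public\update.exe",
     "command_line": r'cmd.exe /c dir /s "C:\Users"', "process_guid": "G-SHELL2", "parent_guid": "G-RAT"},
    # WS02: a user opens a shell from Explorer and lists a directory. Benign parent, no alert.
    {"ts": "2024-03-01T09:05:00", "host": "WS02", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c dir C:\Temp", "process_guid": "G-3", "parent_guid": "G-EXP"},
    # WS03: a build agent runs a single 'ver' with no web egress. Below threshold, no alert.
    {"ts": "2024-03-01T09:10:00", "host": "WS03", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Agent\agent.exe",
     "command_line": "cmd.exe /c ver", "process_guid": "G-4", "parent_guid": "G-AGENT"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 produces an alert, carrying T1057, T1082 and T1083 plus the HTTP destination; WS02 is excluded by the parent baseline and WS03 by the threshold. Note what the builtin `dir` case implies for the telemetry list above: file and directory enumeration through an already-running shell leaves no process-creation event at all, so command-line capture on the spawning cmd.exe, or file-access auditing, is the only endpoint trace.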

Mitigation priorities

  • Prioritize endpoint logging and retention sufficient to reconstruct Windows command execution and discovery behavior.
  • Harden and monitor use of Windows command shell where business operations allow, with attention to administrative exceptions.
  • Ensure egress monitoring covers endpoint web traffic through proxy, firewall, DNS, or equivalent network controls.
  • Maintain incident response procedures for RAT-style activity, including endpoint isolation, process and network triage, credential risk review, and scoping of discovery activity.
  • Use the related techniques to test managed detection, SIEM correlation, and IR playbooks rather than depending on a malware-specific alert.

Analyst notes and limits

MITRE identifies 4H RAT as Windows malware used by Putter Panda and provides one cited external reference from CrowdStrike. The object has no official detection text and no tactics listed directly on the malware entry, so this take derives defensive direction from the supplied ATT&CK relationships to execution, discovery, and command-and-control techniques.

This summary does not assert current activity, customer exposure, specific indicators of compromise, guaranteed detection logic, or additional platforms beyond the supplied fields. Local environment baselines, logging configurations, and network architecture are required to determine actual coverage and risk.

Official MITRE ATT&CK definition

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

6 rows

Domain | ID | Name | Relationship / procedure
Enterprise | T1083 | File and Directory Discovery | 4H RAT has the capability to obtain file and directory listings. [1]
Enterprise | T1082 | System Information Discovery | 4H RAT sends an OS version identifier in its beacons. [1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | 4H RAT has the capability to create a remote shell. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | 4H RAT uses HTTP for command and control. [1]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | 4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE. [1]
Enterprise | T1057 | Process Discovery | 4H RAT has the capability to obtain a listing of running processes (including loaded modules). [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: fa6174799de2a898...

Imported snapshots across ATT&CK releases (1)

Release | Object version | Status | Raw hash
19.1 | 1.1 | Current bundle | fa6174799de2…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash; the raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] CrowdStrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  [2] mitre-attack S0065: the MITRE ATT&CK software object this page mirrors.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.