
S0066: 3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [1]

Domain: Enterprise | ID: S0066 | Type: Malware | Object version: 1.1 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

3PARA RAT is a Windows remote access tool associated in ATT&CK with Putter Panda. Its practical significance is not just “malware exists,” but that it represents a post-compromise remote access capability with behaviors defenders should be able to validate: web-protocol command and control, encrypted C2, file and directory discovery, and timestamp manipulation to hide artifacts.

Executive priority

Treat this as a coverage-validation object for Windows endpoint resilience and SOC readiness. Leaders should ask whether the organization can prove it collects and retains the endpoint and network evidence needed to investigate remote access malware that blends into web traffic and alters file timestamps. This is relevant to incident response speed, audit evidence for monitoring controls, and prioritization of endpoint and network detection engineering.

Technical view

ATT&CK does not provide a dedicated detection section for 3PARA RAT, so teams should derive validation from the mapped behaviors: T1071.001 Web Protocols, T1573.001 Symmetric Cryptography, T1083 File and Directory Discovery, and T1070.006 Timestomp. For Windows environments, validate visibility into suspicious process activity, outbound web-like traffic from unusual processes, encrypted or opaque C2 patterns, file system enumeration, and timestamp inconsistencies in file metadata. Relationship context notes use by Putter Panda, but local detections should focus on observable behaviors rather than attribution assumptions.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Endpoint file creation, modification, and metadata/timestamp records
  • File system enumeration activity from processes not normally performing discovery
  • Network connection logs for outbound HTTP/S or other web-protocol traffic
  • Proxy, firewall, DNS, and web gateway logs showing destination, user, host, and (where available) the originating process

Detection direction

  • Validate that Windows endpoint telemetry can connect process activity to outbound web-protocol connections.
  • Tune for unusual web traffic from processes that do not normally initiate external communications, while accounting for legitimate software updaters, browsers, and enterprise agents.
  • Look for file and directory discovery patterns occurring before or alongside suspicious network activity.
  • Review timestamp anomalies where file create, modify, access, or MFT-related metadata are inconsistent with surrounding files or expected install times.
  • Because official ATT&CK detection text is not provided, avoid relying on a single malware signature; prioritize behavior-based detections mapped to the related techniques.
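An added example, not part of the ATT&CK object or of the CrowdStrike report: the Go program below applies the first, second and fourth directions above to constructed Sysmon-style events, tying outbound web-port connections from non-baselined images (T1071.001) and rewritten file creation times (T1070.006, Sysmon Event ID 2) back to the same ProcessGuid. The event records, the web-port list and the baseline of processes expected to talk outbound are assumptions; only the Sysmon field names and event IDs are real.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Event holds the Sysmon fields this example reads. Field names follow Sysmon's own:
// EventID 2 = file creation time changed, EventID 3 = network connection.
type Event struct {
	EventID                 int    `json:"EventID"`
	ProcessGuid             string `json:"ProcessGuid"`
	Image                   string `json:"Image"`
	DestinationIp           string `json:"DestinationIp"`
	DestinationPort         int    `json:"DestinationPort"`
	TargetFilename          string `json:"TargetFilename"`
	CreationUtcTime         string `json:"CreationUtcTime"`
	PreviousCreationUtcTime string `json:"PreviousCreationUtcTime"`
}

// Finding is one process that showed at least one of the two behaviours.
type Finding struct {
	ProcessGuid string
	Image       string
	Signals     []string
	Score       int // distinct behaviour types seen for this process (0..2)
}

// SampleEvents is constructed Sysmon-style NDJSON, not real telemetry. Process {B2} is an
// svchost.exe outside System32 that talks HTTP to an external host and then rewrites its
// own file creation time; {D4} only has the network signal; {A1} and {C3} are benign noise.
const SampleEvents = `
{"EventID":3,"ProcessGuid":"{A1}","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
{"EventID":3,"ProcessGuid":"{B2}","Image":"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe","DestinationIp":"198.51.100.7","DestinationPort":80}
{"EventID":2,"ProcessGuid":"{B2}","Image":"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe","PreviousCreationUtcTime":"2024-05-01 09:14:22.113","CreationUtcTime":"2019-03-19 04:37:51.000"}
{"EventID":3,"ProcessGuid":"{C3}","Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"10.0.0.5","DestinationPort":443}
{"EventID":3,"ProcessGuid":"{D4}","Image":"C:\\Users\\bob\\Downloads\\update.exe","DestinationIp":"192.0.2.44","DestinationPort":443}
`

// webPorts and expectedTalkers are assumptions standing in for a site-specific baseline
// (the "legitimate updaters, browsers, and enterprise agents" exclusion from the text).
var webPorts = map[int]bool{80: true, 443: true, 8080: true, 8443: true}

var expectedTalkers = map[string]bool{
	`c:\program files\google\chrome\application\chrome.exe`: true,
}

// isExternal treats anything outside RFC 1918, loopback and link-local as leaving the network.
func isExternal(ipStr string) bool {
	ip := net.ParseIP(ipStr)
	return ip != nil && !ip.IsPrivate() && !ip.IsLoopback() && !ip.IsLinkLocalUnicast()
}

// Analyze groups events by ProcessGuid and returns processes carrying either signal,
// highest score first.
func Analyze(ndjson string) ([]Finding, error) {
	byGuid := map[string]*Finding{}
	counted := map[string]bool{} // guid+technique, so each behaviour type scores once
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		var technique, detail string
		switch ev.EventID {
		case 3: // T1071.001: web-port connection to an external address from a non-baselined image
			if !webPorts[ev.DestinationPort] || !isExternal(ev.DestinationIp) || expectedTalkers[strings.ToLower(ev.Image)] {
				continue
			}
			technique = "T1071.001"
			detail = fmt.Sprintf("web-protocol connection to %s:%d", ev.DestinationIp, ev.DestinationPort)
		case 2: // T1070.006: Sysmon saw the creation timestamp being rewritten
			technique = "T1070.006"
			detail = fmt.Sprintf("creation time of %s changed from %s to %s", ev.TargetFilename, ev.PreviousCreationUtcTime, ev.CreationUtcTime)
		default:
			continue
		}
		f := byGuid[ev.ProcessGuid]
		if f == nil {
			f = &Finding{ProcessGuid: ev.ProcessGuid, Image: ev.Image}
			byGuid[ev.ProcessGuid] = f
		}
		f.Signals = append(f.Signals, technique+": "+detail)
		if !counted[ev.ProcessGuid+technique] {
			counted[ev.ProcessGuid+technique] = true
			f.Score++
		}
	}
	out := make([]Finding, 0, len(byGuid))
	for _, f := range byGuid {
		out = append(out, *f)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Score != out[j].Score {
			return out[i].Score > out[j].Score
		}
		return out[i].ProcessGuid < out[j].ProcessGuid
	})
	return out, nil
}

func main() {
	findings, err := Analyze(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s score=%d signals=%v\n", f.ProcessGuid, f.Image, f.Score, f.Signals)
	}
}
```

Score counts distinct behaviour types per process, so the process that both beaconed over HTTP and timestomped sorts first. File and directory discovery (T1083) is left out deliberately: a process walking the file system does not produce a distinct Sysmon event, so that signal has to come from EDR file-enumeration telemetry or command-line content instead.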

Mitigation priorities

  • Prioritize baseline Windows endpoint logging and EDR coverage before relying on higher-level analytics.
  • Restrict and monitor unnecessary outbound web traffic, especially from servers or user endpoints where only known applications should communicate externally.
  • Maintain proxy, DNS, firewall, and endpoint log retention sufficient for incident reconstruction.
  • Harden least-privilege access and administrative controls so remote access malware has less ability to persist, discover, or manipulate files.
  • Include timestomping and encrypted/web-protocol C2 scenarios in incident response and detection validation exercises.

Analyst notes and limits

The supplied ATT&CK object identifies 3PARA RAT as a C++ RAT used by Putter Panda and provides relationships to four techniques: Timestomp, Web Protocols, File and Directory Discovery, and Symmetric Cryptography. The most useful defensive value is to test whether those behaviors are visible and actionable in the local Windows environment.

ATT&CK does not provide official detection guidance, aliases, labels, or object-level tactics for 3PARA RAT in the supplied fields. The object supports Windows as the malware platform; broader platform references come from related techniques and should not be assumed for this malware without additional evidence. No claim is made here about current activity, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [1]

The same entry is available at https://attack.mitre.org/software/S0066/ (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise | ID: T1573.001 | Name: Symmetric Cryptography (sub-technique)
Relationship / procedure: 3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails. [1]

Domain: Enterprise | ID: T1071.001 | Name: Web Protocols (sub-technique)
Relationship / procedure: 3PARA RAT uses HTTP for command and control. [1]

Domain: Enterprise | ID: T1083 | Name: File and Directory Discovery (technique)
Relationship / procedure: 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory. [1]

Domain: Enterprise | ID: T1070.006 | Name: Timestomp (sub-technique)
Relationship / procedure: 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files. [1]
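The Symmetric Cryptography row above describes a two-layer scheme: commands are DES-CBC encrypted under a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS, and an 8-byte XOR key derived from the same string is used when DES decoding fails. The Go program below is an added example of a decoder that follows that order; it is not the RAT's code or the CrowdStrike analysis. ATT&CK leaves several details unstated, so the example assumes them and marks each in a comment: the DES key is the first 8 bytes of the MD5 digest, the XOR key is the first 8 bytes of the string, the IV is all zeros, padding is PKCS#7, and "decoding fails" means bad padding or non-printable output. The command strings are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"errors"
	"fmt"
)

// KeyString is the key-derivation string ATT&CK records for 3PARA RAT.
const KeyString = "HYF54&%9&jkMCXuiS"

// zeroIV is an assumption: the page does not say what IV the RAT uses.
var zeroIV = make([]byte, des.BlockSize)

// DESKey returns the first 8 bytes of MD5(KeyString). ASSUMPTION: ATT&CK only says the key is
// "derived from the MD5 hash"; truncating the 16-byte digest to DES's key size is our choice.
func DESKey() []byte {
	sum := md5.Sum([]byte(KeyString))
	return sum[:8]
}

// XORKey returns the first 8 bytes of the string itself. ASSUMPTION: ATT&CK says only
// "an 8-byte XOR key derived from the string".
func XORKey() []byte { return []byte(KeyString[:8]) }

// pkcs7Unpad rejects malformed padding; this is one concrete way "DES decoding fails".
// ASSUMPTION: PKCS#7 padding, which the page does not specify.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > des.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

func desCBCDecrypt(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a multiple of the DES block size")
	}
	block, err := des.NewCipher(DESKey())
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// DESCBCEncrypt is the inverse, used only to construct sample traffic under the same assumptions.
func DESCBCEncrypt(pt []byte) []byte {
	n := des.BlockSize - len(pt)%des.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := des.NewCipher(DESKey()) // key is always 8 bytes, so no error
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, padded)
	return ct
}

// XORCode applies the repeating 8-byte key; XOR is its own inverse, so it encodes and decodes.
func XORCode(b []byte) []byte {
	k := XORKey()
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ k[i%len(k)]
	}
	return out
}

// looksLikeCommand is the plausibility check standing in for whatever the RAT uses to
// decide a decode failed: printable ASCII plus tab/CR/LF only.
func looksLikeCommand(b []byte) bool {
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\t' && c != '\r' && c != '\n' {
			return false
		}
	}
	return len(b) > 0
}

// DecodeCommand follows the documented order: DES-CBC first, 8-byte XOR if that fails.
// It returns the recovered text and which layer produced it.
func DecodeCommand(blob []byte) (cmd, layer string, err error) {
	if pt, e := desCBCDecrypt(blob); e == nil && looksLikeCommand(pt) {
		return string(pt), "des-cbc", nil
	}
	if pt := XORCode(blob); looksLikeCommand(pt) {
		return string(pt), "xor", nil
	}
	return "", "", errors.New("neither DES-CBC nor XOR produced a printable command")
}

func main() {
	// Constructed command strings; not the RAT's real command syntax.
	samples := [][]byte{
		DESCBCEncrypt([]byte("fileinfo C:\\Users\\alice\\report.docx")),
		XORCode([]byte("getcwd")),
		{0x00, 0xff, 0x10},
	}
	for _, blob := range samples {
		cmd, layer, err := DecodeCommand(blob)
		fmt.Printf("layer=%-7s cmd=%q err=%v\n", layer, cmd, err)
	}
}
```

Against a real capture, the key truncation and the IV are exactly what an analyst would have to confirm from the sample. The point of the structure is that a DES failure falls through to the XOR layer instead of being reported as undecodable, which is the behaviour the relationship text describes; the third sample shows that input failing both layers still comes back as an error rather than as garbage.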

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: d59d8467d5dabd24...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | d59d8467d5da…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. CrowdStrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  2. MITRE ATT&CK. S0066: 3PARA RAT. https://attack.mitre.org/software/S0066/

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.