S0067: pngdowner
pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. [1]
Analyst context for executives and security teams
pngdowner is a Windows malware entry described by ATT&CK as a simple “download-and-execute” utility used by Putter Panda. Its business significance is not persistence or broad feature depth; it is the role such a lightweight tool can play in moving an intrusion forward while leaving fewer durable host artifacts. Leaders should treat it as a prompt to validate whether the organization can see short-lived malware execution, web-based command-and-control, downloaded payload activity, credential material exposed in files, and post-activity file deletion.
Executive priority
Prioritize this as a coverage-validation item for SOC and incident response readiness rather than as a standalone malware risk. Because ATT&CK provides no official detection text and describes limited functionality with no persistence mechanism, the key executive question is whether existing logging, endpoint response, web egress monitoring, and credential hygiene controls can reconstruct brief download-and-execute activity before artifacts are deleted. This supports incident decision-making, compliance evidence around monitoring, and risk reduction for environments where Windows endpoints are business-critical.
Technical view
For defenders, validate coverage for the Windows platform and for the three technique relationships ATT&CK records for this software: File Deletion (T1070.004), Web Protocols (T1071.001), and Credentials In Files (T1552.001). Focus on whether endpoint telemetry can show process execution, child-process chains, file creation followed by deletion, and network connections over common web protocols. Network and proxy telemetry should help distinguish ordinary web traffic from unusual executable downloads or command-and-control patterns. Incident responders should expect little persistence evidence and should preserve volatile host, endpoint, and network records quickly.
Likely telemetry
- Windows endpoint process execution records, including parent-child process relationships
- File creation, modification, and deletion events on Windows hosts
- Endpoint detection and response alerts or triage artifacts for downloaded executables or short-lived tools
- Proxy, web gateway, firewall, DNS, and network connection logs for HTTP/S or other web-protocol activity
- Command-line, script, and user-context evidence where available
Detection direction
- Do not rely on persistence detections alone; the official description says pngdowner has no persistence mechanism.
- Tune for correlated behavior: downloaded file or tool execution, outbound web-protocol communication, and subsequent file deletion.
- Review false positives from software updaters, administrative scripts, installers, and legitimate cleanup jobs that can also download, execute, and delete files.
- Validate whether endpoint and network logs are retained long enough to investigate short-lived activity after files are removed.
- Use the Putter Panda relationship as threat-intelligence context, but do not treat group attribution as established from telemetry without corroborating evidence.
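The correlation described in the detection direction above, as an added example that is not part of the ATT&CK entry and is not Putter Panda or pngdowner code: a small detector run over constructed Sysmon-style endpoint events. It flags a process only when all three legs line up within a time window: the image was launched from a user-writable path (the "downloaded tool" leg), the process made an outbound connection on a web port, and it created and then deleted the same file. Event IDs are real Sysmon IDs (1, 3, 11, 23, 26); the field names, paths, PIDs, hosts, and the function names `correlate` and `is_user_writable` are assumptions for illustration, and the sample events are constructed, not captured telemetry. The second sample process shows the false-positive case from the bullets (a vendor updater with the same network-and-cleanup pattern launched from Program Files), which the path check keeps out of the findings.

```python
"""Correlate download-and-execute behaviour from Sysmon-style endpoint events.

Added example, not code from ATT&CK or from any Putter Panda tool. Event IDs
are real Sysmon IDs; every record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sysmon Event IDs used for the correlation.
PROCESS_CREATE = 1
NETWORK_CONNECT = 3
FILE_CREATE = 11
FILE_DELETE = {23, 26}          # 23 = FileDelete (archived), 26 = FileDeleteDetected
WEB_PORTS = {80, 443, 8080}      # assumption: treat these as "web protocol" ports

# Assumption: executables launched from these prefixes count as "downloaded
# or dropped" rather than installed software. Tune per environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample telemetry (not real). Addresses are from documentation ranges.
EVENTS = [
    # Process A: executable in %TEMP%, HTTP connection, temp file written then removed.
    {"ts": "2024-05-01T09:00:00", "id": 1, "pid": 4100,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost_update.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-05-01T09:00:02", "id": 3, "pid": 4100, "dest_host": "203.0.113.10", "dest_port": 80},
    {"ts": "2024-05-01T09:00:05", "id": 11, "pid": 4100,
     "target": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\~tmp1A2B.dat"},
    {"ts": "2024-05-01T09:00:09", "id": 26, "pid": 4100,
     "target": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\~tmp1A2B.dat"},
    # Process B: vendor updater with the same network/cleanup pattern, launched from Program Files.
    {"ts": "2024-05-01T09:10:00", "id": 1, "pid": 5200,
     "image": "C:\\Program Files\\ExampleVendor\\updater.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"ts": "2024-05-01T09:10:01", "id": 3, "pid": 5200, "dest_host": "198.51.100.7", "dest_port": 443},
    {"ts": "2024-05-01T09:10:03", "id": 11, "pid": 5200, "target": "C:\\Windows\\Temp\\patch.tmp"},
    {"ts": "2024-05-01T09:10:08", "id": 23, "pid": 5200, "target": "C:\\Windows\\Temp\\patch.tmp"},
    # Process C: user-writable launch and HTTPS connection, but the created file is never deleted.
    {"ts": "2024-05-01T09:20:00", "id": 1, "pid": 6300,
     "image": "C:\\Users\\jdoe\\Downloads\\tool.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-05-01T09:20:02", "id": 3, "pid": 6300, "dest_host": "203.0.113.22", "dest_port": 443},
    {"ts": "2024-05-01T09:20:04", "id": 11, "pid": 6300, "target": "C:\\Users\\jdoe\\Downloads\\out.log"},
]


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def correlate(events, window=timedelta(minutes=10)):
    """Return one finding per process that, within `window` of its start,
    (a) ran from a user-writable path, (b) connected outbound on a web port,
    and (c) created a file and later deleted that same file."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in by_pid.items():
        start = next((e for e in evs if e["id"] == PROCESS_CREATE), None)
        if start is None or not is_user_writable(start["image"]):
            continue
        t0 = datetime.fromisoformat(start["ts"])
        web, created, deleted = [], set(), []
        for e in evs:
            if not t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window:
                continue
            if e["id"] == NETWORK_CONNECT and e["dest_port"] in WEB_PORTS:
                web.append((e["dest_host"], e["dest_port"]))
            elif e["id"] == FILE_CREATE:
                created.add(e["target"].lower())
            elif e["id"] in FILE_DELETE and e["target"].lower() in created:
                deleted.append(e["target"])          # delete seen after its create
        if web and deleted:
            findings.append({
                "pid": pid,
                "image": start["image"],
                "parent_image": start["parent_image"],
                "destinations": sorted(set(web)),
                "deleted_files": sorted(set(deleted)),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid {f['pid']} {f['image']} <- {f['parent_image']}")
        print("  web:", f["destinations"])
        print("  created-then-deleted:", f["deleted_files"])
```

Only process A is reported; B fails the launch-path check and C never deletes what it wrote. In production telemetry, join on a stable process identifier (Sysmon ProcessGuid) rather than the PID, since PIDs are reused, and keep the window short enough that the delete is still inside the retention the last bullet above asks you to verify.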
Mitigation priorities
- Ensure Windows endpoint monitoring and response capabilities capture execution, file deletion, and network connection context.
- Restrict and monitor unnecessary outbound web traffic where business processes allow, with attention to executable downloads and unusual destinations.
- Reduce credential exposure in files through secure storage practices, periodic discovery, and removal of plaintext or embedded credentials where applicable.
- Harden incident response procedures for rapid evidence preservation when malware may not persist on disk.
- Use application control, least privilege, and controlled software execution policies where operationally feasible to reduce unauthorized download-and-execute behavior.
Analyst notes and limits
The most decision-useful interpretation is that pngdowner represents a lightweight operational utility rather than a full-featured persistent implant. The supplied relationship to Putter Panda provides intelligence context, and the technique relationships give defenders practical detection themes: file deletion, web-protocol communication, and credential material in files. Local validation should determine whether these behaviors are visible on Windows endpoints and in network egress telemetry.
This take is limited to the supplied ATT&CK fields, references, and relationships. ATT&CK lists no tactics directly on the malware object, no aliases, and no official detection text. The supplied description does not provide hashes, command syntax, infrastructure, delivery method, or confirmed impact. Technique relationship platform scopes may be broader or different from the malware platform field, so local applicability must be validated before using them as detection requirements.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols | pngdowner uses HTTP for command and control. [1] |
| Enterprise | T1070.004 | File Deletion | pngdowner deletes content from C2 communications that was saved to the user's temporary directory. [1] |
| Enterprise | T1552.001 | Credentials In Files | If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access. [1] |
Groups, software, and campaigns
G0024: Putter Panda
Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f3a3ffea096f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CrowdStrike Putter Panda: Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
[2] MITRE ATT&CK: S0067, pngdowner (mitre-attack).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.