
S0068: httpclient

httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. [1]

Domain: Enterprise. ID: S0068. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

httpclient is a Windows malware entry associated in ATT&CK with Putter Panda. Its business significance is not breadth of features, but its likely role as a second-stage or backup tool: simple malware can still preserve adversary access, execute commands through Windows Command Shell, and communicate over web-like traffic that may blend into normal operations.

Executive priority

Treat this as a coverage-validation item for Windows endpoint visibility, outbound web traffic governance, and incident response readiness. Leaders should ask whether the organization can prove when unusual command-shell activity is paired with suspicious external web communications, and whether encrypted or application-layer command-and-control traffic would be investigated rather than dismissed as normal HTTP/S noise.

Technical view

ATT&CK provides no dedicated detection guidance for httpclient, so validation should be relationship-driven. For Windows systems, confirm telemetry around cmd.exe execution, parent/child process chains, command-line arguments, user context, and network connections from the same host. Because related techniques include Windows Command Shell, Web Protocols, and Symmetric Cryptography, SOC teams should correlate endpoint execution with proxy, DNS, firewall, and network session evidence, especially where command output or tasking may be embedded in web protocol traffic or obscured by encryption.

Likely telemetry

  • Windows process creation events with command-line detail
  • Parent/child process relationships involving cmd.exe
  • Endpoint detection and response alerts or behavioral events
  • Network connection metadata from Windows hosts
  • Proxy, web gateway, and firewall logs for outbound HTTP/S or web-like traffic

Detection direction

  • Validate that Windows command-shell execution is monitored with enough context to distinguish administrative use from suspicious parent processes, unusual users, or unexpected network follow-on activity.
  • Tune detections to correlate command execution with outbound web protocol communications from the same host rather than relying on either signal alone.
  • Review blind spots where encrypted or application-layer traffic is allowed outbound with limited inspection, weak logging, or no host-to-network correlation.
  • Account for false positives from legitimate administration, software deployment, and troubleshooting tools that use cmd.exe and web access.
  • Use the Putter Panda relationship as threat-intelligence context, not as proof of attribution in a local incident.
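The host-to-network correlation described under Technical view and Detection direction, as an added example that is not part of the original page or of any Glexia or MITRE tooling: it pairs cmd.exe launches from unexpected parents with outbound web traffic from the same host inside a time window, suppresses an assumed allowlist of approved administrative parents to limit false positives, and runs over constructed sample events. All hostnames, users, destinations and the BENIGN_PARENTS set are assumptions.

```python
from datetime import datetime

# Constructed sample telemetry (synthetic, not from any real incident).
# Process-creation events as an EDR or Sysmon-style source might record them.
PROC_EVENTS = [
    {"host": "WS01", "ts": "2024-01-10T09:00:05", "image": "cmd.exe",
     "parent": "explorer.exe", "user": "alice", "cmdline": "cmd.exe /c whoami"},
    {"host": "WS02", "ts": "2024-01-10T09:10:00", "image": "cmd.exe",
     "parent": "ccmexec.exe", "user": "SYSTEM", "cmdline": "cmd.exe /c ipconfig"},
    {"host": "WS03", "ts": "2024-01-10T09:20:00", "image": "cmd.exe",
     "parent": "explorer.exe", "user": "bob", "cmdline": "cmd.exe /c dir"},
    {"host": "WS01", "ts": "2024-01-10T09:30:00", "image": "notepad.exe",
     "parent": "explorer.exe", "user": "alice", "cmdline": "notepad.exe"},
]
# Constructed proxy / web gateway records for outbound HTTP(S) from the same hosts.
NET_EVENTS = [
    {"host": "WS01", "ts": "2024-01-10T09:00:20", "dest": "203.0.113.10", "method": "POST"},
    {"host": "WS02", "ts": "2024-01-10T09:10:30", "dest": "sccm.corp.example", "method": "GET"},
    {"host": "WS03", "ts": "2024-01-10T09:45:00", "dest": "203.0.113.10", "method": "POST"},
]

# Assumed allowlist of parents that launch cmd.exe as part of approved deployment
# or management tooling; tune it to the organisation's own administrative patterns.
BENIGN_PARENTS = {"ccmexec.exe", "services.exe", "msiexec.exe"}

def _ts(s):
    return datetime.fromisoformat(s)

def correlate(proc_events, net_events, window_seconds=120):
    """Pair each cmd.exe launch from an unexpected parent with outbound web
    traffic from the same host inside the window; return one alert per pair."""
    alerts = []
    for p in proc_events:
        if p["image"].lower() != "cmd.exe":
            continue
        if p["parent"].lower() in BENIGN_PARENTS:
            continue  # approved administration: do not alert on the shell alone
        start = _ts(p["ts"])
        for n in net_events:
            if n["host"] != p["host"]:
                continue
            delta = (_ts(n["ts"]) - start).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({"host": p["host"], "user": p["user"], "parent": p["parent"],
                               "cmdline": p["cmdline"], "dest": n["dest"],
                               "seconds_after_shell": delta})
    return alerts

if __name__ == "__main__":
    for alert in correlate(PROC_EVENTS, NET_EVENTS):
        print(alert)
```

With the default two-minute window only WS01 fires; widening the window to an hour also pulls in WS03, which is the tuning trade-off the Detection direction list describes.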

Mitigation priorities

  • Prioritize Windows endpoint logging and EDR coverage for command execution and network activity.
  • Enforce controlled outbound web access through logged proxies or gateways where practical.
  • Apply least privilege and administrative access controls to reduce the value of command-shell execution.
  • Maintain incident response procedures for collecting endpoint, proxy, DNS, and firewall evidence together.
  • Use threat-informed testing to confirm that second-stage or backup-tool behaviors would be escalated even when the malware has limited functionality.

Analyst notes and limits

The supplied ATT&CK object describes httpclient as a simple tool used by Putter Panda and likely second-stage or supplementary/backup malware. The most useful defensive framing comes from its relationships to Windows Command Shell, Web Protocols, and Symmetric Cryptography rather than from object-specific detection text.

Official detection is not provided, tactics are not specified on the malware object, and no aliases or labels are supplied. This summary does not provide indicators of compromise or assert current exploitation. Local telemetry, asset context, and approved administrative patterns are required to determine actual detection coverage.

Official MITRE ATT&CK definition

httpclient

httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | httpclient encrypts C2 content with XOR using a single byte, 0x12. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | httpclient uses HTTP for command and control. [1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | httpclient opens cmd.exe on the victim. [1]
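The single-byte XOR relationship in the table (T1573.001), as an added analyst-side example that is not part of the original page or of the CrowdStrike report: it recovers the key from a captured body by brute force, decodes the body, and shows why a single-byte XOR leaves most ASCII bytes printable, so entropy or non-printable-content heuristics on proxy logs will not flag it. The sample body is constructed here from a synthetic plaintext, not real httpclient traffic.

```python
import string

PRINTABLE = set(string.printable.encode())
LETTERS_OR_SPACE = set((string.ascii_letters + " ").encode())

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)

def printable_ratio(data: bytes) -> float:
    """Share of bytes in string.printable; shows why entropy checks miss this scheme."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)

def score_plaintext(candidate: bytes) -> int:
    """Reject any candidate containing non-printable bytes; otherwise count
    letters and spaces, which dominate command output."""
    if any(b not in PRINTABLE for b in candidate):
        return -1
    return sum(1 for b in candidate if b in LETTERS_OR_SPACE)

def recover_key(ciphertext: bytes) -> int:
    """Brute-force all 256 key bytes and return the best-scoring one."""
    best_key, best_score = 0, -2
    for key in range(256):
        score = score_plaintext(xor_single_byte(ciphertext, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key

def decode_capture(body: bytes) -> tuple[int, bytes]:
    """Recover the key from a captured C2 body and return (key, decoded bytes)."""
    key = recover_key(body)
    return key, xor_single_byte(body, key)

# Constructed sample: command output as it would look after single-byte XOR
# with 0x12. Synthetic test data, not captured httpclient traffic.
SAMPLE_PLAINTEXT = b"Windows IP Configuration\r\n\r\nEthernet adapter Ethernet:\r\n"
SAMPLE_CIPHERTEXT = xor_single_byte(SAMPLE_PLAINTEXT, 0x12)

if __name__ == "__main__":
    key, text = decode_capture(SAMPLE_CIPHERTEXT)
    print(f"recovered key 0x{key:02x}; raw body printable ratio "
          f"{printable_ratio(SAMPLE_CIPHERTEXT):.2f}")
    print(text.decode())
```

Because the key is fixed and one byte long, the decoder doubles as a detection check: a body that only scores as clean text after XOR with 0x12 is worth escalating rather than dismissing as ordinary HTTP noise.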

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: c4013ba409cce41e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 |  | 1.1 |  | Current bundle | c4013ba409cc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CrowdStrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  2. [2] MITRE ATT&CK. S0068: httpclient (mitre-attack S0068).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.