S0069: BLACKCOFFEE
BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [1] [2]
Analyst context for executives and security teams
BLACKCOFFEE matters because ATT&CK ties this Windows malware to espionage-oriented actors and to behaviors that support hands-on intrusion activity: command execution, discovery, file cleanup, and web-service-based command and control. For leaders, the practical issue is not the malware name alone; it is whether the organization can see a Windows host discovering its environment, running command shell activity, deleting traces, and communicating through legitimate-looking web services.
Executive priority
Prioritize BLACKCOFFEE as a validation case for Windows endpoint visibility, outbound web monitoring, and incident response readiness. The supplied ATT&CK relationships connect it to Leviathan and APT41 and to techniques that can affect investigations by hiding activity or blending command-and-control traffic with normal web use. Executives should ask whether SOC and IR teams can produce evidence for process execution, file discovery, file deletion, and unusual external web-service communications during an intrusion review.
Technical view
ATT&CK lists BLACKCOFFEE as Windows malware with no standalone detection guidance, so defenders should pivot from the malware object to its related techniques: T1059.003 Windows Command Shell, T1057 Process Discovery, T1083 File and Directory Discovery, T1070.004 File Deletion, T1102.001 Dead Drop Resolver, T1102.002 Bidirectional Communication, and T1104 Multi-Stage Channels. SOC teams should validate host telemetry for command shell execution and discovery commands, file deletion events relevant to intrusion artifacts, and network telemetry for staged or bidirectional communications through legitimate external web services. Because the malware object has no ATT&CK tactics specified, detection engineering should be technique-led rather than name-led.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Parent-child process relationships involving Windows command shell activity
- File and directory enumeration evidence from endpoint logs or EDR
- File deletion telemetry, especially around recently created tools or artifacts
- DNS, proxy, firewall, and web gateway logs for outbound web-service access
Detection direction
- Build or review analytics mapped to the related techniques rather than relying on a BLACKCOFFEE signature alone.
- Correlate command shell execution with process discovery, file/directory discovery, and subsequent deletion activity on the same Windows host.
- Review outbound web traffic for legitimate web services being used in ways inconsistent with user or host baselines, while accounting for high false-positive potential from normal business web use.
- Look for multi-stage communication patterns where an initial web destination appears to lead to additional command-and-control infrastructure or follow-on activity.
- Use the Leviathan and APT41 relationships as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
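The host-side chain and the web-stage pattern in the points above, as an added example that is not part of the ATT&CK page or of the FireEye reports it cites. The code runs a toy correlation over constructed endpoint and proxy records: on each Windows host it anchors on a cmd.exe execution (T1059.003), collects process discovery (T1057), file and directory discovery (T1083) and file deletion (T1070.004) seen within a window, and on the network it flags a watched legitimate web service (TechNet, GitHub) followed from the same host by a connection straight to a bare IP address (the T1102.001/T1104 pattern). Hosts, times, addresses, field names and the regular expressions for discovery commands are assumptions.

```python
"""Added example (not from the ATT&CK page or the FireEye reports): a toy correlation
that walks the BLACKCOFFEE technique chain over constructed log records. Field names,
hosts, times and addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint records for hypothetical hosts WS01..WS03 (not real telemetry).
ENDPOINT_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "type": "process", "image": "cmd.exe",
     "cmdline": "cmd.exe /c tasklist /v"},
    {"ts": "2024-01-10T09:00:40", "host": "WS01", "type": "process", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c dir /s "C:\\Users"'},
    {"ts": "2024-01-10T09:04:12", "host": "WS01", "type": "file_delete", "image": "cmd.exe",
     "path": "C:\\Users\\Public\\stage.dat"},
    {"ts": "2024-01-10T11:15:00", "host": "WS02", "type": "process", "image": "cmd.exe",
     "cmdline": "cmd.exe /c echo build ok"},  # benign shell use: no discovery, no cleanup
    {"ts": "2024-01-10T13:00:00", "host": "WS03", "type": "process", "image": "cmd.exe",
     "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-01-10T15:30:00", "host": "WS03", "type": "file_delete", "image": "cmd.exe",
     "path": "C:\\Temp\\old.log"},  # 2.5 h after the shell: outside the window
]
# Constructed proxy records; 203.0.113.0/24 is documentation address space.
PROXY_EVENTS = [
    {"ts": "2024-01-10T08:58:30", "host": "WS01", "dest": "social.technet.microsoft.com"},
    {"ts": "2024-01-10T08:59:10", "host": "WS01", "dest": "203.0.113.45"},
    {"ts": "2024-01-10T10:00:00", "host": "WS02", "dest": "github.com"},
    {"ts": "2024-01-10T10:00:30", "host": "WS02", "dest": "objects.githubusercontent.com"},
]
PROCESS_DISCOVERY = re.compile(r"\b(tasklist|get-process|wmic\s+process)\b", re.I)
FILE_DISCOVERY = re.compile(r"\b(dir|tree|where|get-childitem)\b", re.I)
WATCHED_SERVICES = ("technet.microsoft.com", "github.com", "githubusercontent.com")
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def technique_ids(event):
    """Map one endpoint record to the ATT&CK technique IDs it evidences."""
    ids = set()
    if event["type"] == "process" and event["image"].lower() == "cmd.exe":
        ids.add("T1059.003")
        cmd = event.get("cmdline", "")
        if PROCESS_DISCOVERY.search(cmd):
            ids.add("T1057")
        if FILE_DISCOVERY.search(cmd):
            ids.add("T1083")
    elif event["type"] == "file_delete":
        ids.add("T1070.004")
    return ids

def correlate_host_chains(events, window=timedelta(minutes=30)):
    """Per host, anchor on each cmd.exe execution and collect the technique IDs seen
    on that host within `window`; keep the richest chain per host."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e))
    chains = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda pair: pair[0])
        best = set()
        for t0, anchor in evs:
            if "T1059.003" not in technique_ids(anchor):
                continue
            seen = set()
            for t, e in evs:
                if t0 <= t <= t0 + window:
                    seen |= technique_ids(e)
            if len(seen) > len(best):
                best = seen
        if best:
            chains[host] = sorted(best)
    return chains

def correlate_web_stages(proxy_events, window=timedelta(minutes=10)):
    """Flag a watched legitimate service access followed, from the same host and
    within `window`, by a connection straight to a bare IP address."""
    findings = []
    evs = sorted(proxy_events, key=lambda e: e["ts"])
    for i, first in enumerate(evs):
        if not first["dest"].endswith(WATCHED_SERVICES):
            continue
        t0 = datetime.fromisoformat(first["ts"])
        for later in evs[i + 1:]:
            if datetime.fromisoformat(later["ts"]) > t0 + window:
                break  # records are time-sorted, nothing later can be in the window
            if later["host"] == first["host"] and RAW_IP.match(later["dest"]):
                findings.append((first["host"], first["dest"], later["dest"]))
    return findings

def prioritize(chains, web_findings):
    """Score = number of distinct host techniques, plus 2 when a web-stage finding exists."""
    web_hosts = {f[0] for f in web_findings}
    scores = {h: len(ids) + (2 if h in web_hosts else 0) for h, ids in chains.items()}
    for h in web_hosts - set(chains):
        scores[h] = 2
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    host_chains = correlate_host_chains(ENDPOINT_EVENTS)
    web = correlate_web_stages(PROXY_EVENTS)
    for host, score in prioritize(host_chains, web):
        print(host, score, host_chains.get(host, []))
```

On the constructed records only WS01 combines shell execution, both discovery types, deletion and a TechNet-then-bare-IP sequence, so it sorts first; WS03 keeps only execution and discovery because its deletion falls outside the 30-minute window, and WS02's shell use and GitHub access score low. In production the window sizes, the discovery-command patterns and the watched-service list are the tuning knobs, and the web-stage rule in particular needs a per-host baseline, since normal business use of these services will otherwise produce false positives.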
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage captures process creation, command lines, file activity, and deletion events needed for investigation.
- Harden and monitor command shell usage according to administrative need; reduce unnecessary interactive shell access where feasible.
- Improve outbound web controls and logging so legitimate external services can be reviewed for suspicious resolver or bidirectional command patterns.
- Prepare IR playbooks that preserve volatile endpoint and network evidence before file deletion or cleanup activity reduces forensic visibility.
- Use the related ATT&CK techniques to test detection coverage and document evidence for compliance or control assurance activities.
Analyst notes and limits
The strongest decision value comes from the relationships: BLACKCOFFEE is associated with Windows and uses techniques spanning execution, discovery, stealth, and command-and-control. The object is also related to Leviathan and APT41, but local investigations should not infer actor attribution solely from malware or technique overlap.
MITRE provides no official detection text for this object, no aliases, no labels, and no tactics directly on the malware object. The supplied description is brief, so this take avoids claims about current activity, specific indicators, victim exposure, or guaranteed detection. Local telemetry and environment baselines are required to determine actual coverage.
BLACKCOFFEE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | BLACKCOFFEE has the capability to enumerate files. [1] |
| Enterprise | T1104 | Multi-Stage Channels | BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | BLACKCOFFEE has the capability to create a reverse shell. [1] |
| Enterprise | T1057 | Process Discovery | BLACKCOFFEE has the capability to discover processes. [1] |
| Enterprise | T1102.001 | Dead Drop Resolver (sub-technique) | BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server. [1] [2] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | BLACKCOFFEE has the capability to delete files. [1] |
| Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | BLACKCOFFEE has also obfuscated its C2 traffic as normal traffic to sites such as Github. [1] [2] |
Groups, software, and campaigns
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G0025: APT17
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8e5d22309691… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT17: FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024.
[2] FireEye Periscope March 2018: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[3] BLACKCOFFEE (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)
[4] mitre-attack S0069
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.