S0070: HTTPBrowser
HTTPBrowser is malware that has been used by several threat groups. [1] [2] It is believed to be of Chinese origin. [3]
Analyst context for executives and security teams
HTTPBrowser is a Windows malware family in ATT&CK that has been reported as used by multiple threat groups. Its practical significance is not the name of the malware, but the behaviors ATT&CK associates with it: persistence through Run keys or Startup folders, command execution through Windows command shell, credential collection via keylogging, web/DNS-based command-and-control, tool transfer, file discovery, file deletion, obfuscation, and DLL abuse. For leaders, this represents the kind of intrusion tooling that can turn an endpoint compromise into longer dwell time, credential exposure, and harder incident reconstruction.
Executive priority
Prioritize validation around Windows endpoint visibility, identity risk from possible keylogging, and network monitoring for common web and DNS command-and-control patterns. Because ATT&CK provides no official detection text for HTTPBrowser, leadership should not ask whether the organization has a single named-malware alert; they should ask whether SOC and IR teams can prove coverage for the associated behaviors, preserve evidence when files are deleted, and investigate persistence, command execution, and credential-access activity quickly enough to support business continuity and compliance reporting.
Technical view
ATT&CK lists HTTPBrowser as Windows malware and relates it to techniques including T1547.001 Registry Run Keys / Startup Folder, T1059.003 Windows Command Shell, T1056.001 Keylogging, T1071.001 Web Protocols, T1071.004 DNS, T1105 Ingress Tool Transfer, T1083 File and Directory Discovery, T1070.004 File Deletion, T1027 Obfuscated Files or Information, T1036.005 Match Legitimate Resource Name or Location, and T1574.001 DLL. SOC teams should validate behavior-based detections rather than relying on malware naming alone: suspicious autorun changes, unusual cmd.exe activity, anomalous DLL loading or placement, unexpected file enumeration, tool downloads, deletion of staging artifacts, and endpoint processes making unusual HTTP/S or DNS communications.
Likely telemetry
- Windows endpoint process creation telemetry, especially cmd.exe and parent/child process context
- Windows Registry and Startup folder change events for persistence validation
- File creation, modification, deletion, and directory enumeration telemetry
- DLL load and module path telemetry where available
- Endpoint security alerts for obfuscated or renamed files and suspicious resource locations
Detection direction
- Map detections to the related ATT&CK techniques instead of depending on an HTTPBrowser signature or family name.
- Tune Windows command shell detections for unusual parent processes, rare command patterns, and execution from suspicious locations while accounting for administrator and software-management activity.
- Validate monitoring for Run key and Startup folder persistence, including user-context autoruns that may be overlooked by server-focused controls.
- Review DNS and web egress analytics for unusual destinations, rare domains, abnormal beacon-like patterns, or endpoint processes that normally should not initiate external communications.
- Correlate file deletion with prior tool transfer, command execution, or discovery activity to avoid treating cleanup as benign housekeeping.
Mitigation priorities
- Strengthen Windows endpoint logging and retention first, because the ATT&CK object does not provide official detection guidance and several related behaviors require host evidence.
- Harden and monitor autorun locations such as Registry Run keys and Startup folders.
- Restrict and monitor unnecessary command shell use where operationally feasible.
- Apply least privilege and credential-protection practices to reduce the value of keylogging and user-context persistence.
- Control outbound web and DNS traffic through monitored egress paths and investigate endpoints with unusual external communications.
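The egress review called for above (rare destinations, beacon-like timing, processes that should not talk out) can be scored from ordinary DNS and proxy logs. The block below is an added example, not MITRE's or Glexia's code, that groups constructed egress records by host, process and destination, measures interval regularity with the coefficient of variation of the inter-request gaps, and combines that with destination rarity and an expected-egress process list. The record shape, the example.net/example.com destinations, the host names and the thresholds are all assumptions for the example; the VPDN_LU.exe process name is the one from this page's procedure text.

```python
"""Beacon-shaped egress scoring over constructed DNS/HTTP records.

Added example for this page; not MITRE's or Glexia's code. Record fields
(t, host, process, proto, dest), the thresholds and EXPECTED_EGRESS are
assumptions; destinations use reserved example domains.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import fmean, pstdev

# Processes expected to initiate outbound web/DNS traffic in this estate (assumption).
EXPECTED_EGRESS = {"chrome.exe", "msedge.exe", "svchost.exe", "outlook.exe"}


def _build_records() -> list:
    """Constructed sample log: one beacon, one benign periodic service, browser noise."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    recs = []
    # Suspect: ~60 s cadence with small jitter, one host, a process that should not beacon.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):
        recs.append({"t": base + timedelta(seconds=60 * i + jitter), "host": "WS-17",
                     "process": "VPDN_LU.exe", "proto": "dns", "dest": "cdn-updates.example.net"})
    # Benign: perfectly periodic, but an expected process and a destination shared by hosts.
    for host in ("WS-17", "WS-22"):
        for i in range(8):
            recs.append({"t": base + timedelta(seconds=300 * i), "host": host,
                         "process": "svchost.exe", "proto": "https", "dest": "ctldl.example.com"})
    # Browser noise: few requests to many destinations, never enough to score.
    for i, dest in enumerate(["a.example.org", "b.example.org", "c.example.org"]):
        recs.append({"t": base + timedelta(seconds=17 * i), "host": "WS-17",
                     "process": "chrome.exe", "proto": "https", "dest": dest})
    return recs


RECORDS = _build_records()


def beacon_candidates(records: list, min_events: int = 6, max_cv: float = 0.2, min_score: int = 2) -> list:
    """Score (host, process, dest) series; return those with at least min_score reasons."""
    series = defaultdict(list)
    hosts_per_dest = defaultdict(set)
    for r in records:
        series[(r["host"], r["process"], r["dest"])].append(r["t"])
        hosts_per_dest[r["dest"]].add(r["host"])

    out = []
    for (host, proc, dest), ts in series.items():
        if len(ts) < min_events:  # too little data to call a cadence
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = fmean(gaps)
        cv = pstdev(gaps) / mean if mean else float("inf")  # 0 = metronome, >1 = bursty
        reasons = []
        if cv <= max_cv:
            reasons.append(f"regular interval ~{mean:.0f}s (cv={cv:.2f})")
        if len(hosts_per_dest[dest]) == 1:
            reasons.append("destination seen from one host only")
        if proc.lower() not in EXPECTED_EGRESS:
            reasons.append(f"{proc} does not normally initiate egress")
        if len(reasons) >= min_score:
            out.append({"host": host, "process": proc, "dest": dest,
                        "events": len(ts), "reasons": reasons})
    return out


if __name__ == "__main__":
    for c in beacon_candidates(RECORDS):
        print(c["host"], c["process"], c["dest"], c["events"], "; ".join(c["reasons"]))
```

Regularity alone is a weak signal (update agents and telemetry clients are also periodic), which is why the benign svchost.exe series scores one reason and is dropped while the VPDN_LU.exe series scores three; on real data, feed the same function with a day of proxy and DNS records per host and raise min_events to suppress short-lived series.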
Analyst notes and limits
The relationship context is useful for defensive planning: ATT&CK associates HTTPBrowser with APT18 and Threat Group-3390, and with multiple techniques spanning persistence, execution, credential access, discovery, command-and-control, defense evasion, and tool transfer. Glexia would treat this as a behavior-coverage validation exercise for Windows estates, especially where executives need evidence that endpoint, DNS, web, and identity-adjacent telemetry can support incident decisions.
ATT&CK provides no official detection text and no explicit tactics on the malware object, and lists only Windows as the platform for HTTPBrowser. The mirrored object carries no alias field, although the reference list below contains an entry named HttpDump that cites the ThreatConnect Anthem report; teams that key threat-intel lookups on names should confirm against the official ATT&CK object before treating HttpDump as an alias. Related technique platform lists include non-Windows platforms, but those should not be read as HTTPBrowser platform support. The supplied data supports historical reporting and ATT&CK relationships, not claims of current active exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available. Bracketed numbers refer to the reference list at the end of this page; a citation given by name only (ZScaler Hacking Team) has no reference record in the mirrored object.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | HTTPBrowser is capable of writing a file to the compromised system from the C2 server. [2] |
| Enterprise | T1574.001 | DLL | HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll. [ZScaler Hacking Team] HTTPBrowser has also used DLL side-loading. [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | HTTPBrowser has established persistence by setting the |
| Enterprise | T1027 | Obfuscated Files or Information | HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming. [2] |
| Enterprise | T1059.003 | Windows Command Shell | HTTPBrowser is capable of spawning a reverse shell on a victim. [2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL. [ZScaler Hacking Team] |
| Enterprise | T1071.004 | DNS | HTTPBrowser has used DNS for command and control. [2] [1] |
| Enterprise | T1083 | File and Directory Discovery | HTTPBrowser is capable of listing files, folders, and drives on a victim. [2] [ZScaler Hacking Team] |
| Enterprise | T1056.001 | Keylogging | HTTPBrowser is capable of capturing keystrokes on victims. [2] |
| Enterprise | T1071.001 | Web Protocols | HTTPBrowser has used HTTP and HTTPS for command and control. [2] [1] |
| Enterprise | T1070.004 | File Deletion | HTTPBrowser deletes its original installer file once installation is complete. [ZScaler Hacking Team] |
Groups, software, and campaigns
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G0026: APT18
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4e212c6116ae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ThreatStream Evasion Analysis: Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- [2] Dell TG-3390: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- [3] ThreatConnect Anthem: ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- [4] HttpDump (citation: ThreatConnect Anthem).
- [5] mitre-attack S0070: MITRE ATT&CK source object for S0070.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.