S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
Analyst context for executives and security teams
ASPXSpy matters because it is a Windows web shell: a small server-side foothold that can turn an exposed web application or web server into persistent remote access. For leaders, the business issue is not the specific malware name alone, but whether externally reachable Windows web services are monitored well enough to prove that unauthorized scripts, abnormal web requests, and post-compromise activity would be noticed quickly.
Executive priority
Treat ASPXSpy as a validation point for web server resilience, incident response readiness, and evidence quality. The ATT&CK relationships connect it to multiple espionage-related groups and the Night Dragon campaign, including sectors such as energy, petrochemical, government, defense, technology, healthcare, telecom, finance, education, and others. This does not mean any organization is currently targeted, but it does justify prioritizing controls and logging for internet-facing Windows web infrastructure, especially where business-critical, regulated, executive, financial, or cyber-physical data is reachable from those systems.
Technical view
MITRE identifies ASPXSpy as malware and a web shell on Windows, with a relationship to ATT&CK technique T1505.003 Web Shell under persistence. SOC and IR teams should validate coverage around Windows web servers rather than relying on a malware-family signature alone. Key questions: can defenders identify newly created or modified web-accessible script files, suspicious child processes spawned by the web service account, unusual inbound HTTP/S patterns, and outbound connections from web server processes? Because the object has no official ATT&CK detection text, local detection engineering should be anchored to web shell behavior and the related T1505.003 context, then tested against the organization’s own IIS/web application architecture and change practices.
Likely telemetry
- Web server access logs for unusual requests, parameters, user agents, source IP patterns, and authentication context
- Windows file creation and modification events in web content directories
- Process creation telemetry showing web server worker processes launching command interpreters, scripting engines, or administrative tools
- Endpoint security alerts and file integrity monitoring on Windows web servers
- Network telemetry for unexpected outbound connections initiated by web servers
Detection direction
- Validate that externally reachable Windows web servers are included in endpoint, file integrity, web, and network monitoring scope.
- Tune detections for web shell behavior associated with T1505.003, including unauthorized web-accessible scripts and abnormal execution by web service processes.
- Correlate web requests with subsequent host activity; a suspicious request followed by process execution or file changes on the same server is higher value than either signal alone.
- Account for false positives from legitimate deployments, administrative scripts, vulnerability scanners, and application maintenance by comparing against approved release windows and known paths.
- Do not depend only on ASPXSpy naming or hash-based detection; the official description notes modification into ASPXTool, and web shells are often altered.
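The correlation idea in the list above (a request to an unexpected server-side script, followed shortly by the IIS worker process launching a command interpreter on the same host) can be prototyped over a handful of log lines. The following is an added example for illustration; it is not code from the ATT&CK object, from MITRE, or from Glexia. The IIS log layout is a reduced W3C-style form, the host names, paths, timestamps, and the `APPROVED_SCRIPTS` deployment manifest are constructed, and the thresholds (30-second window, interpreter list) are assumptions to tune against a real environment.

```python
"""Correlate web requests with interpreter launches by the IIS worker process.

Added example, not part of the ATT&CK object or the mirrored analysis.
All sample data below is constructed; field layouts are simplified.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WebRequest:
    ts: datetime
    host: str      # server that handled the request (s-computername)
    method: str
    path: str      # cs-uri-stem
    client: str    # c-ip
    status: int


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    parent_image: str
    image: str
    user: str


# Constructed sample log, simplified IIS W3C layout:
# date time s-computername cs-method cs-uri-stem c-ip sc-status
IIS_LOG = """\
2024-05-01 10:00:01 webfe01 GET /index.aspx 203.0.113.7 200
2024-05-01 10:00:05 webfe01 POST /uploads/report.aspx 203.0.113.7 200
2024-05-01 10:01:10 webfe01 GET /about.aspx 198.51.100.2 200
2024-05-01 10:02:00 webfe02 GET /index.aspx 198.51.100.9 200
"""

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style,
# reduced to the fields this example uses).
PROC_EVENTS = [
    ProcEvent(datetime(2024, 5, 1, 10, 0, 6), "webfe01",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", r"IIS APPPOOL\DefaultAppPool"),
    # Benign: the service host starting a worker process.
    ProcEvent(datetime(2024, 5, 1, 10, 1, 59), "webfe02",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", r"NT AUTHORITY\SYSTEM"),
]

# Hypothetical deployment manifest: scripts the release process placed on disk.
APPROVED_SCRIPTS = {"/index.aspx", "/about.aspx"}
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
WORKER = "w3wp.exe"


def parse_iis(text: str) -> list[WebRequest]:
    """Parse the reduced W3C layout; '#' lines are the directives real logs carry."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, host, method, path, client, status = line.split()
        out.append(WebRequest(datetime.fromisoformat(f"{date} {time}"),
                              host, method, path, client, int(status)))
    return out


def unapproved_script_requests(requests, approved=APPROVED_SCRIPTS):
    """Requests for server-side scripts that the deployment manifest does not list."""
    return [r for r in requests
            if r.path.lower().endswith(SCRIPT_EXTENSIONS) and r.path not in approved]


def worker_spawned_interpreter(ev: ProcEvent) -> bool:
    """True when the IIS worker process is the parent of a command interpreter."""
    return (ntpath.basename(ev.parent_image).lower() == WORKER
            and ntpath.basename(ev.image).lower() in INTERPRETERS)


def correlate(requests, procs, window=timedelta(seconds=30)):
    """Pair each qualifying process event with requests on the same host just before it."""
    pairs = []
    for ev in procs:
        if not worker_spawned_interpreter(ev):
            continue
        for r in requests:
            if r.host == ev.host and timedelta(0) <= ev.ts - r.ts <= window:
                pairs.append((r, ev))
    return pairs


def triage(requests, procs):
    """Rank alerts: request plus process on one host outranks either signal alone."""
    alerts = []
    unapproved = set(unapproved_script_requests(requests))
    for r, ev in correlate(requests, procs):
        sev = "high" if r in unapproved else "medium"
        alerts.append((sev, r.host, r.path, ntpath.basename(ev.image)))
    for r in unapproved:  # unapproved scripts with no process follow-up stay low
        if not any(a[1] == r.host and a[2] == r.path for a in alerts):
            alerts.append(("low", r.host, r.path, None))
    return sorted(alerts, key=lambda a: {"high": 0, "medium": 1, "low": 2}[a[0]])


if __name__ == "__main__":
    for alert in triage(parse_iis(IIS_LOG), PROC_EVENTS):
        print(alert)
```

On the constructed data the worker-spawned `cmd.exe` on webfe01 pairs with both requests inside the 30-second window, so the unapproved `/uploads/report.aspx` request scores high while the approved `/index.aspx` request scores medium; the worker start on webfe02 produces nothing. In production the manifest comparison and the window are where most tuning happens, which matches the false-positive note in the list above.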
Mitigation priorities
- Inventory and prioritize internet-facing Windows web servers and applications, especially those supporting critical business, regulated, executive, or operational data.
- Harden web server permissions so application identities cannot write broadly to executable web directories unless required.
- Implement file integrity monitoring and alerting for web-accessible directories and configuration files.
- Ensure timely patching and vulnerability management for exposed web applications and supporting server components.
- Restrict outbound network access from web servers to only required destinations where feasible.
Analyst notes and limits
The strongest decision value is coverage validation for web shell persistence on Windows web infrastructure. ATT&CK links ASPXSpy to Night Dragon and several named groups, but the provided object does not include tactics beyond the related Web Shell technique, detection guidance, procedures, indicators, or exploitation details. Use the relationships to inform risk discussions and hunting priorities, not to make attribution claims.
Official detection is not provided. The object lists Windows as the platform for ASPXSpy, while the related Web Shell technique spans additional platforms; this take limits platform-specific guidance to Windows. No active exploitation, customer exposure, specific vulnerability, or guaranteed detection coverage is asserted from the supplied fields.
ASPXSpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1505.003 | Web Shell (sub-technique) | ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS). [1] |
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0125: HAFNIUM
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G0087: APT39
APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]
G1030: Agrius
C0002: Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | f838adb7e93e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Dell TG-3390: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
[2] mitre-attack S0073: MITRE ATT&CK software entry for ASPXSpy.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.