S0083: Misdat
Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[1]
Analyst context for executives and security teams
Misdat matters because ATT&CK records it as a Windows backdoor historically used in Operation Dust Storm, a long-running cyber espionage campaign. The value for leaders is not the malware name itself, but the defensive pattern it represents: endpoint persistence, host discovery, local data collection, command-and-control, tool transfer, cleanup, and exfiltration over the same C2 channel.
Executive priority
Prioritize Misdat as a validation case for espionage-oriented intrusion readiness on Windows endpoints. Security leaders should ask whether the organization can prove visibility across persistence, command shell execution, suspicious C2, file staging/deletion, timestamp manipulation, and data exfiltration behaviors. This is especially relevant for incident response evidence preservation and audit conversations about endpoint monitoring and data protection controls.
Technical view
ATT&CK provides no official detection text for Misdat, so SOC and detection teams should use the mapped behaviors as the validation scope. On Windows, test whether controls observe Boot or Logon Autostart Execution, Windows Command Shell activity, Native API-linked execution patterns, System Information Discovery, File and Directory Discovery, System Language Discovery, Data from Local System, Ingress Tool Transfer, Non-Application Layer Protocol C2, Standard Encoding, Exfiltration Over C2 Channel, Software Packing, masquerading via legitimate-looking names or locations, File Deletion, Timestomp, and Clear Persistence. Correlating these behaviors is more useful than relying on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Autostart and persistence location monitoring, including startup-related registry or service changes where collected
- File creation, deletion, rename, path, and metadata/timestamp telemetry
- Endpoint security alerts for packed or obfuscated executables
- Network flow and protocol metadata for unusual C2 patterns, including non-application-layer or encoded communications where visible
Detection direction
- Build detections around behavior chains: discovery followed by local file access, tool transfer, outbound C2, and cleanup is higher fidelity than any one event alone.
- Tune Windows command shell monitoring for unusual parent-child process relationships, suspicious execution paths, and discovery commands, while accounting for administrator and software management activity.
- Validate coverage for masquerading and trusted-directory abuse by comparing executable names, paths, signatures, and expected baselines.
- Confirm whether file deletion and timestomping are retained in telemetry long enough for incident reconstruction; these behaviors can erase or distort evidence.
- Review network detection assumptions: exfiltration over an existing C2 channel and standard encoding may not be obvious from payload inspection alone, especially where encryption or limited packet capture exists.
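To make the "behavior chains" point concrete, here is an added example (not code from the ATT&CK page, from MITRE, or from the Glexia mirror) that classifies constructed Windows endpoint events against a few of the Misdat behaviors and scores each host by how many distinct techniques its chain spans. The event schema, field names and sample records are assumptions made for this demo; the legitimate `msdtc.exe` location and the `StubPath` / Active Setup persistence paths follow the technique table on this page.

```python
"""Behavior-chain detection over constructed Windows endpoint telemetry.

Added example: not code from the ATT&CK page or the Glexia mirror. The event
schema, field names and sample records are assumptions for the demo; the
msdtc.exe location and the persistence key shapes follow this page's table.
"""
import base64
import re
from collections import defaultdict

# Where the real Microsoft Distributed Transaction Coordinator binary lives.
LEGIT_MSDTC_PATHS = {r"c:\windows\system32\msdtc.exe"}

# Persistence locations reported for Misdat: HKCU\Software\<name>\StubPath and
# Active Setup Installed Components. The "\.?" tolerates the period that appears
# in the first Active Setup path quoted on this page. Matched on lowercased keys.
MISDAT_PERSISTENCE_PATTERNS = [
    re.compile(r"^hkcu\\software\\[^\\]+\\stubpath$"),
    re.compile(r"^hklm\\software\\microsoft\\active setup\\installed\.? components\\\{[0-9a-f-]+\}"),
]


def is_masqueraded_msdtc(event):
    """T1036.005: an image named msdtc.exe that is not the System32 binary."""
    path = event.get("image", "").lower()
    return path.endswith("\\msdtc.exe") and path not in LEGIT_MSDTC_PATHS


def is_misdat_persistence_key(event):
    """T1547 / T1070.009: registry value path matching a Misdat persistence shape."""
    key = event.get("key", "").lower()
    return any(p.match(key) for p in MISDAT_PERSISTENCE_PATTERNS)


def looks_like_base64_plaintext(payload):
    """T1132.001: valid Base64 whose decoding is printable text rather than binary."""
    try:
        decoded = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(decoded) >= 8 and all(32 <= b < 127 or b in (9, 10, 13) for b in decoded)


def classify(event):
    """Map one event to the ATT&CK technique IDs it matches (possibly none)."""
    hits = []
    kind = event["type"]
    if kind == "process_create" and is_masqueraded_msdtc(event):
        hits.append("T1036.005")
    elif kind == "registry_set" and is_misdat_persistence_key(event):
        hits.append("T1547")
    elif kind == "registry_delete" and is_misdat_persistence_key(event):
        hits.append("T1070.009")
    elif kind == "file_delete" and is_masqueraded_msdtc(event):
        hits.append("T1070.004")
    elif kind == "network_send" and looks_like_base64_plaintext(event["payload"]):
        hits.append("T1132.001")
    return hits


def analyze(events):
    """Return {host: sorted technique IDs}; hosts with no hits still get an entry."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {h: sorted(t) for h, t in per_host.items()}


def flagged_hosts(events, min_techniques=3):
    """Hosts whose chain spans at least min_techniques distinct behaviors."""
    return sorted(h for h, t in analyze(events).items() if len(t) >= min_techniques)


# Constructed sample telemetry (not real data). WS01 shows a Misdat-like chain;
# WS02 shows the legitimate MSDTC service, an ordinary Run-key entry and TLS.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create", "image": r"C:\Users\Public\msdtc.exe"},
    {"host": "WS01", "type": "registry_set", "key": r"HKCU\Software\dnimtsoleht\StubPath"},
    {"host": "WS01", "type": "network_send",
     "payload": base64.b64encode(b"Windows 7 Service Pack 1 6.1.7601")},
    {"host": "WS01", "type": "file_delete", "image": r"C:\Users\Public\msdtc.exe"},
    {"host": "WS02", "type": "process_create", "image": r"C:\Windows\System32\msdtc.exe"},
    {"host": "WS02", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "WS02", "type": "network_send", "payload": b"\x16\x03\x01\x02\x00\x01\x00"},
]

if __name__ == "__main__":
    for host, techniques in analyze(SAMPLE_EVENTS).items():
        print(host, techniques)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The scoring threshold is deliberately per-host rather than per-event: a lone `msdtc.exe` outside System32 or a single Base64 payload is noisy on its own, while masquerading plus a `StubPath` persistence write plus encoded outbound traffic on one host is the chain the guidance above describes.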
Mitigation priorities
- Harden and monitor Windows autostart locations and restrict unnecessary write access to trusted directories.
- Apply least privilege and application control where feasible to reduce unauthorized command shell, tool transfer, and unknown executable execution.
- Strengthen endpoint logging retention and centralization so deletion, timestomping, and persistence cleanup do not eliminate investigative evidence.
- Limit and monitor outbound network paths, especially unusual protocols or destinations not required for business operations.
- Protect sensitive local data through access controls, data minimization, and monitoring of unusual file enumeration or access patterns.
Analyst notes and limits
The ATT&CK object identifies Misdat as a backdoor used in Operation Dust Storm from 2010 to 2011 and links it to multiple ATT&CK techniques. The strongest defensive use is as a coverage checklist for Windows backdoor tradecraft rather than as a standalone indicator-driven detection item.
MITRE provides no official detection guidance in the supplied object, and the malware description is brief. Technique relationships describe possible observed behaviors, not guaranteed activity in every incident. Local environment baselines, telemetry depth, and retention determine whether these behaviors can be detected or investigated.
Misdat
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Misdat saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1][Microsoft DTC] |
| Enterprise | T1083 | File and Directory Discovery | Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Misdat has uploaded files and data to its C2 servers.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Misdat network traffic communicates over a raw socket.[1] |
| Enterprise | T1005 | Data from Local System | Misdat has collected files and data from a compromised host.[1] |
| Enterprise | T1070.004 | File Deletion | Misdat is capable of deleting the backdoor file.[1] |
| Enterprise | T1070.009 | Clear Persistence | Misdat is capable of deleting Registry keys used for persistence.[1] |
| Enterprise | T1082 | System Information Discovery | The initial beacon packet for Misdat contains the operating system version of the victim.[1] |
| Enterprise | T1547 | Boot or Logon Autostart Execution | Misdat has created registry keys for persistence, including `HKCU\Software\dnimtsoleht\StubPath`, `HKCU\Software\snimtsOleht\StubPath`, `HKCU\Software\Backtsaleht\StubPath`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed. Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`.[1] |
| Enterprise | T1132.001 | Standard Encoding | Misdat network traffic is Base64-encoded plaintext.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Misdat is capable of downloading files from the C2.[1] |
| Enterprise | T1059.003 | Windows Command Shell | Misdat is capable of providing shell functionality to the attacker to execute commands.[1] |
| Enterprise | T1614.001 | System Language Discovery | Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`.[1] |
| Enterprise | T1027.002 | Software Packing | Misdat was typically packed using UPX.[1] |
| Enterprise | T1070.006 | Timestomp | Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[1] |
| Enterprise | T1106 | Native API | Misdat has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`.[1] |
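The Timestomp and Software Packing rows above describe static file properties rather than runtime behavior, so the practical check is a header triage step. The following added example (not code from the ATT&CK page, MITRE, or the Glexia mirror) parses the COFF header and section table of a PE file and flags two things: the fixed `TimeDateStamp` that Delphi-built binaries carry (the constant `0x2A425E19`, 1992-06-19 22:22:17 UTC, a well-known property of the Delphi linker rather than something stated on this page) and `UPX0`/`UPX1` section names left by the UPX packer. The `build_sample_pe` helper and its headers-only images are constructed for the demo and are not real samples.

```python
"""Static PE header triage for Delphi-mangled timestamps and UPX sections.

Added example, not code from the ATT&CK page or the Glexia mirror. The
Delphi timestamp constant and the UPX section names are known properties of
those tools (an assumption stated in the lead-in); the sample PE images are
constructed headers, not real binaries.
"""
import datetime
import struct

DELPHI_TIMESTAMP = 0x2A425E19          # 1992-06-19 22:22:17 UTC, fixed by the Delphi linker
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
COFF_HEADER_FMT = "<HHIIIHH"           # Machine, NumberOfSections, TimeDateStamp, ...
SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Return machine, compile timestamp and section names from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from(COFF_HEADER_FMT, data, coff)
    section_table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    names = []
    for i in range(nsections):
        off = section_table + i * SECTION_HEADER_SIZE
        names.append(data[off:off + 8].rstrip(b"\0"))  # first 8 bytes of each entry
    compiled = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "compile_time_utc": compiled.isoformat(),
        "sections": names,
    }


def assess_pe(data):
    """List ATT&CK-mapped findings for the static properties this page describes."""
    info = parse_pe(data)
    findings = []
    if info["timestamp"] == DELPHI_TIMESTAMP:
        findings.append("T1070.006: fixed Delphi compile timestamp (1992-06-19), not a real build time")
    if any(name in UPX_SECTION_NAMES for name in info["sections"]):
        findings.append("T1027.002: UPX section names present, sample is packed")
    return findings


def build_sample_pe(timestamp, section_names):
    """Constructed headers-only PE32 image for the demo (not a runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    optional = b"\0" * 0xE0                                           # PE32 optional header size
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), timestamp,
                       0, 0, len(optional), 0x102)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
                        for name in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    suspicious = build_sample_pe(DELPHI_TIMESTAMP, [b"UPX0", b"UPX1", b".rsrc"])
    ordinary = build_sample_pe(1600000000, [b".text", b".data", b".rsrc"])
    for label, image in (("suspicious", suspicious), ("ordinary", ordinary)):
        print(label, parse_pe(image)["compile_time_utc"], assess_pe(image))
```

A Delphi timestamp on its own is not evidence of tampering, since every Delphi build carries it; the point for analysts is that the compile time cannot be trusted to date the sample, so timeline reconstruction has to rely on file-system and telemetry timestamps instead.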
Groups, software, and campaigns
C0016: Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 0bea1555997d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cylance Dust Storm: Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
[2] MITRE ATT&CK: S0083 (Misdat).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.