S0084: Mis-Type

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[1]

Enterprise · S0084 · Malware · Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Mis-Type matters because ATT&CK describes it as a Windows backdoor hybrid associated with Operation Dust Storm and linked to behaviors that support persistence, discovery, command-and-control, data staging, and exfiltration. For leaders, the value is not the malware name alone; it is a test case for whether the organization can see a compromised Windows host being surveyed, maintained, used for command execution, and leveraged to move data out over C2 channels.

Executive priority

Treat this as a readiness and control-validation issue rather than a signature-only problem. Executives should ask whether SOC and IR teams can prove visibility across Windows endpoint activity, local account and autostart changes, suspicious command shell use, process injection indicators, and outbound C2-like traffic. The relationship to a long-running espionage campaign makes it relevant to resilience, sensitive-data protection, and audit evidence for monitoring and response capability, but the supplied ATT&CK data does not support claims of current activity or customer exposure.

Technical view

ATT&CK provides no official detection text for Mis-Type, so defenders should validate coverage through its related techniques. In the Windows context supplied for the malware, focus on correlations across Windows Command Shell execution, Native API and Process Injection behaviors, system/user/account/network discovery, local data staging, tool transfer, fallback C2, web-protocol C2, non-application-layer communications, standard encoding, exfiltration over C2, local account creation, and boot/logon autostart persistence. Detection should emphasize behavior chains rather than a single indicator because several mapped techniques can overlap with legitimate administration.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially cmd.exe and administrative utilities used for discovery
  • EDR or host telemetry for process injection, native API abuse, suspicious parent-child process relationships, and memory-related activity
  • File system telemetry for local data staging, unusual file placement, and names or locations that mimic legitimate resources
  • Local account and group management logs, including account creation or privilege-related changes
  • Registry, service, startup folder, scheduled autostart, and other boot/logon persistence telemetry on Windows

Detection direction

  • Build detections around sequences: discovery commands followed by staging, outbound C2, tool transfer, persistence, or exfiltration-like activity.
  • Tune Windows command-shell detections to separate routine administration from unusual execution context, user, host, timing, or destination patterns.
  • Validate that monitoring covers both application-layer web traffic and less common protocol paths, since related techniques include Web Protocols, Fallback Channels, and Non-Application Layer Protocol.
  • Look for local account creation and boot/logon autostart changes in combination with other suspicious host behaviors, not only as isolated events.
  • Review blind spots where endpoint controls cannot inspect process injection, encoded C2 content, or encrypted web traffic metadata sufficiently.

Mitigation priorities

  • Prioritize reliable Windows endpoint logging and EDR visibility before relying on malware-family-specific indicators.
  • Restrict unnecessary local administrator rights and monitor local account creation to reduce persistence opportunities.
  • Harden and monitor boot/logon autostart locations and require change-control evidence for legitimate persistence mechanisms.
  • Apply application control and execution policy where feasible to reduce unauthorized tool transfer and command execution.
  • Enforce egress control and network monitoring so fallback channels, unusual protocols, and unexpected outbound web communications are reviewable.

Analyst notes and limits

The strongest decision value comes from the relationships: Mis-Type is sparse as a standalone ATT&CK malware object, but it maps to a broad behavior set spanning execution, persistence, privilege escalation, defense evasion/stealth, discovery, collection, command-and-control, and exfiltration. Detection engineering should therefore use technique coverage validation and local baselining rather than depend on a supplied ATT&CK detection recommendation.

Official ATT&CK detection guidance is not provided. The malware object lists Windows as the platform and has no explicit malware-level tactics, so platform and tactic interpretation should remain tied to the supplied relationships and local evidence. The supplied fields support historical use in Operation Dust Storm by 2012, not current exploitation, attribution in a given incident, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Mis-Type

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows: Domain | ID | Name | Relationship / procedure
Enterprise T1106 Native API

Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`.[1]

Enterprise T1547 Boot or Logon Autostart Execution

Mis-Type has created registry keys for persistence, including `HKCU\Software\bkfouerioyou`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`.[1]

Enterprise T1016 System Network Configuration Discovery

Mis-Type may create a file containing the results of the command `cmd.exe /c ipconfig /all`.[1]

Enterprise T1059.003 Windows Command Shell Sub-technique

Mis-Type has used `cmd.exe` to run commands on a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

Mis-Type has downloaded additional malware and files onto a compromised host.[1]

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Mis-Type saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1] (Citation: Microsoft DTC)

Enterprise T1136.001 Local Account Sub-technique

Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.[1]

Enterprise T1132.001 Standard Encoding Sub-technique

Mis-Type uses Base64 encoding for C2 traffic.[1]

Enterprise T1071.001 Web Protocols Sub-technique

Mis-Type network traffic can communicate over HTTP.[1]

Enterprise T1033 System Owner/User Discovery

Mis-Type runs tests to determine the privilege level of the compromised user.[1]

Enterprise T1087.001 Local Account Sub-technique

Mis-Type may create a file containing the results of the command `cmd.exe /c net user {Username}`.[1]

Enterprise T1008 Fallback Channels

Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.[1]

Enterprise T1005 Data from Local System

Mis-Type has collected files and data from a compromised host.[1]

Enterprise T1082 System Information Discovery

The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Mis-Type has transmitted collected files and data to its C2 server.[1]

Enterprise T1095 Non-Application Layer Protocol

Mis-Type network traffic can communicate over a raw socket.[1]

Enterprise T1055 Process Injection

Mis-Type has been injected directly into a running process, including `explorer.exe`.[1]

Enterprise T1074.001 Local Data Staging Sub-technique

Mis-Type has temporarily stored collected information to the files `%AppData%\{Unique Identifier}\HOSTRURKLSR` and `%AppData%\{Unique Identifier}\NEWERSSEMP`.[1]
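An added example, not part of the Glexia or MITRE page, showing how the procedure-level indicators in this table can feed the behavior-chain detection the Detection direction section asks for: each constructed host event is tagged with a category (discovery, persistence, staging, masquerade, account) and a host is flagged only when more than one category appears, so a lone `ipconfig /all` or a legitimate `msdtc.exe` in System32 does not alert. Host names, users, paths and the assumed legitimate msdtc.exe directories are constructed; the registry keys, file names and commands come from the table above.

```python
import re

# Constructed sample host telemetry (not real logs); host names, users and paths are assumptions.
EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "ws01", "type": "process", "cmdline": "cmd.exe /c net user bob"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\bob\AppData\Roaming\a1b2c3\HOSTRURKLSR"},
    {"host": "ws01", "type": "registry", "key": r"HKCU\Software\bkfouerioyou"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\bob\AppData\Local\Temp\msdtc.exe"},
    {"host": "ws02", "type": "process", "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "ws02", "type": "file", "path": r"C:\Windows\System32\msdtc.exe"},
    {"host": "ws03", "type": "account", "user": "Lost_7f3e"},
]

# Patterns from the procedure text: T1547 keys, T1074.001 staging files, T1016/T1087.001 commands, T1036.005 name.
PERSIST_KEY = re.compile(
    r"(?i)^(HKCU\\Software\\bkfouerioyou|HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
    r"\\\{(6afa8072-b2b1-31a8-b5c1|3BF41072-B2B1-31A8-B5C1)-)")
STAGING_FILE = re.compile(r"(?i)\\AppData\\.*\\(HOSTRURKLSR|NEWERSSEMP)$")
DISCOVERY_CMD = re.compile(r"(?i)\bcmd\.exe\s+/c\s+(ipconfig\s+/all|net\s+user\b)")
LEGIT_MSDTC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumption: real DTC binary locations

def tag_event(ev):  # return the behaviour category one event matches, or None
    kind = ev["type"]
    if kind == "process" and DISCOVERY_CMD.search(ev["cmdline"]):
        return "discovery"
    if kind == "registry" and PERSIST_KEY.match(ev["key"]):
        return "persistence"
    if kind == "file":
        path = ev["path"]
        if STAGING_FILE.search(path):
            return "staging"
        low = path.lower()
        if low.endswith("\\msdtc.exe") and not low.startswith(LEGIT_MSDTC_DIRS):
            return "masquerade"  # msdtc.exe outside its legitimate location (T1036.005)
    if kind == "account" and ev["user"].startswith("Lost_"):
        return "account"  # temporary Lost_{Unique Identifier} user (T1136.001)
    return None

def categories_by_host(events):  # distinct behaviour categories observed per host
    seen = {}
    for ev in events:
        tag = tag_event(ev)
        if tag:
            seen.setdefault(ev["host"], set()).add(tag)
    return seen

def alert_hosts(events, min_categories=2):  # alert on chains only, never on one isolated indicator
    return sorted(h for h, tags in categories_by_host(events).items() if len(tags) >= min_categories)
```

With the constructed events, only ws01 alerts: ws02 shows discovery alone and a legitimate msdtc.exe, and ws03 shows a single account event that should be correlated with other host behavior before escalation.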

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0016: Operation Dust Storm

Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]

Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: 0506573bf7f096ce...

Imported snapshots across ATT&CK releases (1)
Release 19.1 | Object version 1.2 | Status: Current bundle | Raw hash 0506573bf7f0…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cylance Dust Storm: Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  2. [2] mitre-attack S0084.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.