S0085: S-Type
S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.[1]
Analyst context for executives and security teams
S-Type matters because ATT&CK records it as a Windows backdoor used in the long-running Operation Dust Storm campaign. Even with no official detection guidance, its mapped behaviors show a practical intrusion pattern defenders should validate: host discovery, local account and persistence activity, web-based command and control, tool transfer, exfiltration over C2, and cleanup of files or persistence artifacts.
Executive priority
Treat S-Type as a decision prompt for Windows endpoint, identity, network, and incident response readiness rather than as a standalone signature problem. Leaders should ask whether teams can prove collection and response coverage for backdoor behaviors: unusual local account creation, Run Key or Startup Folder persistence, shortcut-based persistence, suspicious command shell use, web C2 with encoded data, ingress tool transfer, and evidence cleanup. This is relevant to resilience and audit evidence because several mapped behaviors affect the ability to preserve forensic records and demonstrate control effectiveness after a suspected compromise.
Technical view
The supplied ATT&CK object has no official detection text and no object-level tactics, but relationships map S-Type to discovery, execution, persistence, command-and-control, exfiltration, and stealth techniques. SOC and IR teams should validate Windows-focused detections for System Service Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Information Discovery, Local Account Discovery, System Language Discovery, Windows Command Shell execution, Native API-linked behaviors where observable, Registry Run Keys/Startup Folder persistence, Shortcut Modification, local account creation, Web Protocols for C2, fallback channels, standard encoding, ingress tool transfer, exfiltration over C2, software packing, masquerading through legitimate names or locations, file deletion, and clearing persistence artifacts.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe and administrative discovery commands
- Windows registry auditing for Run Keys and related startup persistence locations
- Startup folder and shortcut creation or modification events
- Local user and group creation or modification events
- Endpoint file creation, deletion, rename, and path/name anomaly telemetry
Detection direction
- Prioritize behavior chains over malware naming: discovery commands followed by persistence changes, outbound web C2, tool transfer, or cleanup are more useful than a single indicator when official detection guidance is absent.
- Tune Windows discovery detections carefully because service, account, user, network, and system information queries are common administrative activity; raise confidence when they occur from unusual users, paths, parent processes, or shortly after new executable creation.
- Validate persistence monitoring for both Registry Run Keys/Startup Folder and shortcut modification; these are common blind spots if only service-based persistence is monitored.
- Review local account creation detections for context: legitimate IT provisioning can look similar, so include actor, host role, timing, privilege level, and subsequent logon or command activity.
- For web C2 and exfiltration-over-C2 coverage, confirm that proxy and network logs preserve enough metadata (source, destination, port, connection outcome, request size and URI) to distinguish unusual destinations, repeated beacon-like patterns, encoded content indicators, or unexpected upload behavior without relying on payload inspection alone.
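The behavior-chain idea in the first four points above, as an added example that is not code from MITRE, the Cylance report, or any EDR vendor: discovery commands the page maps to S-Type (`net user`, `ipconfig /all`) followed within a window by Run key or Startup `.lnk` persistence, a `Lost_`-prefixed local account, or an `msdtc.exe` running outside System32 are scored together, while the same discovery commands from a help-desk session with no follow-up score nothing. The event records, their field names, the `net start`/`sc query` patterns used for service discovery, and the Run key value name are all constructed assumptions of this example; the page does not record the exact service-discovery command or Run key name S-Type used.

```python
"""Behavior-chain correlation over constructed Windows endpoint events.

Added example for this page; it is not code from MITRE or the Cylance report.
Every event below is a constructed sample record, and the record schema
(ts, host, user, kind, image, cmdline, path, account) is an assumption of
this example rather than any real EDR or Windows event format.
"""
import re
from datetime import datetime, timedelta

# Discovery commands the page maps to S-Type (`net user`, `ipconfig /all`).
# `net start` / `sc query` are generic T1007 commands assumed here; the page
# does not record the exact service-discovery command S-Type ran.
DISCOVERY_PATTERNS = {
    "T1087.001": re.compile(r"\bnet\s+user\b", re.I),
    "T1016": re.compile(r"\bipconfig\s+/all\b", re.I),
    "T1007": re.compile(r"\b(net\s+start|sc\s+query)\b", re.I),
}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SYSTEM32 = re.compile(r"^[A-Z]:\\Windows\\System32\\[^\\]+$", re.I)


def classify(ev):
    """Map one event to (category, reason), or None when it is not of interest."""
    kind = ev["kind"]
    if kind == "process":
        cmd, image = ev.get("cmdline", ""), ev.get("image", "")
        # T1036.005: a file named like the DTC service binary but outside System32.
        if image.lower().endswith("\\msdtc.exe") and not SYSTEM32.match(image):
            return "masquerade", f"msdtc.exe outside System32: {image}"
        if "/add" not in cmd.lower():  # `net user ... /add` is creation, not discovery
            for tid, pat in DISCOVERY_PATTERNS.items():
                if pat.search(cmd):
                    return "discovery", f"{tid}: {cmd}"
        return None
    if kind == "registry" and RUN_KEY.search(ev.get("path", "")):
        return "persistence", f"T1547.001 Run key value: {ev['path']}"
    if kind == "file" and STARTUP_LNK.search(ev.get("path", "")):
        return "persistence", f"T1547.001/T1547.009 Startup .lnk: {ev['path']}"
    if kind == "account_created":
        acct = ev.get("account", "")
        tag = " (S-Type-style Lost_ prefix)" if acct.lower().startswith("lost_") else ""
        return "account", f"T1136.001 local account {acct}{tag}"
    return None


def score_host_chains(events, window=timedelta(minutes=30)):
    """Per host: require a discovery command followed within `window` by persistence,
    account creation or masquerading. Returns {host: {"score", "evidence"}} only for
    hosts that complete the chain; discovery commands on their own never score."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            by_host.setdefault(ev["host"], []).append((ev["ts"], ev.get("user", "?")) + hit)
    findings = {}
    for host, hits in by_host.items():
        discovery = [h for h in hits if h[2] == "discovery"]
        if not discovery:
            continue
        start = discovery[0][0]
        chained = [h for h in hits if h[2] != "discovery" and start <= h[0] <= start + window]
        if not chained:
            continue
        score = len({h[3].split(":")[0] for h in discovery})  # distinct discovery techniques
        score += len({h[2] for h in chained})                 # distinct follow-up categories
        score += sum(1 for h in chained if "Lost_" in h[3] or h[2] == "masquerade")
        findings[host] = {
            "score": score,
            "evidence": [f"{t:%H:%M} {u} {c}: {r}" for t, u, c, r in discovery + chained],
        }
    return findings


T0 = datetime(2016, 2, 1, 10, 0)
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    # WS01: implant-style chain (discovery, masqueraded binary, persistence, account)
    {"ts": T0 + timedelta(minutes=1), "host": "WS01", "user": "alice", "kind": "process", "image": CMD, "cmdline": "cmd.exe /c net user"},
    {"ts": T0 + timedelta(minutes=2), "host": "WS01", "user": "alice", "kind": "process", "image": CMD, "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": T0 + timedelta(minutes=3), "host": "WS01", "user": "alice", "kind": "process", "image": CMD, "cmdline": "cmd.exe /c net start"},
    {"ts": T0 + timedelta(minutes=4), "host": "WS01", "user": "alice", "kind": "process", "image": r"C:\Users\alice\AppData\Roaming\msdtc.exe", "cmdline": "msdtc.exe"},
    {"ts": T0 + timedelta(minutes=5), "host": "WS01", "user": "alice", "kind": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SampleValue"},
    {"ts": T0 + timedelta(minutes=6), "host": "WS01", "user": "alice", "kind": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.lnk"},
    {"ts": T0 + timedelta(minutes=7), "host": "WS01", "user": "SYSTEM", "kind": "account_created", "account": "Lost_a1b2c3"},
    # WS02: help-desk discovery with no follow-up (must not score)
    {"ts": T0 + timedelta(minutes=1), "host": "WS02", "user": "helpdesk", "kind": "process", "image": CMD, "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": T0 + timedelta(minutes=2), "host": "WS02", "user": "helpdesk", "kind": "process", "image": CMD, "cmdline": "cmd.exe /c net user"},
    # WS03: legitimate provisioning and the real DTC binary (must not score)
    {"ts": T0, "host": "WS03", "user": "itadmin", "kind": "account_created", "account": "jdoe"},
    {"ts": T0, "host": "WS03", "user": "itadmin", "kind": "process", "image": r"C:\Windows\System32\msdtc.exe", "cmdline": "msdtc.exe"},
]

if __name__ == "__main__":
    for host, finding in score_host_chains(SAMPLE_EVENTS).items():
        print(f"{host}: score {finding['score']}")
        for line in finding["evidence"]:
            print("   ", line)
```

The scoring is deliberately simple: distinct discovery techniques plus distinct follow-up categories, with extra weight for the two indicators the page ties most closely to S-Type (the `Lost_` account prefix and a misplaced `msdtc.exe`). In production the window, the Run key and Startup paths, and the list of discovery commands should come from the local baseline rather than from this example.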
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are in place before relying on detections for this object, since ATT&CK provides no official detection procedure for S-Type.
- Harden and monitor persistence locations, including Run Keys, Startup folders, and shortcut-based startup execution paths.
- Restrict and review local account creation rights; require administrative accountability and alert on unexpected local user additions.
- Apply least privilege and administrative separation so command shell execution, native API abuse, persistence changes, and cleanup activity have fewer opportunities to succeed.
- Control outbound web traffic through monitored egress points and retain proxy/DNS/firewall logs sufficient for C2 and exfiltration investigation.
Analyst notes and limits
The decision value is in the relationship-driven behavior set. S-Type is documented as a Windows backdoor associated with Operation Dust Storm, and ATT&CK maps it to multiple techniques spanning discovery, execution, persistence, command-and-control, exfiltration, and stealth. Coverage assessment should be performed against these behaviors in the local Windows environment rather than assuming a named-malware alert will exist.
The official object description is brief, aliases and labels are not supplied, tactics are not specified at the malware object level, and official detection guidance is not provided. This analysis therefore avoids claims about current activity, specific indicators, exploit methods, impact, or guaranteed detection. Local telemetry, baselines, and control implementation are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | S-Type may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1] (Citation: Microsoft DTC) |
| Enterprise | T1033 | System Owner/User Discovery | S-Type has run tests to determine the privilege level of the compromised user.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | S-Type has uploaded data and files from a compromised host to its C2 servers.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | S-Type can download additional files onto a compromised host.[1] |
| Enterprise | T1008 | Fallback Channels | S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.[1] |
| Enterprise | T1071.001 | Web Protocols | S-Type uses HTTP for C2.[1] |
| Enterprise | T1059.003 | Windows Command Shell | S-Type has provided the ability to execute shell commands on a compromised host.[1] |
| Enterprise | T1614.001 | System Language Discovery | S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the `GetKeyboardType` API call.[1] |
| Enterprise | T1136.001 | Local Account | S-Type may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6"{Unique Identifier}`.[1] |
| Enterprise | T1070.004 | File Deletion | S-Type has deleted files it has created on a compromised host.[1] |
| Enterprise | T1082 | System Information Discovery | The initial beacon packet for S-Type contains the operating system version and file system of the victim.[1] |
| Enterprise | T1132.001 | Standard Encoding | S-Type uses Base64 encoding for C2 traffic.[1] |
| Enterprise | T1547.009 | Shortcut Modification | S-Type may create the file |
| Enterprise | T1027.002 | Software Packing | Some S-Type samples have been packed with UPX.[1] |
| Enterprise | T1070.009 | Clear Persistence | S-Type has deleted accounts it has created.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | S-Type has used `ipconfig /all` on a compromised host.[1] |
| Enterprise | T1007 | System Service Discovery | S-Type runs the command |
| Enterprise | T1106 | Native API | S-Type has used Windows APIs, including `GetKeyboardType`, `NetUserAdd`, and `NetUserDel`.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key |
| Enterprise | T1087.001 | Local Account | S-Type has run the command `net user` on a victim.[1] |
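The network side of the table, as an added example that is not code from MITRE or the Cylance report: the T1008, T1071.001, T1132.001 and T1082 rows describe HTTP C2 on port 80 that falls back to 443 or 8080, Base64-encoded traffic, and a first beacon carrying OS version and file-system details. The three heuristics below run over a constructed, simplified proxy/firewall export and flag (a) a source that fails on port 80 and then retries the same destination on 443 and 8080, (b) query-string values that are strict Base64 of printable text, and (c) allowed flows that repeat at a fixed interval. The log layout, the `/index.asp` URIs, the TEST-NET addresses and the beacon content are all constructed assumptions; the page does not publish S-Type's real URIs, servers or beacon format.

```python
"""Network heuristics for the C2 pattern this page maps to S-Type.

Added example, not code from MITRE or the Cylance report. The log format is a
constructed, simplified proxy/firewall export (timestamp, src, dst:port,
connection outcome, method, URI); every line and address below is constructed.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) "
    r"(?P<action>ALLOW|DENY|RESET) (?P<method>[A-Z]+) (?P<uri>\S+)$"
)
QUERY_VALUE_RE = re.compile(r"[?&][^=&]+=([^&]+)")


def parse_log(text):
    """Parse the constructed log format into dict records; unknown lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def decode_if_base64(value):
    """Return the decoded text when value is strict Base64 of mostly printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    text = raw.decode("ascii", errors="replace")
    printable = sum(32 <= ord(c) < 127 for c in text)
    return text if printable >= 0.9 * len(text) else None


def find_fallback_sequences(records, window=timedelta(minutes=2)):
    """T1008: a failed port-80 attempt followed by 443/8080 to the same destination."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"])].append(r)
    hits = []
    for (src, dst), recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["port"] != 80 or r["action"] == "ALLOW":
                continue
            later = [x for x in recs[i + 1:] if x["ts"] - r["ts"] <= window and x["port"] in (443, 8080)]
            if later:
                hits.append({"src": src, "dst": dst, "first_ts": r["ts"],
                             "ports": [80] + [x["port"] for x in later]})
                break
    return hits


def find_encoded_beacons(records):
    """T1132.001/T1082: query-string values that decode to readable text (e.g. OS details)."""
    hits = []
    for r in records:
        for value in QUERY_VALUE_RE.findall(r["uri"]):
            decoded = decode_if_base64(value)
            if decoded is not None:
                hits.append({"src": r["src"], "dst": r["dst"], "port": r["port"], "decoded": decoded})
    return hits


def find_regular_beacons(records, min_count=3, jitter=timedelta(seconds=10)):
    """Allowed flows to one dst:port whose inter-arrival times are nearly constant."""
    flows = defaultdict(list)
    for r in records:
        if r["action"] == "ALLOW":
            flows[(r["src"], r["dst"], r["port"])].append(r["ts"])
    hits = []
    for (src, dst, port), times in flows.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_count and max(gaps) - min(gaps) <= jitter:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(times), "interval": gaps[0]})
    return hits


# Constructed beacon content: OS version and file system, as the T1082 row describes.
BEACON = base64.b64encode(b"Windows 7 SP1;NTFS").decode()  # V2luZG93cyA3IFNQMTtOVEZT
POLL = base64.b64encode(b"poll").decode()                    # cG9sbA==
SAMPLE_LOG = f"""
2016-02-01 10:00:00 10.1.1.20 203.0.113.10:80 RESET POST /index.asp?id={BEACON}
2016-02-01 10:00:05 10.1.1.20 203.0.113.10:443 RESET POST /index.asp?id={BEACON}
2016-02-01 10:00:10 10.1.1.20 203.0.113.10:8080 ALLOW POST /index.asp?id={BEACON}
2016-02-01 10:05:10 10.1.1.20 203.0.113.10:8080 ALLOW GET /index.asp?c={POLL}
2016-02-01 10:10:10 10.1.1.20 203.0.113.10:8080 ALLOW GET /index.asp?c={POLL}
2016-02-01 10:15:10 10.1.1.20 203.0.113.10:8080 ALLOW GET /index.asp?c={POLL}
2016-02-01 10:02:00 10.1.1.30 198.51.100.5:443 ALLOW GET /search?q=reports
2016-02-01 10:03:00 10.1.1.30 198.51.100.5:80 ALLOW GET /index.html
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fallback:", find_fallback_sequences(recs))
    print("encoded:", find_encoded_beacons(recs))
    print("regular:", find_regular_beacons(recs))
```

None of the three checks is strong alone: port fallback also happens with misconfigured proxies, Base64 appears in legitimate session tokens, and regular intervals describe every software updater. Their value is in coincidence on the same source and destination, which is why each function keeps `src` and `dst` in its output so the results can be joined before anyone is paged.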
Groups, software, and campaigns
C0016: Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
Object version and sync metadata
The fields below describe the mirrored snapshot used for this page. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object versions, MITRE timestamps, and bundle hashes). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 9f7bd27d9ab4… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cylance Dust Storm: Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- [2] mitre-attack: MITRE ATT&CK software object S0085 (S-Type).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.