MITRE ATT&CK® Malware

S0109: WEBC2

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [1][2]

Domain: Enterprise | ID: S0109 | Type: Malware | Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

WEBC2 matters because it represents a Windows backdoor pattern where command-and-control instructions are pulled from a web page and hidden inside HTML comments or special tags. For leaders, the practical issue is not only the named malware family, but whether the organization can spot abnormal outbound web access, command execution, DLL abuse, and tool transfer activity on Windows systems before an intrusion becomes harder to contain.

Executive priority

Treat this as a control-validation use case for endpoint visibility, web egress monitoring, and incident response readiness. The supplied ATT&CK context links WEBC2 to APT1 and to Windows Command Shell, Ingress Tool Transfer, and DLL abuse techniques, so security leaders should ask whether SOC teams can reconstruct which Windows hosts contacted unusual web destinations, executed command shells, loaded suspicious DLLs, or received additional tools. This also supports audit and compliance evidence around logging, monitoring, and response capability, rather than vulnerability patch prioritization alone.

Technical view

ATT&CK provides no official detection text for WEBC2, so defenders should validate coverage from the described behavior and related techniques. On Windows, look for unusual processes retrieving web content from predetermined or uncommon external destinations, especially where subsequent activity involves cmd.exe execution, file downloads/tool transfer, or suspicious DLL loading patterns. Detection engineering should correlate network/web telemetry with endpoint process, module load, and file creation events instead of relying on any single indicator or static malware name.

Likely telemetry

  • Windows endpoint process creation telemetry, especially command shell execution
  • Endpoint file creation and modification telemetry associated with downloaded tools or staged files
  • DLL/module load telemetry and application execution context
  • Web proxy, firewall, or secure web gateway logs showing outbound HTTP/HTTPS requests
  • DNS resolution logs for external command-and-control infrastructure analysis

Detection direction

  • Validate whether Windows hosts have sufficient endpoint logging to connect web retrieval activity with later cmd.exe execution, file transfer, or DLL loading.
  • Tune detections around suspicious web access patterns from non-browser or unexpected processes, while accounting for legitimate software update and management tools that may also retrieve web content.
  • Use relationship-driven context: WEBC2 is associated with Windows Command Shell, Ingress Tool Transfer, and DLL abuse, so alerts should be enriched with process ancestry, downloaded file details, and module load context.
  • Do not depend on ATT&CK-provided detection logic for this object; none is supplied. Local baselines and environment-specific allowlists are required.
  • Where possible, correlate endpoint and network evidence to reduce false positives and identify whether web traffic is followed by execution or tool staging.
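The correlation the Technical view and Detection direction describe, as an added example that is not Glexia or MITRE code: it walks Sysmon-like endpoint and network events per host, flags outbound HTTP/HTTPS from a process that is neither a browser nor an allowlisted updater, ties later cmd.exe creation and executable file drops back to that fetcher by process ancestry and pid inside a time window, and separately flags a watchlisted system DLL loaded from outside System32 (the relationship table below names %SYSTEMROOT%\ntshrui.dll). The event schema, the allowlists, the DLL watchlist and the sample events are constructed assumptions for illustration.

```python
"""Correlate web retrieval by unexpected processes with follow-on shell execution,
tool drops and suspicious DLL loads on the same Windows host.

Added example for the Detection direction above; not Glexia or MITRE code.
The event schema (Sysmon-like field names), the allowlists and the constructed
sample events are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

# Processes expected to fetch web content; anything else counts as a "non-browser" fetcher.
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Assumed local allowlist for update/management agents (tune per environment).
ALLOWLISTED_FETCHERS = {"msiexec.exe", "ccmexec.exe"}
SHELLS = {"cmd.exe"}
TOOL_EXTENSIONS = {".exe", ".dll", ".bat", ".ps1"}
# Internal ranges; a destination outside them is treated as external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Directories from which a system DLL is legitimately loaded; a watchlisted name loaded
# from elsewhere (the ATT&CK text names %SYSTEMROOT%\ntshrui.dll) is flagged.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HIJACK_WATCHLIST = {"ntshrui.dll"}  # assumed watchlist; extend from your own module-load baseline
WINDOW = timedelta(minutes=15)        # how long after a fetch we look for follow-on activity

# Constructed sample telemetry: one host shows the full chain, one shows benign look-alikes.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS-01", "type": "net", "image": "chrome.exe", "pid": 100,
     "dest_ip": "198.51.100.5", "dest_port": 443},
    {"ts": "2024-05-01T09:01:00", "host": "WS-01", "type": "net", "image": "svcupdate.exe", "pid": 200,
     "dest_ip": "198.51.100.7", "dest_port": 80},
    {"ts": "2024-05-01T09:02:30", "host": "WS-01", "type": "proc", "image": "cmd.exe", "pid": 201, "ppid": 200},
    {"ts": "2024-05-01T09:03:10", "host": "WS-01", "type": "file", "image": "svcupdate.exe", "pid": 200,
     "path": r"C:\Users\Public\tool.exe"},
    {"ts": "2024-05-01T09:04:00", "host": "WS-01", "type": "load", "image": "explorer.exe", "pid": 50,
     "path": r"C:\WINDOWS\ntshrui.dll"},
    {"ts": "2024-05-01T09:05:00", "host": "WS-02", "type": "net", "image": "msiexec.exe", "pid": 300,
     "dest_ip": "198.51.100.9", "dest_port": 443},
    {"ts": "2024-05-01T09:06:00", "host": "WS-02", "type": "load", "image": "explorer.exe", "pid": 51,
     "path": r"C:\WINDOWS\System32\ntshrui.dll"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_suspicious_fetch(ev):
    """Outbound HTTP/HTTPS to an external address from a process that should not be browsing."""
    return (ev["type"] == "net" and ev["dest_port"] in (80, 443) and is_external(ev["dest_ip"])
            and ev["image"].lower() not in BROWSER_LIKE | ALLOWLISTED_FETCHERS)


def dll_outside_system_dir(path):
    """True when a watchlisted DLL name is loaded from outside the system directories."""
    p = PureWindowsPath(path)
    return p.name.lower() in HIJACK_WATCHLIST and str(p.parent).lower() not in SYSTEM_DLL_DIRS


def correlate(events, window=WINDOW):
    """Return {host: [finding, ...]} for hosts with chained or stand-alone suspicious activity."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        hits = []
        for fetch in (e for e in evs if is_suspicious_fetch(e)):
            hits.append(f"web_fetch:{fetch['image']}->{fetch['dest_ip']}:{fetch['dest_port']}")
            for ev in evs:  # follow-on activity tied to the fetcher by process ancestry / pid
                delta = _ts(ev) - _ts(fetch)
                if not timedelta(0) <= delta <= window:
                    continue
                if ev["type"] == "proc" and ev["image"].lower() in SHELLS and ev.get("ppid") == fetch["pid"]:
                    hits.append(f"shell_from_fetcher:{ev['image']}")
                elif (ev["type"] == "file" and ev.get("pid") == fetch["pid"]
                      and PureWindowsPath(ev["path"]).suffix.lower() in TOOL_EXTENSIONS):
                    hits.append(f"tool_transfer:{ev['path']}")
        # The DLL check runs independently: the loading process (e.g. explorer.exe) is not the fetcher.
        for ev in evs:
            if ev["type"] == "load" and dll_outside_system_dir(ev["path"]):
                hits.append(f"dll_load_outside_system32:{ev['path']}")
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host)
        for h in hits:
            print("  ", h)
```

On the sample data WS-01 yields four findings (the non-browser fetch, the cmd.exe child of the fetcher, the dropped tool.exe and the ntshrui.dll load from C:\WINDOWS), while WS-02 produces none because msiexec.exe is allowlisted and its ntshrui.dll load comes from System32. The allowlist and the DLL watchlist are the environment-specific baselines the Detection direction calls for; the window and the pid-based linkage are where false positives are traded against missed chains.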

Mitigation priorities

  • Prioritize visibility first: ensure Windows endpoint, DNS, proxy/firewall, and file activity logs are collected and retained long enough for investigation.
  • Restrict and monitor outbound web access from servers and high-value workstations where business requirements allow.
  • Harden command shell and script execution governance through least privilege, administrative control, and monitoring.
  • Review controls that reduce DLL abuse opportunities, including application control, trusted search paths, and monitoring of unusual DLL loads where feasible.
  • Prepare IR playbooks that can rapidly isolate a Windows host, collect process/network/file/DLL evidence, and determine whether additional tools were transferred.

Analyst notes and limits

The strongest supported context is that WEBC2 is a Windows backdoor family used by APT1 as early as July 2006, with commands hidden in retrieved web content. ATT&CK relationships show use of Windows Command Shell, Ingress Tool Transfer, and DLL-related abuse, which should shape validation and hunting priorities.

Official ATT&CK detection guidance is not provided, tactics are not specified for the malware object, and no active exploitation or current campaign information is supplied. Any conclusions about exposure, prevalence, or detection coverage require local telemetry and threat intelligence validation.

Official MITRE ATT&CK definition

WEBC2

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                                   Relationship / procedure
Enterprise  T1574.001  DLL (sub-technique)                    Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll). [1]
Enterprise  T1105      Ingress Tool Transfer                  WEBC2 can download and execute a file. [2]
Enterprise  T1059.003  Windows Command Shell (sub-technique)  WEBC2 can open an interactive command shell. [2]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0006: APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 5be260dc5a232d68...

Imported snapshots across ATT&CK releases (1)
Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      2.0                       Current bundle  5be260dc5a23…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Mandiant APT1 Appendix. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  [2] Mandiant APT1. Mandiant. (n.d.). APT1 Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
  [3] WEBC2. (Citation: Mandiant APT1)
  [4] mitre-attack S0109.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.