S0117: XTunnel
Analyst context for executives and security teams
XTunnel matters because it is described as a VPN-like proxy that can relay traffic between a command-and-control server and a victim Windows environment. For leaders, the practical issue is not the malware name alone; it is whether the organization can see and control unauthorized proxying, fallback communications, encrypted C2 traffic, and command execution that may let an intruder maintain access and move traffic through trusted networks.
Executive priority
Prioritize XTunnel as a resilience and incident-response readiness concern where Windows systems, sensitive networks, or high-value identities are in scope. The ATT&CK relationships point to command-and-control proxying, fallback channels, asymmetric cryptography, Windows command shell execution, discovery, credential search in files, and obfuscation. Executives should ask whether network monitoring, endpoint telemetry, egress controls, credential storage hygiene, and incident containment playbooks can prove coverage for those behaviors, not just whether a signature exists for this malware family.
Technical view
ATT&CK provides no official detection text for XTunnel, so defenders should validate behavior-based coverage around the related techniques: Proxy, Fallback Channels, Asymmetric Cryptography, Windows Command Shell, Network Service Discovery, Credentials in Files, Obfuscated Files or Information, and Junk Code Insertion. SOC teams should test whether Windows endpoint telemetry and network controls can identify unusual proxy-like processes, unexpected outbound destinations, fallback C2 patterns, encrypted traffic inconsistent with normal application behavior, suspicious cmd.exe use, scanning or service enumeration, and access to files likely to contain credentials. Relationship context also notes reported use by APT28, but local detection should be based on observable behaviors and environment baselines rather than attribution assumptions.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe activity
- Network connection metadata from endpoints, proxies, firewalls, DNS, and secure web gateways
- Egress traffic logs showing unusual relay/proxy behavior or alternate communication paths
- TLS or encrypted-session metadata where available, without assuming content visibility
- File access telemetry for configuration files, shared locations, backups, or other files that may contain credentials
Detection direction
- Because MITRE does not provide an official detection section, validate detections against the related ATT&CK techniques rather than relying on a single XTunnel indicator.
- Tune for abnormal outbound proxying from Windows hosts, especially systems that do not normally relay traffic or initiate broad external communications.
- Correlate command shell execution with network activity, service discovery, and credential-file access to reduce false positives from legitimate administration.
- Review blind spots in encrypted C2 visibility: asymmetric cryptography may hide content, so metadata, process ownership, destination reputation, timing, and host context become important.
- Check whether fallback-channel behavior would be noticed if a primary destination were blocked, including repeated attempts to alternate destinations or protocols.
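The detection direction above, and the behaviour-based coverage the technical view calls for, can be exercised offline against sample telemetry. The script below is an added example written for this page; it is not MITRE's, Glexia's, or any vendor's detection content. It assumes Sysmon-style process-create and network-connect records (the `EVENTS` list, the `svc.exe` path, the host names and the internal address ranges are all constructed) and implements three of the checks listed above: fallback-port cycling to one external address after failed attempts (T1008), cmd.exe spawned by a process that has recent outbound connections (T1059.003 correlated with T1090), and external egress from a non-approved process on a host not in the relay baseline.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Records loosely follow Sysmon
# Event ID 1 (process create) and Event ID 3 (network connect) field names.
# "ok" marks whether the connection attempt succeeded (False = refused/blocked).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS-017", "kind": "process", "pid": 3300,
     "image": r"C:\Users\Public\svc.exe", "parent": r"C:\Windows\explorer.exe", "parent_pid": 1500},
    {"ts": "2024-05-01T09:00:02", "host": "WS-017", "kind": "network", "pid": 3300,
     "image": r"C:\Users\Public\svc.exe", "dst_ip": "203.0.113.10", "dst_port": 443, "ok": False},
    {"ts": "2024-05-01T09:00:04", "host": "WS-017", "kind": "network", "pid": 3300,
     "image": r"C:\Users\Public\svc.exe", "dst_ip": "203.0.113.10", "dst_port": 8443, "ok": False},
    {"ts": "2024-05-01T09:00:07", "host": "WS-017", "kind": "network", "pid": 3300,
     "image": r"C:\Users\Public\svc.exe", "dst_ip": "203.0.113.10", "dst_port": 4443, "ok": True},
    {"ts": "2024-05-01T09:00:30", "host": "WS-017", "kind": "process", "pid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\Public\svc.exe", "parent_pid": 3300},
    # Benign activity for contrast: a browser reaching one destination on one port,
    # and an administrator opening cmd.exe from Explorer, which made no connections.
    {"ts": "2024-05-01T09:01:00", "host": "WS-042", "kind": "network", "pid": 2200,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "198.51.100.5",
     "dst_port": 443, "ok": True},
    {"ts": "2024-05-01T09:02:00", "host": "WS-042", "kind": "process", "pid": 5010,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe", "parent_pid": 1800},
]

# Constructed baseline: address space treated as internal for the egress check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _t(event):
    return datetime.fromisoformat(event["ts"])


def fallback_port_cycling(events, window=timedelta(minutes=5), min_ports=3):
    """T1008: one process contacting the same external IP on several ports inside
    a short window, with at least one failed attempt. This is what switching to a
    server-supplied fallback port after the primary port closes looks like."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "network":
            by_key[(e["host"], e["pid"], e["dst_ip"])].append(e)
    hits = []
    for (host, pid, ip), conns in by_key.items():
        conns.sort(key=_t)
        ports = {c["dst_port"] for c in conns}
        failed = any(not c["ok"] for c in conns)
        if len(ports) >= min_ports and failed and _t(conns[-1]) - _t(conns[0]) <= window:
            hits.append({"host": host, "pid": pid, "dst_ip": ip, "ports": sorted(ports)})
    return hits


def shell_spawned_by_network_process(events, window=timedelta(minutes=10)):
    """T1059.003 + T1090: cmd.exe whose parent made outbound connections on the same
    host shortly before. Plain cmd.exe launches are too common to alert on alone;
    the network correlation is what separates them from routine administration."""
    net_by_pid = defaultdict(list)
    for e in events:
        if e["kind"] == "network":
            net_by_pid[(e["host"], e["pid"])].append(e)
    hits = []
    for e in events:
        if e["kind"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        recent = [c for c in net_by_pid.get((e["host"], e.get("parent_pid")), [])
                  if timedelta(0) <= _t(e) - _t(c) <= window]
        if recent:
            hits.append({"host": e["host"], "cmd_pid": e["pid"], "parent": e["parent"],
                         "dst": sorted({(c["dst_ip"], c["dst_port"]) for c in recent})})
    return hits


def unexpected_external_egress(events, relay_hosts=frozenset(), allowed_images=frozenset()):
    """Least-privilege egress baseline: outbound connections to non-internal addresses
    from a process that is not an approved network client, on a host that is not
    expected to relay traffic. Returns one record per (host, image)."""
    allowed = {a.lower() for a in allowed_images}
    seen = {}
    for e in events:
        if e["kind"] != "network" or e["host"] in relay_hosts or e["image"].lower() in allowed:
            continue
        ip = ipaddress.ip_address(e["dst_ip"])
        if any(ip in net for net in INTERNAL_NETS):
            continue
        seen.setdefault((e["host"], e["image"]), set()).add((e["dst_ip"], e["dst_port"]))
    return [{"host": h, "image": img, "dst": sorted(d)} for (h, img), d in sorted(seen.items())]


if __name__ == "__main__":
    firefox = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    for name, hits in (("fallback port cycling", fallback_port_cycling(EVENTS)),
                       ("cmd.exe from network process", shell_spawned_by_network_process(EVENTS)),
                       ("unexpected egress", unexpected_external_egress(EVENTS, allowed_images={firefox}))):
        print(name)
        for h in hits:
            print("  ", h)
```

Against the constructed events, only WS-017 trips all three checks: the cmd.exe launched from Explorer on WS-042 and the browser's single connection are left alone. In production the windows, port thresholds, relay-host set and allowed-image list are the tuning knobs, and the allowlist should be populated from an environment baseline rather than a static list, because the point of the correlation is to suppress ordinary administration without suppressing a proxy that has merely been renamed.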
Mitigation priorities
- Enforce least-privilege egress controls so Windows hosts only communicate externally where business-required.
- Strengthen endpoint monitoring and response coverage for command execution, suspicious network processes, file access, and service discovery.
- Reduce credential exposure by finding and removing insecure credentials stored in files, shared locations, backups, or configuration data.
- Segment sensitive networks so a proxy tool on one host cannot freely relay traffic across critical environments.
- Maintain incident response playbooks for suspected command-and-control proxying, including host isolation, network block validation, credential review, and scope assessment.
Analyst notes and limits
XTunnel is a malware/software object in enterprise ATT&CK with Windows listed as the platform. The supplied description says it is a VPN-like network proxy tool first seen in May 2013 and reportedly used by APT28 during the Democratic National Committee compromise. The strongest defensive value comes from the relationship-mapped behaviors: proxying, fallback channels, encrypted C2, command shell execution, discovery, credential-file access, and obfuscation.
The object has no official ATT&CK detection guidance and no object-level tactics are specified. Several related techniques list broader platforms, but the XTunnel object itself is supplied with Windows as its platform; this take does not extend XTunnel platform scope beyond that. Local telemetry, baselines, and confirmed indicators are required to assess actual exposure or detection coverage.
XTunnel
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.001 | Credentials In Files (sub-technique) | XTunnel is capable of accessing locally stored passwords on victims. (Citation: Invincea XTunnel) |
| Enterprise | T1027.016 | Junk Code Insertion (sub-technique) | A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products. (Citation: ESET Sednit Part 2) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | XTunnel has been used to execute remote commands. (Citation: Crowdstrike DNC June 2016) |
| Enterprise | T1046 | Network Service Discovery | XTunnel is capable of probing the network for open ports. (Citation: Invincea XTunnel) |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | XTunnel uses SSL/TLS and RC4 to encrypt traffic. (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2) |
| Enterprise | T1090 | Proxy | XTunnel relays traffic between a C2 server and a victim. (Citation: Crowdstrike DNC June 2016) |
| Enterprise | T1027 | Obfuscated Files or Information | A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products. (Citation: ESET Sednit Part 2) |
| Enterprise | T1008 | Fallback Channels | The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port. (Citation: ESET Sednit Part 2) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 6afaad167b53… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Crowdstrike DNC June 2016: Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- [2] Invincea XTunnel: Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
- [3] ESET Sednit Part 2: ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- [4] Symantec APT28 Oct 2018: Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- [5] Trojan.Shunnael (Citation: Symantec APT28 Oct 2018)
- [6] X-Tunnel (Citation: Crowdstrike DNC June 2016) (Citation: Symantec APT28 Oct 2018)
- [7] XAPS (Citation: ESET Sednit Part 2)
- [8] XTunnel (Citation: ESET Sednit Part 2)
- [9] mitre-attack S0117
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.