S0131: TINYTYPHON
TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]
Analyst context for executives and security teams
TINYTYPHON is an ATT&CK software entry for a backdoor associated in reporting with the MONSOON campaign and used by Patchwork. Its practical importance is less about a named malware family alone and more about the behaviors ATT&CK links to it: persistence through Windows Run keys or Startup folders, file and directory discovery, encoded or encrypted files to hinder detection, and automated exfiltration. For leaders, this maps to a clear defensive question: can the organization prove it would notice a backdoor becoming persistent, surveying files, and staging or automating data theft?
Executive priority
Treat this as a validation case for endpoint persistence monitoring, data-loss visibility, and incident response readiness. Because ATT&CK does not provide platforms or detection guidance for the malware object itself, priority should be based on whether the linked techniques overlap with critical business systems, regulated data repositories, diplomatic/government-related exposure, or other sensitive environments. Executives should ask for evidence that SOC and IR teams can correlate suspicious persistence, discovery, obfuscation, and exfiltration behaviors rather than relying on malware-name detection alone.
Technical view
SOC and detection teams should pivot from the sparse malware record to the linked ATT&CK behaviors: T1547.001 Registry Run Keys / Startup Folder, T1083 File and Directory Discovery, T1027.013 Encrypted/Encoded File, and T1020 Automated Exfiltration. The relationship text gives these behaviors concrete shape: the backdoor installs itself under a Registry Run key, sweeps the OS drive and then every drive letter from C through Z for documents matching extensions listed in its configuration, keeps that configuration obfuscated with a single-byte XOR (0x90), and uploads each matching document to its C2 server as it is found. Validate whether endpoint telemetry captures Run key and Startup folder changes, process activity that enumerates files and directories across multiple drives, unusual encoded or encrypted artifacts, and repeated or automated outbound data movement from the same process. Since the malware object has no official detection text and no specified platforms, detections should be behavior-led and environment-scoped: Windows-specific for the T1547.001 persistence, and generalizable for the discovery and exfiltration patterns of the related techniques.
Likely telemetry
- Endpoint process execution and command-line activity related to file and directory enumeration
- Windows Registry auditing for Run key creation or modification where applicable
- Startup folder file creation or modification events where applicable
- File creation and modification metadata for suspicious encoded or encrypted artifacts
- Network egress logs, proxy logs, firewall logs, or flow records showing repeated or automated outbound transfers
Detection direction
- Do not depend solely on signatures for TINYTYPHON; ATT&CK provides no official detection text for this malware object.
- Build correlation logic around the linked behavior chain: persistence via Run keys or Startup folders, file discovery, encoded or encrypted files, and automated exfiltration.
- Tune Run key and Startup folder detections against known software updaters and administrative tools to reduce false positives while preserving visibility into new or unusual entries.
- Review whether discovery detections cover both interactive user context and automated process-driven enumeration of sensitive directories or shares.
- Validate network monitoring can distinguish routine application traffic from repeated, scripted, or unusual outbound transfer patterns.
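To make the correlation concrete, the following is an added example (not code from ATT&CK, Forcepoint, or the Glexia mirror) that runs the behavior-chain logic above over a handful of constructed endpoint events: a Run-key write, a document sweep across several drive letters, and repeated uploads to one destination, all from the same process. The event schema, the process identifiers, the allowlisted updater path, and the thresholds (five document reads across at least two drive letters, three uploads to one destination, a 30-minute window) are assumptions chosen for illustration and would be tuned to local telemetry.

```python
"""Correlate Run-key persistence, document discovery and repeated uploads per process."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
RUN_KEY_MARKER = "\\currentversion\\run\\"
# Hypothetical allowlist: images that legitimately write Run keys in this environment.
ALLOWLISTED_IMAGES = {"c:\\program files\\vendor\\updater.exe"}


def mk(ts, pid, kind, target, image="C:\\Users\\u\\AppData\\Roaming\\svc.exe", bytes_out=0):
    """Build one normalised endpoint event (constructed sample telemetry, not real logs)."""
    return {"ts": ts, "pid": pid, "type": kind, "target": target,
            "image": image, "bytes_out": bytes_out}


# Constructed sample: p1 sets a Run key, sweeps documents on C:, D: and E:, then
# uploads repeatedly to one host; p2 is an allowlisted updater writing its own Run key.
EVENTS = (
    [mk("2024-01-01T10:00:00", "p1", "registry_set",
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc")]
    + [mk(f"2024-01-01T10:01:{i:02d}", "p1", "file_read", f"{d}:\\docs\\file{i}.docx")
       for i, d in enumerate("CCCDDE")]
    + [mk(f"2024-01-01T10:02:{i:02d}", "p1", "net_connect", "203.0.113.10:443", bytes_out=4096)
       for i in range(3)]
    + [mk("2024-01-01T10:00:05", "p2", "registry_set",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
          image="C:\\Program Files\\Vendor\\updater.exe")]
)


def is_persistence(ev):
    """Run-key write by an image that is not on the allowlist."""
    return (ev["type"] == "registry_set"
            and RUN_KEY_MARKER in ev["target"].lower()
            and ev["image"].lower() not in ALLOWLISTED_IMAGES)


def correlate(events, window=timedelta(minutes=30), min_files=5, min_drives=2, min_uploads=3):
    """Return {pid: {"stages": [...], "full_chain": bool}} for every process that
    shows at least one stage inside `window` of its first event."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = datetime.fromisoformat(evs[0]["ts"])
        stages, docs, drives, uploads = set(), set(), set(), defaultdict(int)
        for ev in evs:
            if datetime.fromisoformat(ev["ts"]) - start > window:
                break
            if is_persistence(ev):
                stages.add("persistence")
            elif ev["type"] == "file_read" and os.path.splitext(ev["target"])[1].lower() in DOC_EXT:
                docs.add(ev["target"])
                drives.add(ev["target"][:1].upper())   # drive letter of a Windows path
            elif ev["type"] == "net_connect" and ev["bytes_out"] > 0:
                uploads[ev["target"]] += 1
        if len(docs) >= min_files and len(drives) >= min_drives:
            stages.add("discovery")
        if any(n >= min_uploads for n in uploads.values()):
            stages.add("exfiltration")
        if stages:
            alerts[pid] = {"stages": sorted(stages), "full_chain": len(stages) == 3}
    return alerts


if __name__ == "__main__":
    for pid, hit in correlate(EVENTS).items():
        print(pid, hit)
```

The allowlist is what keeps the updater out of the alert; the discovery test deliberately requires more than one drive letter so ordinary document editing on a single volume does not trip it, and the exfiltration test keys on repeat connections from one process to one destination rather than on byte volume alone.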
Mitigation priorities
- Prioritize basic endpoint hardening and monitoring for persistence locations, especially Windows Run keys and Startup folders where relevant.
- Limit user permissions and administrative rights so persistence mechanisms execute with reduced impact where possible.
- Strengthen egress monitoring and data movement controls for systems handling sensitive documents or regulated information.
- Maintain IR playbooks that preserve host, registry, file, and network evidence when persistence plus discovery plus outbound transfer is observed.
- Use threat intelligence enrichment for TINYTYPHON, MONSOON reporting, and Patchwork context to guide hunts, while keeping final incident conclusions evidence-based.
Analyst notes and limits
The strongest decision value comes from the relationships rather than the malware description itself. ATT&CK identifies TINYTYPHON as a backdoor reportedly drawing much code from MyDoom and used by actors responsible for the MONSOON campaign; the relationship data also links Patchwork as using this object. These references support defensive validation around persistence, discovery, obfuscation, and exfiltration, but they do not support claims of current activity or confirmed local exposure.
The official malware object does not specify platforms, tactics, aliases, labels, or detection guidance. Relationship techniques provide platform and tactic context, but that should not be treated as a complete platform statement for TINYTYPHON itself. Local telemetry, asset criticality, data sensitivity, and observed evidence are required to determine risk and coverage.
TINYTYPHON
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file. [1] |
| Enterprise | T1083 | File and Directory Discovery | TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions. [1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | TINYTYPHON installs itself under a Registry Run key to establish persistence. [1] |
| Enterprise | T1020 | Automated Exfiltration | When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server. [1] |
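As an added example that is not part of the ATT&CK record or the Forcepoint reporting, the block below shows what the T1027.013 and T1083/T1020 rows look like from the analyst's side: a configuration blob obfuscated with single-byte XOR is recovered by brute-forcing all 256 keys with a plaintext scorer (generalizing beyond the known 0x90 to any single-byte key), parsed, and then used to decide which files in a listing would match the configured extensions. The configuration contents, its key=value layout, the field names, the C2 URL and the file listing are all constructed assumptions; only the 0x90 key comes from the page.

```python
"""Recover and parse a single-byte-XOR-obfuscated configuration blob."""

# Constructed sample configuration (not recovered from TINYTYPHON); the
# key=value layout and field names are assumptions for illustration only.
CONSTRUCTED_CONFIG = (
    b"ext=.doc;.docx;.xls;.xlsx;.pdf\n"
    b"upload=http://c2.example/upload\n"
)
KEY = 0x90  # the key the Forcepoint reporting attributes to TINYTYPHON


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


ENCODED_CONFIG = xor_bytes(CONSTRUCTED_CONFIG, KEY)


def plaintext_score(data: bytes) -> int:
    """Crude text scorer: reward ASCII letters and newlines, tolerate common
    punctuation and digits, penalise control and high bytes."""
    score = 0
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A or b == 0x0A:
            score += 2
        elif 0x30 <= b <= 0x39 or b in b" .,;:=/\\-_":
            score += 1
        elif 0x20 <= b < 0x7F or b in b"\t\r":
            pass
        else:
            score -= 5
    return score


def recover_key(blob: bytes) -> int:
    """Try all 256 single-byte keys and keep the one whose output looks most like text."""
    return max(range(256), key=lambda k: plaintext_score(xor_bytes(blob, k)))


def parse_config(text: bytes) -> dict:
    """Parse the assumed key=value layout; the 'ext' field becomes a list of extensions."""
    cfg = {}
    for line in text.decode("ascii", errors="replace").splitlines():
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        k = k.strip()
        cfg[k] = [e.strip().lower() for e in v.split(";")] if k == "ext" else v.strip()
    return cfg


def matching_documents(paths, extensions):
    """Return the paths whose extension is in the configured list (case-insensitive),
    i.e. the files the T1083 sweep would hand to the T1020 upload."""
    exts = {e.lower() for e in extensions}
    return [p for p in paths if any(p.lower().endswith(e) for e in exts)]


if __name__ == "__main__":
    key = recover_key(ENCODED_CONFIG)
    cfg = parse_config(xor_bytes(ENCODED_CONFIG, key))
    print(hex(key), cfg)
    # Constructed file listing standing in for a multi-drive sweep.
    print(matching_documents(["C:\\a\\Q3.DOCX", "D:\\b\\notes.txt", "E:\\c\\plan.pdf"], cfg["ext"]))
```

On a real sample the scorer should be treated as producing a ranked list rather than a single answer; confirm the top candidate by checking for strings the configuration is expected to contain (extension lists, URLs) before trusting it. The recovered extension list is also the natural input to a file-access detection, since it states exactly which file types the backdoor will read and upload.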
Groups, software, and campaigns
G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. [1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the mirrored ATT&CK snapshot from which this object was imported. Where several ATT&CK releases have been imported, the same object can be compared across releases by object version, MITRE modification timestamp and raw object hash; MITRE's own release notes are published under ATT&CK resources, Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | db37ae70c4e3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and its object hash.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Forcepoint. Retrieved September 22, 2016.
[2] MITRE ATT&CK. S0131: TINYTYPHON.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.