S0134: Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [1]

Domain: Enterprise. ID: S0134. Type: Malware. Object version: 1.2.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Downdelph is a Windows first-stage downloader documented by ATT&CK as rarely used by APT28 between 2013 and 2015. Its business relevance is less about current prevalence and more about readiness for early-stage intrusion behavior: an initial downloader can be the point where a security team either contains an incident quickly or allows follow-on tooling, privilege elevation, and command-and-control activity to develop.

Executive priority

Treat this as a validation case for Windows endpoint visibility, command-and-control monitoring, and incident response decision-making. Because ATT&CK provides no detection guidance and describes limited historical use, leaders should not over-prioritize Downdelph as a standalone malware family; instead, use it to test whether controls would catch downloader behavior, suspicious file transfer, encrypted or obfuscated C2, DLL abuse, and UAC bypass attempts that can affect business continuity and audit confidence.

Technical view

SOC and IR teams should validate coverage around the behaviors linked to Downdelph: Junk Data in C2 traffic, Ingress Tool Transfer, Bypass User Account Control, Symmetric Cryptography for C2, and DLL abuse. Since the object platform is Windows and no official detection text is provided, detection engineering should focus on behavior-based analytics rather than malware-name matching alone. Confirm whether endpoint, network, and Windows security telemetry can connect an initial suspicious process to downloaded payloads, privilege changes, DLL load anomalies, and unusual outbound communications.

Likely telemetry

  • Windows endpoint process creation and parent-child process lineage
  • File creation, modification, and download evidence on Windows hosts
  • DLL load events and module path anomalies
  • Windows UAC elevation and integrity-level related events where available
  • Network connection metadata for outbound command-and-control patterns

Detection direction

  • Do not rely only on signatures for Downdelph; ATT&CK does not provide detection guidance and the malware is described as rare and historical.
  • Tune for downloader behavior: newly created executables or DLLs followed by outbound connections and additional file retrieval.
  • Review detections for C2 traffic that may include junk data or symmetric encryption, using metadata and anomaly context rather than assuming readable payloads.
  • Validate Windows detections for UAC bypass attempts and DLL abuse, especially where unusual processes load DLLs from unexpected locations.
  • Correlate endpoint and network telemetry so file transfer, execution, privilege activity, and outbound traffic can be reviewed as one incident story.
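The "download, then execute or load" chain the bullets above describe, as an added correlation example (not Glexia's or MITRE's code) run over constructed Sysmon-style events; the event types and field names are assumptions, not a specific product's schema.

```python
from collections import defaultdict

EXEC_EXT = (".exe", ".dll")

# Constructed sample telemetry (Sysmon-style, not real data); ts is a sequence number.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "ppid": 20,
     "image": r"C:\Users\u\AppData\Local\Temp\stage1.exe"},
    {"ts": 2, "type": "network", "pid": 100, "dst": "203.0.113.7", "dport": 443},
    {"ts": 3, "type": "file", "pid": 100, "path": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    {"ts": 4, "type": "network", "pid": 100, "dst": "203.0.113.7", "dport": 443},
    {"ts": 5, "type": "file", "pid": 100, "path": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    {"ts": 6, "type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    {"ts": 7, "type": "imageload", "pid": 200, "module": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    # A benign updater also connects out, but writes no executable afterwards.
    {"ts": 8, "type": "process", "pid": 300, "ppid": 20, "image": r"C:\Program Files\Vendor\updater.exe"},
    {"ts": 9, "type": "network", "pid": 300, "dst": "198.51.100.9", "dport": 443},
]


def downloader_chains(events):
    """Return {pid: finding} for processes that connected out, then wrote an
    .exe or .dll, and whose written file was later executed or loaded by some
    process. Each stage alone is routine; the ordered chain is the signal."""
    st = defaultdict(lambda: {"net": 0, "written": {}, "used": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, kind = ev["pid"], ev["type"]
        if kind == "network":
            st[pid]["net"] += 1
        elif kind == "file" and ev["path"].lower().endswith(EXEC_EXT):
            if st[pid]["net"]:  # count only files written after outbound traffic
                st[pid]["written"][ev["path"].lower()] = ev["ts"]
        elif kind in ("process", "imageload"):
            target = ev.get("image", ev.get("module", "")).lower()
            # Attribute the execution or load back to whichever process wrote the file.
            for s in st.values():
                if target in s["written"]:
                    s["used"].append((kind, pid, target))
    return {pid: {"connections": s["net"], "payloads": sorted(s["written"]), "used": s["used"]}
            for pid, s in st.items() if s["net"] and s["written"] and s["used"]}


if __name__ == "__main__":
    for pid, finding in downloader_chains(EVENTS).items():
        print(f"pid {pid}: {finding['connections']} connections, payloads {finding['payloads']}")
        for kind, user, path in finding["used"]:
            print(f"  {kind} by pid {user}: {path}")
```

Only pid 100 is reported: the updater connects out but never writes an executable, so it never completes the chain.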

Mitigation priorities

  • Prioritize Windows endpoint hardening and monitoring sufficient to observe downloader execution, file writes, DLL loading, and privilege-related activity.
  • Limit unnecessary local administrator rights and review UAC-related control posture to reduce the value of bypass attempts.
  • Control and monitor external file transfer paths, including proxy, firewall, and DNS visibility for suspicious downloads.
  • Maintain incident response playbooks for first-stage downloader findings, including host isolation, scoping of downloaded files, and review of outbound communications.
  • Use threat intelligence conservatively: the APT28 relationship is relevant for context and prioritization, but local evidence should drive incident severity and response actions.

Analyst notes and limits

ATT&CK identifies Downdelph as a Delphi-based first-stage downloader used by APT28 in rare instances between 2013 and 2015. The most useful defender takeaway is the behavior cluster around initial download, command-and-control concealment, tool transfer, privilege escalation, and DLL abuse, not a claim that this specific malware is currently present.

The supplied ATT&CK object has no official detection text, no aliases, no labels, and no object-level tactics listed. Assessment of exposure, detection coverage, or current relevance requires local telemetry, control configuration, and threat intelligence beyond the supplied fields.

Official MITRE ATT&CK definition

Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Each entry lists domain, ID, name, and the relationship or procedure note:

  • Enterprise, T1001.001, Junk Data (sub-technique): Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them. [1]
  • Enterprise, T1548.002, Bypass User Account Control (sub-technique): Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database. [1]
  • Enterprise, T1573.001, Symmetric Cryptography (sub-technique): Downdelph uses RC4 to encrypt C2 responses. [1]
  • Enterprise, T1105, Ingress Tool Transfer: After downloading its main config file, Downdelph downloads multiple payloads from C2 servers. [1]
  • Enterprise, T1574.001, DLL (sub-technique): Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise): G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 764a0d9692f30342...

Imported snapshots across ATT&CK releases (1):
  • Release: 19.1; Bundle imported: ; Object version: 1.2; Modified: ; Status: Current bundle; Raw hash: 764a0d9692f3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET Sednit Part 3: ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  2. [2] mitre-attack S0134.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.