S0142: StreamEx
StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. [1]
Analyst context for executives and security teams
StreamEx matters because it represents a Windows malware family linked in ATT&CK to Deep Panda and to behaviors that help an intruder understand a host, evade simple inspection, execute through trusted Windows components, and establish persistence. For leaders, the value is not in the malware name alone; it is a prompt to verify whether Windows endpoint, process, registry, and service telemetry can show the behaviors ATT&CK associates with this family.
Executive priority
Prioritize StreamEx as a coverage-validation use case for Windows endpoint resilience and incident readiness. ATT&CK does not provide detection guidance for this object, so executives should ask whether the organization can produce evidence for suspicious command shell use, rundll32 execution, registry modification, service creation or modification, and discovery of processes, files, system information, and security tools. This supports SOC readiness, IR scoping, audit evidence, and control investment decisions without assuming current exposure or active exploitation.
Technical view
StreamEx is documented as Windows malware used by Deep Panda since at least 2015 and distributed in 2016 via legitimate compromised Korean websites. ATT&CK relationships associate it with obfuscation, process discovery, Windows command shell, system information discovery, file and directory discovery, registry modification, rundll32, security software discovery, and Windows service persistence. SOC and IR teams should validate behavior-level detections across these linked techniques rather than rely on a malware-family signature alone.
Likely telemetry
- Windows process creation events, including parent-child relationships and command-line arguments
- Execution of cmd.exe and rundll32.exe with unusual arguments, paths, or parent processes
- Windows Registry modification events, especially changes tied to persistence or defense evasion
- Windows service creation, modification, and service binary path changes
- Endpoint file and directory enumeration activity where available
Detection direction
- Use the related ATT&CK techniques as the detection map: T1027, T1057, T1059.003, T1082, T1083, T1112, T1218.011, T1518.001, and T1543.003.
- Tune for suspicious combinations, such as discovery commands followed by registry or service changes, or rundll32 execution from unusual locations or with unusual DLL/function patterns.
- Validate that allowlisting of rundll32.exe or administrative command shells does not suppress important context.
- Account for false positives from administrators, software deployment tools, inventory agents, and legitimate service management activity.
- Because ATT&CK provides no official detection text for StreamEx, detection confidence should come from local telemetry quality, baselining, and correlation across related behaviors.
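The "suspicious combinations" idea in this list, as an added example that is not from the page, MITRE, or Cylance: a small correlation pass over constructed process-creation events that flags rundll32 loading a DLL from outside the Windows and Program Files trees, and escalates service changes or such rundll32 runs when discovery commands preceded them on the same host. The event records, the ten-minute window, and the regexes are assumptions to tune locally.

```python
"""Correlate discovery commands with follow-on service changes or rundll32 use per host."""
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (4688/Sysmon style); not real telemetry.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "cmd": "cmd.exe /c tasklist /v"},
    {"ts": "2024-05-01T10:00:09", "host": "WS01", "cmd": "cmd.exe /c systeminfo"},
    {"ts": "2024-05-01T10:02:40", "host": "WS01",
     "cmd": r'sc create wupdsvc binPath= "rundll32.exe C:\Users\Public\svc.dll,Start" start= auto'},
    {"ts": "2024-05-01T10:02:45", "host": "WS01", "cmd": r"rundll32.exe C:\Users\Public\svc.dll,Start"},
    {"ts": "2024-05-01T11:30:00", "host": "WS02",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign path
    {"ts": "2024-05-01T12:00:00", "host": "WS03", "cmd": "cmd.exe /c systeminfo"},  # discovery only
]

DISCOVERY = re.compile(r"\b(tasklist|systeminfo|wmic|fsutil\s+fsinfo|net\s+(start|user|view))\b", re.I)
SERVICE_CHANGE = re.compile(r"\bsc(\.exe)?\s+(create|config)\b", re.I)
# rundll32 handed a DLL that does not live under the Windows or Program Files trees
RUNDLL32_ODD_DLL = re.compile(r'rundll32(\.exe)?\s+(?!"?c:\\(windows|program files))\S+\.dll', re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def classify(cmd):
    """Map a command line to the ATT&CK behaviour it suggests, or None."""
    if SERVICE_CHANGE.search(cmd):
        return "T1543.003 service change"
    if RUNDLL32_ODD_DLL.search(cmd):
        return "T1218.011 rundll32 unusual DLL"
    if DISCOVERY.search(cmd):
        return "discovery (T1057/T1082/T1083)"
    return None

def correlate(events, window=WINDOW):
    """Return (host, rule, timestamp) alerts: a standalone alert for unusual rundll32,
    plus an escalated alert when discovery preceded a follow-on event within the window."""
    alerts, last_discovery = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, kind = datetime.fromisoformat(ev["ts"]), ev["host"], classify(ev["cmd"])
        if kind is None:
            continue
        if kind.startswith("discovery"):
            last_discovery[host] = ts  # remember the latest discovery per host
            continue
        if kind.startswith("T1218.011"):
            alerts.append((host, kind, ev["ts"]))
        seen = last_discovery.get(host)
        if seen is not None and ts - seen <= window:
            alerts.append((host, "discovery then " + kind, ev["ts"]))
    return alerts
```

Running `correlate(EVENTS)` yields three alerts, all for WS01; WS02's System32 rundll32 call and WS03's lone systeminfo produce none.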
Mitigation priorities
- Maintain strong Windows endpoint logging and centralized retention for process, registry, and service activity.
- Harden and monitor execution of trusted Windows utilities such as cmd.exe and rundll32.exe according to business need.
- Restrict unnecessary administrative privileges that enable registry and service modification.
- Review service creation and modification controls, including change-management evidence for production systems.
- Use behavior-based endpoint controls and file analysis to reduce dependence on static malware signatures, especially where obfuscation is expected.
Analyst notes and limits
The strongest defensive value is to treat StreamEx as a Windows behavior coverage test tied to Deep Panda reporting and the listed ATT&CK technique relationships. The object has no ATT&CK tactic list and no official detection section, so local validation should focus on whether the environment can observe and investigate the related Windows execution, discovery, evasion, and persistence behaviors.
This take uses only the supplied ATT&CK fields, external reference to Cylance Shell Crew Feb 2017, and relationships. It does not establish active exploitation, current campaign activity, guaranteed detection, or customer exposure. Several related technique descriptions list broader platforms, but StreamEx itself is supplied as Windows malware, so platform conclusions should remain Windows-scoped.
StreamEx
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | StreamEx has the ability to enumerate processes. [1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | StreamEx uses rundll32 to call an exported function. [1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start. [1] |
| Enterprise | T1112 | Modify Registry | StreamEx has the ability to modify the Registry. [1] |
| Enterprise | T1082 | System Information Discovery | StreamEx has the ability to enumerate system information. [1] |
| Enterprise | T1083 | File and Directory Discovery | StreamEx has the ability to enumerate drive types. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | StreamEx has the ability to scan for security tools such as firewalls and antivirus tools. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte XOR against 0x91 to encode configuration data. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | StreamEx has the ability to remotely execute commands. [1] |
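For the T1027 row, an added example that is not from the page, MITRE, or Cylance: an analyst helper that strips a single-byte XOR such as the 0x91 key cited above from a configuration blob and parses the result. It goes beyond the page by brute-forcing the key over all 256 values, ranking by printable ratio and confirming with a crib, because a printable-only score cannot separate the true key from keys that differ in a low bit. The config layout, field names, and values are constructed assumptions.

```python
"""Recover and strip a single-byte XOR from StreamEx-style configuration data."""
from typing import Optional

XOR_KEY = 0x91  # key reported for StreamEx configuration data

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

# Constructed sample: an invented key=value config, encoded here with 0x91.
# The fields and values are illustrative, not taken from any real sample.
SAMPLE_PLAINTEXT = b"c2=http://203.0.113.10:443/upd;svc=wupdsvc;sleep=60"
SAMPLE_BLOB = xor_single_byte(SAMPLE_PLAINTEXT, XOR_KEY)

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)

def recover_key(blob: bytes, crib: bytes = b"http") -> Optional[int]:
    """Try all 256 keys, best printable ratio first, and return the first whose
    plaintext contains the crib (e.g. 'http' for a C2 URL); None if no key fits."""
    ranked = sorted(range(256), key=lambda k: printable_ratio(xor_single_byte(blob, k)), reverse=True)
    for k in ranked:
        if crib in xor_single_byte(blob, k):
            return k
    return None

def parse_config(plain: bytes) -> dict:
    """Split 'k=v;k=v' text into a dict; an unknown layout simply yields fewer fields."""
    out = {}
    for field in plain.decode("ascii", errors="replace").split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            out[k.strip()] = v.strip()
    return out

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}")
    print(parse_config(xor_single_byte(SAMPLE_BLOB, key)))
```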
Groups, software, and campaigns
G0009: Deep Panda
Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 83ac028da25f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cylance Shell Crew Feb 2017: Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
[2] StreamEx (Citation: Cylance Shell Crew Feb 2017)
[3] mitre-attack S0142
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.