S0144: ChChes
Analyst context for executives and security teams
ChChes matters because ATT&CK describes it as a Windows Trojan associated with menuPass and likely used as an early-stage tool. For leaders, the key risk is not only the malware name but the behaviors around it: discovery, web-based command and control, tool transfer, credential access from browsers, possible masquerading, code signing abuse, encryption/encoding of C2, and security-tool interference. These are the kinds of behaviors that determine whether a compromise is contained early or develops into a larger incident.
Executive priority
Prioritize validation of endpoint and network visibility for Windows systems, especially where sensitive business operations, regulated data, or high-value users are involved. Because MITRE does not provide official detection text for ChChes, executives should ask whether the organization can prove coverage for the related ATT&CK behaviors rather than relying on malware signatures alone. This is relevant to SOC readiness, incident response triage, identity risk from browser-stored credentials, and audit evidence showing that discovery, C2, persistence, and defense-impairment behaviors are monitored.
Technical view
Treat ChChes as a behavior-driven detection problem. ATT&CK relationships link it to masquerading as legitimate resources, process/system/file discovery, web-protocol C2, ingress tool transfer, standard encoding, symmetric cryptography, Registry Run Keys/Startup Folder, code signing, browser credential access, and disabling or modifying tools. SOC and IR teams should validate Windows endpoint telemetry and network telemetry around these behaviors, especially HTTP/S-like outbound communications and suspicious cookie-header or encoded/encrypted C2 patterns referenced by the supplied reporting. Also reconcile the official description noting a lack of persistence methods with the ATT&CK relationship to T1547.001; local detections should cover both first-stage execution and any observed Run Key or Startup Folder activity.
Likely telemetry
- Windows process creation and command-line telemetry
- Parent/child process relationships for discovery utilities and unusual binaries
- File creation, rename, and directory enumeration events
- Windows Registry monitoring for Run Keys and Startup Folder persistence paths
- Endpoint security, EDR, antivirus, and logging-agent health events
Detection direction
- Do not depend on a ChChes malware name match; validate detections for the ATT&CK techniques linked to the object.
- Tune for unusual process, system, and file discovery activity from non-standard executables or unexpected user contexts.
- Review outbound web traffic for anomalous destinations, unusual cookie-header content, encoded payloads, or repeated beacon-like behavior, while accounting for normal web application noise.
- Correlate ingress tool transfer with newly created executables, code-signing metadata, and subsequent discovery or C2 activity.
- Monitor Run Key and Startup Folder changes, but avoid assuming persistence is always present because the official description says ChChes may have lacked persistence and may have been intended as a first-stage tool.
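To put the web-traffic review item above into working form, here is an added example (not from MITRE, Glexia or the cited reports) that scans constructed proxy log lines, assuming a hypothetical log layout, for Cookie values that are valid Base64 blobs and for near-regular request intervals to the same destination, mirroring the Cookie-header and Base64 behaviors listed for ChChes.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) proxy log layout: "<ISO time> <src ip> <dest host> <uri> cookie=<Cookie header>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) cookie=(.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def b64_sample(text):
    """Build a constructed sample value: a labelled fake payload, Base64-encoded like ChChes C2 data."""
    return base64.b64encode(text.encode()).decode()

# Constructed sample: one benign intranet hit, three 30-second hits carrying opaque cookies, one benign hit.
SAMPLE_LOG = "\n".join([
    "2017-02-16T10:00:00 10.0.0.5 intranet.example.local /home cookie=session=abc123; lang=en",
    f"2017-02-16T10:00:03 10.0.0.5 203.0.113.10 /index.php cookie=sid={b64_sample('constructed-beacon-0001')}",
    f"2017-02-16T10:00:33 10.0.0.5 203.0.113.10 /index.php cookie=sid={b64_sample('constructed-beacon-0002')}",
    f"2017-02-16T10:01:03 10.0.0.5 203.0.113.10 /index.php cookie=sid={b64_sample('constructed-beacon-0003')}",
    "2017-02-16T10:02:00 10.0.0.7 www.example.com /news cookie=cid=42",
])

def opaque_cookie_values(cookie_header):
    """Return (name, value) pairs whose value is a valid Base64 blob rather than a short session token."""
    found = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        try:
            if B64_RE.match(value.strip()):
                base64.b64decode(value.strip(), validate=True)  # rejects bad alphabet or padding
                found.append((name, value.strip()))
        except ValueError:
            pass
    return found

def detect_cookie_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Group opaque-cookie requests by (src, dest); flag pairs whose request intervals are near-regular."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and opaque_cookie_values(m.group(5)):
            hits[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    alerts = []
    for (src, dest), times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps) if gaps else 0.0
        # Beacon-like: enough hits and every gap within max_jitter of the mean interval
        if len(times) >= min_hits and mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            alerts.append({"src": src, "dest": dest, "hits": len(times), "interval_s": mean})
    return alerts
```

Tune `min_hits` and `max_jitter` against your own proxy baseline; legitimate session cookies can also be Base64, so the interval regularity is what separates beaconing from ordinary web noise.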
Mitigation priorities
- Ensure Windows endpoint telemetry, network egress logging, and security-tool health monitoring are enabled before relying on detections.
- Harden egress controls and proxy visibility for web-protocol C2 patterns, including inspection of relevant HTTP metadata where policy and privacy requirements allow.
- Reduce credential exposure by managing browser-saved credentials and strengthening identity controls around high-value users.
- Restrict unauthorized persistence through monitoring and control of Run Keys, Startup Folders, and executable locations commonly abused for masquerading.
- Require disciplined software trust controls, including review of code-signing status without treating a valid signature as automatically safe.
Analyst notes and limits
The strongest decision value comes from the relationship context rather than from the short malware description. ChChes is described by MITRE as a Windows Trojan apparently used exclusively by menuPass, targeting Japanese organizations in 2016, with reporting suggesting it may have been a first-stage tool. External references also note HAYMAKER is likely the same malware based on reported similarities. Use these points for threat context, but base operational detection on the listed ATT&CK behaviors.
MITRE does not provide official detection guidance for this object, the malware object has no explicit tactics listed, and the supplied relationship descriptions are partially truncated. The supplied fields do not support claims of current activity, local exposure, guaranteed detection, or confirmed attribution in any specific environment. Local telemetry, asset criticality, and incident evidence are required to determine relevance and priority.
ChChes
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols Sub-technique | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | ChChes establishes persistence by adding a Registry Run key. (Citation: PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | ChChes can encode C2 data with a custom technique that utilizes Base64. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | ChChes is capable of downloading files, including additional modules. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: FireEye APT10 April 2017) |
| Enterprise | T1685 | Disable or Modify Tools | ChChes can alter the victim's proxy configuration. (Citation: PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | ChChes steals credentials stored inside Internet Explorer. (Citation: PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1082 | System Information Discovery | ChChes collects the victim hostname, window resolution, and Microsoft Windows version. (Citation: Palo Alto menuPass Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1083 | File and Directory Discovery | ChChes collects the victim's %TEMP% directory path and version of Internet Explorer. (Citation: FireEye APT10 April 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | ChChes can encrypt C2 traffic with AES or RC4. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe). (Citation: PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1057 | Process Discovery | ChChes collects its process identifier (PID) on the victim. (Citation: Palo Alto menuPass Feb 2017) |
| Enterprise | T1553.002 | Code Signing Sub-technique | ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017) |
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d6278cd927aa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto menuPass Feb 2017
Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
[2] JPCERT ChChes Feb 2017
Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved November 17, 2024.
[3] PWC Cloud Hopper Technical Annex April 2017
PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
[4] ChChes
(Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)
[5] FireEye APT10 April 2017
FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
[6] HAYMAKER
Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)
[7] Scorpion
(Citation: PWC Cloud Hopper Technical Annex April 2017)
[8] Twitter Nick Carr APT10
Carr, N. (2017, April 6). Retrieved September 12, 2024.
[9] mitre-attack S0144
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.