S0153: RedLeaves
Analyst context for executives and security teams
RedLeaves is a Windows malware family that ATT&CK associates with menuPass and that overlaps in code with PlugX. Its practical significance is not any single technique but the combination of post-compromise behaviors ATT&CK links to it: host and network discovery, command execution, persistence through Windows startup mechanisms, credential access from browsers, screen capture, file transfer, cleanup, and web-based command-and-control that may use encryption or non-standard ports.
Executive priority
Treat RedLeaves as a validation case for Windows endpoint resilience and post-compromise visibility. Leadership should ask whether the organization can prove coverage for suspicious autoruns, command-shell activity, browser credential access, file transfer, and abnormal outbound web traffic. Because ATT&CK provides no official detection guidance for this object, confidence should come from local telemetry tests, incident response playbooks, and audit-ready evidence of endpoint, identity, and egress-control monitoring rather than from the malware name alone.
Technical view
SOC and IR teams should validate behavior-based coverage on Windows rather than relying only on family signatures. The relationship set points to discovery via system, user, file, network configuration, and network connection enumeration; execution through Windows Command Shell; persistence through Registry Run Keys, Startup Folder, and Shortcut Modification; DLL abuse; browser credential access; screen capture; ingress tool transfer; file deletion; and command-and-control over web protocols, non-standard ports, and symmetric encryption. Detection engineering should correlate endpoint process, file, registry, module-load, credential-store, and network telemetry into attack chains that distinguish routine administration from unusual post-compromise sequencing.
Likely telemetry
- Windows process creation and command-line logs, especially cmd.exe and discovery utilities
- Registry autorun changes, Startup Folder writes, and shortcut creation or modification events
- File creation, deletion, rename, and staging activity for transferred or encoded/encrypted files
- DLL load events and suspicious DLL placement or execution context
- Browser credential store file access and related endpoint alerts
Detection direction
- Build detections around ATT&CK-related behaviors rather than the RedLeaves name, since official detection text is not provided.
- Correlate discovery commands followed by persistence changes, tool transfer, credential-store access, or outbound web traffic to reduce false positives from legitimate administration.
- Tune autorun, Startup Folder, shortcut, and DLL-abuse detections for known enterprise software installers and management tools.
- Review egress monitoring for web protocols on unexpected ports and encrypted command-and-control patterns, while accounting for legitimate proxies and business applications.
- Confirm Windows endpoint coverage first; related ATT&CK techniques list broader platforms, but this malware object lists Windows as its only platform.
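The correlation idea in the second bullet above, worked through as an added example (not part of the original page and not RedLeaves or ATT&CK code): a small classifier maps Windows endpoint events to the stages this page names (discovery from a command shell, Startup Folder shortcut or Run key persistence, browser credential store access, tool drop, HTTP on a non-standard port) and only reports a host when a discovery event is followed within a time window by enough distinct stages. All event records, field names, paths and host names are constructed for the example; the discovery utility list and browser store file names are assumptions a team would replace with its own.

```python
"""Correlate Windows endpoint telemetry into post-compromise chains.

Added illustration for the detection direction above. Every event record,
field name and host name below is constructed for this example; nothing is
taken from a RedLeaves sample or from ATT&CK data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities covering the system, user, file, network-configuration
# and network-connection discovery techniques related to this object (assumed list).
DISCOVERY_IMAGES = {"ipconfig.exe", "systeminfo.exe", "whoami.exe", "netstat.exe",
                    "net.exe", "query.exe", "qwinsta.exe", "hostname.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
RUN_KEY_MARKER = "\\currentversion\\run"
BROWSER_STORE_HINTS = ("\\login data", "\\logins.json")  # Chrome / Firefox credential stores
WEB_PORTS = {80, 443, 8080}                               # ports where HTTP(S) is expected


def classify(ev):
    """Map one raw event to a stage name, or None if it is not of interest."""
    kind = ev["type"]
    if kind == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        if image in DISCOVERY_IMAGES and parent == "cmd.exe":
            return "discovery"          # discovery utility spawned from a command shell
    elif kind == "file":
        path = ev["path"].lower()
        if ev["op"] == "create" and STARTUP_MARKER in path and path.endswith(".lnk"):
            return "persistence"        # Startup Folder shortcut (T1547.001 / T1547.009)
        if ev["op"] == "read" and any(h in path for h in BROWSER_STORE_HINTS):
            return "credential_store"   # browser credential store access (T1555.003)
        if ev["op"] == "create" and "\\temp\\" in path and path.endswith(".exe"):
            return "tool_transfer"      # new executable dropped in a temp path (T1105)
    elif kind == "registry":
        if ev["op"] == "set" and RUN_KEY_MARKER in ev["key"].lower():
            return "persistence"        # Registry Run key (T1547.001)
    elif kind == "network":
        if ev.get("protocol") == "http" and ev["dst_port"] not in WEB_PORTS:
            return "egress_nonstandard" # HTTP on an unexpected port (T1071.001 + T1571)
    return None


def find_chains(events, window_minutes=30, min_stages=3):
    """Return one chain per host where a discovery event is followed, within the
    window, by enough distinct stages to look like post-compromise sequencing."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    window = timedelta(minutes=window_minutes)
    chains = []
    for host, items in by_host.items():
        items.sort()
        for i, (t0, stage0) in enumerate(items):
            if stage0 != "discovery":
                continue                # chains are anchored on discovery activity
            in_window = [s for t, s in items[i:] if t - t0 <= window]
            stages = set(in_window)
            if len(stages) >= min_stages:
                chains.append({"host": host, "start": t0.isoformat(),
                               "stages": sorted(stages), "events": len(in_window)})
                break                   # one chain per host is enough for triage
    return chains


# Constructed sample telemetry. WS01 shows a suspicious sequence; WS02 shows an
# administrator running ipconfig while an installer writes a Startup shortcut.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-05-01T10:00:00", "type": "process",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS01", "time": "2024-05-01T10:01:00", "type": "process",
     "image": "C:\\Windows\\System32\\whoami.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS01", "time": "2024-05-01T10:05:00", "type": "file", "op": "create",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"host": "WS01", "time": "2024-05-01T10:06:00", "type": "file", "op": "read",
     "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"host": "WS01", "time": "2024-05-01T10:10:00", "type": "network", "protocol": "http",
     "dst_ip": "203.0.113.10", "dst_port": 995},
    {"host": "WS02", "time": "2024-05-01T11:00:00", "type": "process",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS02", "time": "2024-05-01T11:20:00", "type": "file", "op": "create",
     "path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Vendor Agent.lnk"},
    {"host": "WS02", "time": "2024-05-01T11:25:00", "type": "network", "protocol": "https",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(chain)
```

With the default threshold of three distinct stages only WS01 is reported; WS02 (discovery plus a Startup shortcut, but normal HTTPS egress) stays below it, which is the tuning point the bullets describe: lower `min_stages` or widen the window to trade sensitivity for noise from legitimate administration.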
Mitigation priorities
- Prioritize reliable Windows endpoint logging and retention for process, registry, file, DLL, and network events.
- Harden and monitor autorun locations, Startup Folders, shortcut execution paths, and DLL loading behavior.
- Limit credential exposure by reducing browser-stored passwords where feasible and monitoring access to browser credential stores.
- Apply least privilege and application control principles to reduce unauthorized command execution, tool transfer, and persistence.
- Enforce egress controls and proxy visibility for outbound web traffic, including review of non-standard protocol and port pairings.
Analyst notes and limits
The ATT&CK object identifies RedLeaves as a malware family used by menuPass, with code overlap with PlugX and possible basis in the open source tool Trochilus. External references include PwC and FireEye reporting from 2017, a BUGJUICE equivalence assessment, and a social media reference. The most useful defensive value is the relationship-driven behavior map, not a static label.
ATT&CK provides no official detection text for RedLeaves, and the object itself has no specified tactics. The malware platform is Windows, while several related techniques have broader platform lists that should not be assumed for this object without local evidence. This take does not assess current exploitation, customer exposure, or detection coverage.
RedLeaves
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.009 | Shortcut Modification (sub-technique) | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. (PWC Cloud Hopper Technical Annex April 2017; Accenture Hogfish April 2018) |
| Enterprise | T1574.001 | DLL (sub-technique) | RedLeaves is launched through use of DLL search order hijacking to load a malicious DLL. (FireEye APT10 April 2017) |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | RedLeaves can gather browser usernames and passwords. (Accenture Hogfish April 2018) |
| Enterprise | T1113 | Screen Capture | RedLeaves can capture screenshots. (FireEye APT10 April 2017; Accenture Hogfish April 2018) |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | A RedLeaves configuration file is encrypted with a simple XOR key, 0x53. (PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | RedLeaves can delete specified files. (PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell. (PWC Cloud Hopper Technical Annex April 2017; FireEye APT10 April 2017) |
| Enterprise | T1016 | System Network Configuration Discovery | RedLeaves can obtain information about network parameters. (PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1082 | System Information Discovery | RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information. (PWC Cloud Hopper Technical Annex April 2017; Accenture Hogfish April 2018) |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear. (PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1033 | System Owner/User Discovery | RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions. (PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | RedLeaves can communicate to its C2 over HTTP and HTTPS if directed. (FireEye APT10 April 2017; Accenture Hogfish April 2018) |
| Enterprise | T1083 | File and Directory Discovery | RedLeaves can enumerate and search for files and directories. (PWC Cloud Hopper Technical Annex April 2017; FireEye APT10 April 2017) |
| Enterprise | T1571 | Non-Standard Port | RedLeaves can use HTTP over non-standard ports, such as 995, for C2. (PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys. (PWC Cloud Hopper Technical Annex April 2017; Accenture Hogfish April 2018) |
| Enterprise | T1049 | System Network Connections Discovery | RedLeaves can enumerate drives and Remote Desktop sessions. (PWC Cloud Hopper Technical Annex April 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | RedLeaves is capable of downloading a file from a specified URL. (PWC Cloud Hopper Technical Annex April 2017) |
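The T1027.013 and T1573.001 rows above give two concrete parameters an analyst can test captured artefacts against: a configuration file XORed with the single byte 0x53, and C2 traffic encrypted with RC4 under the keys 88888888 or babybear. The helper below is an added example for incident responders, not RedLeaves or ATT&CK code: it applies the documented XOR key and each documented RC4 key to a blob and reports a hit only when the result is mostly printable text. The sample blobs are constructed by the script itself from chosen plaintext (no real samples), the printable-ratio plausibility check is an assumed heuristic, and the host, port and URL strings in the plaintext are placeholders.

```python
"""Triage helper: test whether a captured blob decodes under the RedLeaves
parameters ATT&CK records (XOR key 0x53 for the configuration file; RC4 keys
88888888 and babybear for C2 traffic).

Added example for analysts; not RedLeaves code. The blobs at the bottom are
constructed by this script so the checks run offline against known plaintext.
"""
XOR_KEY = 0x53
RC4_KEYS = (b"88888888", b"babybear")


def xor_decode(data, key=XOR_KEY):
    """Single-byte XOR; applying it twice returns the original bytes."""
    return bytes(b ^ key for b in data)


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                               # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(buf, threshold=0.9):
    """Assumed plausibility heuristic: mostly printable ASCII means a key candidate hit."""
    if not buf:
        return False
    printable = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(buf) >= threshold


def try_decode_config(blob):
    """Return ("xor", plaintext) if the XOR 0x53 key yields readable text, else None."""
    decoded = xor_decode(blob)
    return ("xor", decoded) if looks_like_text(decoded) else None


def try_decrypt_c2(blob):
    """Try each documented RC4 key; return (key, plaintext) on the first readable hit."""
    for key in RC4_KEYS:
        plain = rc4(key, blob)
        if looks_like_text(plain):
            return key.decode(), plain
    return None


# Constructed test material (not real samples): plaintext chosen here, then
# encoded with the documented parameters so the helpers can be exercised.
CONFIG_PLAIN = b"host=c2.example.invalid;port=995;sleep=300"
CONFIG_BLOB = xor_decode(CONFIG_PLAIN)
C2_PLAIN = b"GET /index.php?id=WS01 HTTP/1.1"
C2_BLOB = rc4(b"88888888", C2_PLAIN)

if __name__ == "__main__":
    print(try_decode_config(CONFIG_BLOB))
    print(try_decrypt_c2(C2_BLOB))
```

In practice the blob comes from a carved configuration file or a decrypted-at-the-proxy capture; a miss under all documented keys is not exoneration, since the PwC annex describes these keys as ones the family "previously" used, so a negative result should send the analyst back to the behavior-based detections rather than close the case.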
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | e69364a45113… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] PWC Cloud Hopper Technical Annex April 2017. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- [2] FireEye APT10 April 2017. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- [3] BUGJUICE. Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)
- [4] RedLeaves. (Citation: PWC Cloud Hopper Technical Annex April 2017)
- [5] Twitter Nick Carr APT10. Carr, N. (2017, April 6). Retrieved September 12, 2024.
- [6] mitre-attack S0153.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.