S0186: DownPaper
Analyst context for executives and security teams
DownPaper is a Windows backdoor Trojan whose stated purpose is to download and run second-stage malware. For leaders, the material risk is not the downloader itself; it is that an initial foothold can become a staging point for additional tooling, persistence, discovery, and command-and-control activity before the business impact is visible.
Executive priority
Prioritize DownPaper-like behavior as an incident-readiness and control-validation issue: can the organization detect a Windows host that is using command interpreters, querying local system/user/registry data, establishing web-based communications, and creating startup persistence? This matters for containment speed, evidence quality, and auditability of endpoint, network, and identity controls. The supplied ATT&CK relationship to Magic Hound provides threat-intelligence context, but it should not be treated as proof of current targeting in any environment without local evidence.
Technical view
MITRE does not provide object-level detection text for DownPaper, so defenders should validate coverage through the related behaviors: PowerShell execution, Windows command shell execution, registry queries, system owner/user discovery, system information discovery, web-protocol command-and-control, and Registry Run Key/Startup Folder persistence. On Windows endpoints, review whether EDR, Windows event logging, PowerShell logging, registry auditing, process command-line capture, and web proxy/DNS/network telemetry are retained and correlated around the same host and user session.
Likely telemetry
- Windows process creation events, including parent/child process relationships and command-line arguments
- PowerShell execution telemetry, including script block/module logging where enabled
- Windows command shell invocation telemetry
- Registry query and registry modification events, especially Run Keys and Startup Folder-related persistence locations
- User and host discovery evidence, including commands or API activity that identify logged-on users, system details, OS version, architecture, patches, or installed software
Detection direction
- Because official detection guidance is not supplied, build detection around the ATT&CK relationships rather than a single malware name.
- Correlate suspicious command interpreter activity with discovery commands, registry access, persistence changes, and outbound web traffic from the same Windows endpoint.
- Tune PowerShell and cmd detections to reduce noise from legitimate administration by considering parent process, user context, host role, command content, frequency, and whether the activity is expected for that system.
- Validate that Run Key and Startup Folder monitoring captures both creation and modification events and retains enough context to identify the responsible process and user.
- Treat web-protocol traffic as weak evidence by itself; prioritize unusual destinations, new host-to-domain relationships, rare user agents, suspicious timing, or traffic that follows endpoint discovery/persistence activity.
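The correlation these bullets describe, as an added example that is not code from the ATT&CK object, MITRE, or the ClearSky report: a small Python detector that clusters Sysmon-style process, registry-set and network events per host, classifies each into chain stages (command interpreter, discovery, Run-key persistence, web traffic), weights an interpreter spawned by an unexpected parent, and only counts web traffic once discovery or persistence has already been seen on that host. The discovery patterns follow the user, host name and serial-number collection in the Techniques table below. The event fields, the 15-minute window, the interpreter, browser and expected-parent lists, and every sample event are assumptions constructed for the demonstration.

```python
"""Chain DownPaper-style behaviour per Windows host from endpoint telemetry.
Added example, not code from the ATT&CK object or the ClearSky report; event
fields follow Sysmon-style process, registry-set and network events, and the
sample events are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed per-host correlation window
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Assumed parents from which a shell is unremarkable; Office or mail parents weigh higher.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe", "services.exe"}
WEB_PORTS = {80, 443, 8080}
# User, host name and serial-number collection, per the T1033 / T1082 procedure text
DISCOVERY = re.compile(r"(whoami|hostname|systeminfo|win32_bios|serialnumber|\$env:(username|computername))", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)   # T1547.001

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "process" | "registry" | "network"
    image: str         # basename of the acting process
    cmdline: str = ""  # process events only
    parent: str = ""   # parent image, process events only
    target: str = ""   # registry value path, or "dst_ip:port"

def classify(ev):
    """Stages one event supports on its own; network traffic is judged in context."""
    stages, img = set(), ev.image.lower()
    if ev.kind == "process":
        if img in INTERPRETERS:
            stages.add("interpreter")
            if ev.parent.lower() not in EXPECTED_SHELL_PARENTS:
                stages.add("unexpected_parent")
            if RUN_KEY.search(ev.cmdline):   # reg add / Set-ItemProperty on a Run key
                stages.add("persistence")
        if DISCOVERY.search(img + " " + ev.cmdline):   # also whoami.exe, systeminfo.exe
            stages.add("discovery")
    elif ev.kind == "registry" and RUN_KEY.search(ev.target):
        stages.add("persistence")
    return stages

def sessions(events):
    """Per host, cluster events separated by gaps no longer than WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    out = []
    for evs in by_host.values():
        evs.sort(key=lambda e: e.ts)
        cur = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - cur[-1].ts > WINDOW:
                out.append(cur)
                cur = []
            cur.append(ev)
        out.append(cur)
    return out

def evaluate(events):
    """Alert on a session with Run-key persistence plus at least two other chain stages."""
    alerts = []
    for evs in sessions(events):
        stages = set()
        for ev in evs:   # chronological, so earlier stages are known when traffic appears
            s = classify(ev)
            if ev.kind == "network":
                port = int(ev.target.rsplit(":", 1)[1])
                # Web traffic is weak alone: count it only after discovery or persistence on this host
                if port in WEB_PORTS and ev.image.lower() not in BROWSERS and stages & {"discovery", "persistence"}:
                    s.add("c2_web")
            stages |= s
        chain = stages & {"interpreter", "discovery", "persistence", "c2_web"}
        if "persistence" in chain and len(chain) >= 3:
            alerts.append({"host": evs[0].host, "users": sorted({e.user for e in evs}),
                           "start": evs[0].ts.isoformat(), "stages": sorted(stages)})
    return alerts

T0 = datetime(2024, 3, 4, 9, 0, 0)   # constructed timestamps
SAMPLE_EVENTS = [
    # WS-ALICE: mail client spawns hidden PowerShell collecting user/host/serial, writes a Run value, talks HTTP
    Event(T0, "WS-ALICE", "alice", "process", "powershell.exe", parent="outlook.exe",
          cmdline='powershell.exe -nop -w hidden -c "$env:USERNAME;$env:COMPUTERNAME;(Get-CimInstance Win32_BIOS).SerialNumber"'),
    Event(T0 + timedelta(seconds=5), "WS-ALICE", "alice", "registry", "powershell.exe",
          target=r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(T0 + timedelta(seconds=20), "WS-ALICE", "alice", "network", "powershell.exe", target="203.0.113.10:80"),
    # WS-BOB: admin shell from Explorer plus browser traffic; nothing chains.
    Event(T0 + timedelta(hours=1), "WS-BOB", "bob", "process", "powershell.exe",
          cmdline="powershell.exe -Command Get-Service", parent="explorer.exe"),
    Event(T0 + timedelta(hours=1, minutes=2), "WS-BOB", "bob", "network", "chrome.exe", target="198.51.100.7:443"),
    # WS-CAROL: discovery, then web traffic, but no persistence; stays below threshold.
    Event(T0 + timedelta(hours=2), "WS-CAROL", "carol", "process", "whoami.exe", cmdline="whoami.exe", parent="cmd.exe"),
    Event(T0 + timedelta(hours=2, minutes=1), "WS-CAROL", "carol", "network", "svchost.exe", target="198.51.100.9:443"),
]
```

Running `evaluate(SAMPLE_EVENTS)` returns one alert, for WS-ALICE, listing all five stages; WS-BOB never gets past "interpreter", and WS-CAROL reaches discovery and web traffic but is held back by the persistence requirement. In production the per-host session would be keyed on the logon session as well, and the expected-parent and browser lists would come from the host's role rather than constants.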
Mitigation priorities
- Ensure Windows endpoint protection and logging are configured to capture process, PowerShell, registry, and network context needed for investigation.
- Harden and monitor PowerShell and Windows command shell use according to administrative need, with special attention to non-admin users and unusual parent processes.
- Restrict or alert on unauthorized persistence through Registry Run Keys and Startup Folders.
- Apply least-privilege access and administrative separation so execution under a user context limits follow-on activity where possible.
- Maintain egress monitoring and web traffic logging sufficient to investigate suspected command-and-control over common web protocols.
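One way to make the Run-key item in the list above checkable, as an added example that is not code from the ATT&CK object, MITRE, or the ClearSky report: a Python audit that parses the text written by `reg export` for a Run key and compares each REG_SZ value against an allowlist, adding a reason when the command launches a command interpreter or runs from a user-writable directory. The export text, the allowlist, the entry names (the "Windows Update" value only echoes the Run key the Techniques table says DownPaper reads) and the interpreter and path heuristics are assumptions constructed for the demonstration.

```python
"""Audit Run-key entries exported with `reg export` against a baseline.
Added example, not code from the ATT&CK object or the ClearSky report. The
export text, the allowlist and the entry names are constructed; the value
named "Windows Update" only echoes the Run key the page says DownPaper reads."""
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
INTERPRETERS = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|Windows\\Temp)\\", re.I)
# "name"="data"  or  @="data" (default value); other value types start with hex:/dword:
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def unescape(s):
    """Undo .reg escaping: a backslash protects the following character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def parse_reg_export(text):
    """Return (key, value name, command) for REG_SZ values under Run/RunOnce keys."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not RUN_KEY.search(key):
            continue
        data = m.group(2)
        if not (len(data) >= 2 and data.startswith('"') and data.endswith('"')):
            continue   # hex:, dword: or "=-" deletion markers are not REG_SZ commands
        name = "(Default)" if m.group(1) is None else unescape(m.group(1))
        entries.append((key, name, unescape(data[1:-1])))
    return entries

def audit(entries, baseline):
    """Flag entries missing from or changed against the baseline, with risk reasons."""
    findings = []
    for key, name, cmd in entries:
        if baseline.get((key, name)) == cmd:
            continue
        reasons = ["not in baseline" if (key, name) not in baseline else "command changed"]
        if INTERPRETERS.search(cmd):
            reasons.append("launches interpreter")
        if USER_WRITABLE.search(cmd):
            reasons.append("user-writable path")
        findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings

HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed export, as `reg export HKCU\...\Run run.reg` writes it once decoded from UTF-16
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Update"="powershell.exe -w hidden -nop -ep bypass -File \"C:\\Users\\alice\\AppData\\Local\\Temp\\up.ps1\""
"Legacy"=hex:00,01
'''
# Assumed allowlist captured from a known-good build of the same host
BASELINE = {(HKCU_RUN, "OneDrive"): r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'}

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT), BASELINE):
        print(finding)
```

`reg export` writes UTF-16LE with a byte-order mark, so read a real file with `open(path, encoding="utf-16")` before passing its text in. Run the same audit over the HKLM Run and RunOnce keys (and Wow6432Node on 64-bit hosts); the Startup folders are directory listings rather than registry values and need a separate file-level baseline.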
Analyst notes and limits
The useful defensive angle is behavioral: DownPaper is described as a downloader/launcher for second-stage malware, and its ATT&CK relationships point to discovery, execution, web-based command-and-control, and Windows persistence. Coverage should be assessed as an end-to-end chain rather than a signature-only question.
The supplied ATT&CK object has no official detection field, no explicit tactics on the malware object, no aliases, and only one cited external report. Any conclusions about current exploitation, victim exposure, campaign activity, or guaranteed detection require local telemetry and additional intelligence not provided here.
DownPaper
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | DownPaper collects the victim host name and serial number, and then sends the information to the C2 server. [1] |
| Enterprise | T1012 | Query Registry | DownPaper searches and reads the value of the Windows Update Registry Run key. [1] |
| Enterprise | T1033 | System Owner/User Discovery | DownPaper collects the victim username and sends it to the C2 server. [1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | DownPaper communicates to its C2 server over HTTP. [1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | DownPaper uses PowerShell for execution. [1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | DownPaper uses the command line. [1] |
Groups, software, and campaigns
G0059: Magic Hound
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 37f9d683d074… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
[2] MITRE ATT&CK. DownPaper (S0186) software description, citing ClearSky Charming Kitten Dec 2017.
[3] MITRE ATT&CK external reference: source mitre-attack, external ID S0186.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.