S0192: Pupy
Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [1] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [1] Pupy is publicly available on GitHub. [1]
Analyst context for executives and security teams
Pupy matters because it is a publicly available, open source, cross-platform remote administration and post-exploitation tool that can be packaged in multiple payload forms, including Windows executables, Python files, PowerShell, Linux ELF, APK, and Rubber Ducky formats. For leaders, the risk is not the tool name alone; it is the breadth of behaviors ATT&CK associates with it: credential access, discovery, command and control, collection, exfiltration, lateral movement, and execution across Windows, Linux, macOS, and Android environments.
Executive priority
Treat Pupy as a coverage-validation object for post-compromise readiness. Because ATT&CK provides no official detection guidance for this software, executives should ask whether security teams can prove visibility across the behaviors linked to it: credential dumping from LSASS/LSA/cached credentials, PowerShell and Python execution, web-based command and control, tool transfer, RDP-based lateral movement, local data collection, screenshots, audio capture, and exfiltration over C2. Priority should be highest where business-critical users, service accounts, remote access paths, or sensitive local data exist on supported platforms.
Technical view
SOC, detection engineering, and IR teams should validate behavior-based detections rather than relying only on tool identifiers. ATT&CK links Pupy to Windows credential-access techniques including LSASS Memory, LSA Secrets, and Cached Domain Credentials; execution through PowerShell and Python; discovery of users, processes, files, system information, network configuration, services, and connections; C2 over web protocols; ingress tool transfer; RDP lateral movement; collection from screens, audio, keystrokes, and local email; and exfiltration over the C2 channel. Since official detection text is not provided, local testing and telemetry review are required to determine whether these behaviors are observable in each supported operating environment.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, Python, discovery utilities, and unusual child-process relationships
- Windows security and endpoint telemetry related to LSASS access, LSA secrets access, cached credential access, and suspicious registry or memory access patterns
- Network telemetry for outbound web-protocol command-and-control patterns and data transfer over established C2-like channels
- Remote access logs for RDP sessions, especially valid-account use from unusual sources or at unusual times
- File system telemetry for payload staging, tool transfer, local email data access, file enumeration, and suspicious archive or collection activity
Detection direction
- Prioritize behavior detections mapped to the linked techniques because ATT&CK does not provide official detection guidance for Pupy itself.
- Tune PowerShell and Python analytics to separate administrative automation from suspicious execution chains, downloaded payloads, or post-compromise discovery sequences.
- Correlate discovery activity with subsequent credential access, tool transfer, collection, RDP use, or outbound web traffic rather than alerting on common administrative commands in isolation.
- Validate visibility into LSASS, LSA Secrets, and cached credential access on Windows systems; these are high-value blind spots for identity compromise investigations.
- Review web-protocol egress monitoring for command-and-control and exfiltration patterns, while accounting for the high false-positive potential of normal HTTP/S traffic.
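The telemetry list and detection direction above both come down to one correlation: discovery on a host, followed within a short window by credential-material access or by web egress from a process that is not a browser. The block below is an added example written for this page (not code from the ATT&CK object or from the Pupy project) that runs that correlation over a handful of constructed process-creation, LSASS-access and outbound-connection events. The `Event` schema, the hostnames and timestamps, the discovery command list, the LSASS allowlist, the browser set and the 30-minute window are all assumptions to be replaced with local values; the point is the shape of the rule, which never alerts on discovery alone.

```python
"""Correlate discovery bursts with later credential access or non-browser
web egress on the same host. All telemetry here is constructed; the schema,
allowlists and thresholds are assumptions to be tuned against local logging."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process" (command line), "lsass_access" (handle to LSASS), "net_out"
    image: str   # image name of the acting process
    detail: str  # command line, target process name, or "dst_ip:port"


# Discovery commands worth counting (assumed list; extend for your estate).
DISCOVERY_CMDS = ("net user", "net group", "net localgroup", "net view",
                  "whoami", "ipconfig", "tasklist", "netstat", "systeminfo")
# Processes expected to open LSASS on this estate (assumed allowlist).
LSASS_ALLOWLIST = {"MsMpEng.exe", "csrss.exe", "wininit.exe", "lsass.exe"}
# Non-browser processes talking to web ports are the interesting egress.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WEB_PORTS = {"80", "443", "8080", "8443"}


def is_discovery(ev: Event) -> bool:
    return ev.kind == "process" and ev.detail.lower().startswith(DISCOVERY_CMDS)


def is_cred_access(ev: Event) -> bool:
    return ev.kind == "lsass_access" and ev.image not in LSASS_ALLOWLIST


def is_suspicious_egress(ev: Event) -> bool:
    if ev.kind != "net_out" or ev.image in BROWSERS:
        return False
    return ev.detail.rsplit(":", 1)[-1] in WEB_PORTS


def correlate(events, window=timedelta(minutes=30), min_discovery=2):
    """Return one alert per credential-access or egress event that follows at
    least `min_discovery` discovery commands on the same host within `window`.
    Discovery by itself never alerts, which keeps routine admin noise out."""
    by_host: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        recent: list[Event] = []  # discovery events still inside the window
        for ev in evs:
            recent = [d for d in recent if ev.ts - d.ts <= window]
            if is_discovery(ev):
                recent.append(ev)
                continue
            if len(recent) < min_discovery:
                continue
            if is_cred_access(ev):
                stage = "credential_access"
            elif is_suspicious_egress(ev):
                stage = "web_egress"
            else:
                continue
            alerts.append({"host": host, "stage": stage, "actor": ev.image,
                           "ts": ev.ts, "preceding_discovery": [d.detail for d in recent]})
    return alerts


# Constructed sample telemetry (hosts, addresses and times are made up).
T0 = datetime(2024, 5, 6, 10, 0, 0)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    # WS01: helpdesk admin runs routine checks, browses, AV touches LSASS. No alert.
    Event(at(0), "WS01", "process", "cmd.exe", "net user alice /domain"),
    Event(at(1), "WS01", "process", "cmd.exe", "ipconfig /all"),
    Event(at(3), "WS01", "net_out", "msedge.exe", "198.51.100.20:443"),
    Event(at(4), "WS01", "lsass_access", "MsMpEng.exe", "lsass.exe"),
    # WS03: discovery, then script-host egress an hour later. Outside the window.
    Event(at(-120), "WS03", "process", "cmd.exe", "whoami /all"),
    Event(at(-119), "WS03", "process", "cmd.exe", 'net group "domain admins" /domain'),
    Event(at(-60), "WS03", "net_out", "python.exe", "203.0.113.10:443"),
    # WS07: discovery burst, LSASS handle from python.exe, then HTTPS out. Two alerts.
    Event(at(10), "WS07", "process", "cmd.exe", "whoami /groups"),
    Event(at(10), "WS07", "process", "cmd.exe", "net localgroup administrators"),
    Event(at(11), "WS07", "process", "cmd.exe", "tasklist /v"),
    Event(at(18), "WS07", "lsass_access", "python.exe", "lsass.exe"),
    Event(at(22), "WS07", "net_out", "python.exe", "203.0.113.10:443"),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["ts"].time(), a["host"], a["stage"], a["actor"], a["preceding_discovery"])
```

Run as-is it reports only the two WS07 events, each carrying the discovery commands that preceded it, while the admin host and the out-of-window host stay quiet. Widening `window` to two hours pulls WS03 in, and raising `min_discovery` silences everything; those two knobs are where the false-positive tuning the text warns about actually lives.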
Mitigation priorities
- Start with identity and credential protection: reduce exposure of privileged accounts, monitor credential material access, and limit where high-value credentials can be used.
- Harden and monitor remote access paths such as RDP, including account use, source validation, and session auditing.
- Restrict and monitor scripting execution where appropriate, especially PowerShell and Python on systems where they are not operationally required.
- Improve endpoint visibility across Windows, Linux, macOS, and Android assets that are in scope, since the tool is described as cross-platform.
- Control outbound network paths and inspect web-protocol egress where feasible to support C2 and exfiltration detection.
Analyst notes and limits
Pupy is described by ATT&CK as an open source remote administration and post-exploitation tool publicly available on GitHub and generated in several payload formats. The relationship set is broad and makes this object useful for validating post-compromise detection coverage. ATT&CK also records use by Magic Hound and APT33; that relationship supports threat-context enrichment but does not justify local attribution without independent incident evidence.
The supplied ATT&CK object has no official detection text and no object-level tactics specified. This analysis is therefore derived from the official description, supported platforms, external references, and provided relationships to groups and techniques. Local asset inventory, logging configuration, endpoint controls, and network architecture are required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1569.002 | Service Execution | |
| Enterprise | T1046 | Network Service Discovery | Pupy has a built-in module for port scanning. [1] |
| Enterprise | T1113 | Screen Capture | Pupy can drop a mouse-logger that takes small screenshots around each click and sends them back to the server. [1] |
| Enterprise | T1552.001 | Credentials In Files | Pupy can use Lazagne for harvesting credentials. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Pupy can upload and download files to/from a victim machine. [1] |
| Enterprise | T1135 | Network Share Discovery | Pupy can list local and remote shared drives and folders over SMB. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES. [1] |
| Enterprise | T1548.002 | Bypass User Account Control | Pupy can bypass Windows UAC through DLL hijacking, eventvwr, or appPaths. [1] |
| Enterprise | T1059.001 | PowerShell | Pupy has a module for loading and executing PowerShell scripts. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Pupy can enumerate local information for Linux hosts and find currently logged-on users for Windows hosts. [1] |
| Enterprise | T1136.002 | Domain Account | Pupy can use PowerView to execute "net user" commands and create domain accounts. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Pupy can send screenshot files, keylogger data, files, and recorded audio back to the C2 server. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers | Pupy can use Lazagne for harvesting credentials. [1] |
| Enterprise | T1123 | Audio Capture | Pupy can record sound with the microphone. [1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Pupy can migrate into another process using reflective DLL injection. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Pupy has built-in commands to identify a host's IP address and find other network configuration settings by viewing connected sessions. [1] |
| Enterprise | T1114.001 | Local Email Collection | Pupy can interact with a victim's Outlook session and look through folders and emails. [1] |
| Enterprise | T1543.002 | Systemd Service | Pupy can be used to establish persistence using a systemd service. [1] |
| Enterprise | T1136.001 | Local Account | Pupy can use PowerView to execute "net user" commands and create local system accounts. [1] |
| Enterprise | T1547.013 | XDG Autostart Entries | Pupy can use an XDG Autostart entry to establish persistence. (Red Canary Netwire Linux 2022) |
| Enterprise | T1083 | File and Directory Discovery | Pupy can walk through directories and recursively search for strings in files. [1] |
| Enterprise | T1082 | System Information Discovery | Pupy can grab a system's information, including the OS version, architecture, etc. [1] |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1056.001 | Keylogging | Pupy uses a keylogger to capture keystrokes, which it sends back to the server after the keylogger is stopped. [1] |
| Enterprise | T1071.001 | Web Protocols | Pupy can communicate over HTTP for C2. [1] |
| Enterprise | T1497.001 | System Checks | Pupy has a module that checks a number of indicators on the system to determine if it is running on a virtual machine. [1] |
| Enterprise | T1021.001 | Remote Desktop Protocol | Pupy can enable/disable RDP connections and can start a remote desktop session using a browser web socket client. [1] |
| Enterprise | T1550.003 | Pass the Ticket | Pupy can also perform pass-the-ticket. [1] |
| Enterprise | T1557.001 | Name Resolution Poisoning and SMB Relay | Pupy can sniff plaintext network credentials and use NBNS spoofing to poison name services. [1] |
| Enterprise | T1087.001 | Local Account | Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net localgroup, etc. [1] |
| Enterprise | T1059.006 | Python | Pupy can use an add-on feature when creating payloads that allows custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc. [1] |
| Enterprise | T1125 | Video Capture | Pupy can access a connected webcam and capture pictures. [1] |
| Enterprise | T1685.005 | Clear Windows Event Logs | Pupy has a module to clear event logs with PowerShell. [1] |
| Enterprise | T1134.001 | Token Impersonation/Theft | Pupy can obtain a list of SIDs and provide the option of selecting process tokens to impersonate. [1] |
| Enterprise | T1560.001 | Archive via Utility | Pupy can compress data with Zip before sending it over C2. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Pupy adds itself to the startup folder or adds itself to the Registry key |
| Enterprise | T1003.005 | Cached Domain Credentials | Pupy can use Lazagne for harvesting credentials. [1] |
| Enterprise | T1003.004 | LSA Secrets | Pupy can use Lazagne for harvesting credentials. [1] |
| Enterprise | T1049 | System Network Connections Discovery | Pupy has a built-in utility command for |
| Enterprise | T1555 | Credentials from Password Stores | Pupy can use Lazagne for harvesting credentials. [1] |
| Enterprise | T1057 | Process Discovery | Pupy can list the running processes and get the process ID and parent process's ID. [1] |
Groups, software, and campaigns
G0059: Magic Hound
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
G0064: APT33
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 58af2c94658c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] GitHub Pupy. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- [2] mitre-attack S0192.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.