
S0199: TURNEDUP

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

Domain: Enterprise | ID: S0199 | Type: Malware | Object version: 1.1

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

TURNEDUP matters because it is described by ATT&CK as a non-public Windows backdoor associated through reporting with APT33 activity and dropped by StoneDrill malware. For leaders, the practical issue is not broad commodity malware coverage; it is whether Windows endpoint, persistence, process-injection, command execution, tool-transfer, discovery, and screen-capture visibility would let the organization recognize and contain a post-compromise backdoor in a higher-consequence environment such as aviation or energy, where APT33 has been reported to show interest.

Executive priority

Prioritize validation of Windows endpoint monitoring and incident response readiness for backdoor behaviors rather than relying on a named-malware signature. The ATT&CK record provides no official detection guidance, so assurance should come from evidence that SOC teams can see and investigate the related behaviors: APC-based process injection, cmd.exe execution, system information discovery, inbound tool transfer, screen capture, and Run key or Startup Folder persistence. This is especially relevant for organizations using ATT&CK to support audit evidence, resilience planning, and threat-informed control prioritization in sectors where APT33 reporting is relevant.

Technical view

Treat TURNEDUP as a behavior-led detection and response use case for Windows. Validate telemetry and analytics around T1055.004 Asynchronous Procedure Call injection, T1059.003 Windows Command Shell execution, T1082 System Information Discovery, T1105 Ingress Tool Transfer, T1113 Screen Capture, and T1547.001 Registry Run Keys / Startup Folder. Because ATT&CK does not provide official detection text for this malware, SOC and IR teams should map local detections to those related techniques, confirm they can pivot from persistence or process-injection signals to command execution, file transfer, discovery, and collection activity, and avoid assuming that malware-name detections alone provide coverage.

Likely telemetry

  • Windows endpoint process creation and parent-child process relationships, especially cmd.exe activity
  • Endpoint telemetry for process injection or suspicious cross-process memory/thread activity relevant to APC injection
  • Windows Registry monitoring for Run key changes and Startup Folder file creation
  • File creation, download, and transfer evidence for tools or payloads entering hosts
  • Host and network logs showing command-and-control-adjacent file transfer patterns, where available

Detection direction

  • Build detection coverage around the related ATT&CK techniques rather than the TURNEDUP name, since the official object provides no detection section.
  • Tune Windows Command Shell detections for unusual execution context, uncommon parent processes, service or persistence-launched shells, and activity chained with discovery or transfer behavior.
  • Validate detection of Run key and Startup Folder persistence, with allowlisting for legitimate software updaters and administrative tooling to reduce false positives.
  • Confirm endpoint controls can surface APC-style injection or comparable process-injection telemetry; this is a common blind spot when only basic process-creation logs are collected, because the APC queue write itself never appears in a process event.
  • Correlate possible tool transfer with subsequent command execution, discovery, or screen capture, because individual file downloads may be benign without behavioral context.
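As an added example, not part of the ATT&CK object or of Glexia's analysis: a Python correlation pass over constructed Sysmon-style events (id 1 process creation, 11 file creation, 13 registry value set) that implements the detection directions above. It flags Run key persistence with an allowlist for legitimate updaters, cmd.exe launched from an unexpected parent and chained with a discovery command, a hollow rundll32.exe launch as the process-creation residue of the "created Rundll32 process" in the T1055.004 relationship row, and executable drops into user-writable paths that only count once chained with the other signals. The hostnames, paths, timestamps, allowlist prefixes, expected parent set and event shapes are hypothetical sample data; a production version would read EDR or Sysmon telemetry instead of the inline list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical local policy (assumed, tune per estate): persistence targets under
# these prefixes are treated as legitimate updaters/admin tooling (allowlisted).
ALLOWED_PERSISTENCE_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")
EXPECTED_SHELL_PARENTS = {r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
DISCOVERY_MARKERS = ("systeminfo", "whoami", "ipconfig", "hostname")

# Constructed Sysmon-style events (id 1 = process create, 11 = file create,
# 13 = registry value set). Hosts, paths and timestamps are sample data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "id": 13,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "id": 11,
     "target": r"C:\Users\alice\AppData\Roaming\svc\tool.exe"},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo", "parent": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"},
    {"ts": "2024-05-01T09:00:30", "host": "WS01", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe", "parent": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"},
    # Benign noise on another host: allowlisted updater, user-launched shell.
    {"ts": "2024-05-01T09:10:00", "host": "WS02", "id": 13,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\Update\updater.exe"},
    {"ts": "2024-05-01T09:11:00", "host": "WS02", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe", "parent": r"C:\Windows\explorer.exe"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)

def _hit(e, technique, reason):
    return {"host": e["host"], "ts": e["ts"], "technique": technique, "reason": reason}

def detect_persistence(events):
    """T1547.001: Run key value set whose target is not an allowlisted image."""
    return [_hit(e, "T1547.001", f"Run key {e['key']} -> {e['details']}") for e in events
            if e["id"] == 13 and r"\currentversion\run" in e["key"].lower()
            and not e["details"].startswith(ALLOWED_PERSISTENCE_PREFIXES)]

def detect_shell(events):
    """T1059.003: cmd.exe from an unexpected or user-writable parent; a discovery
    command on the same line is recorded separately as T1082."""
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        if e["parent"] in EXPECTED_SHELL_PARENTS and not _user_writable(e["parent"]):
            continue
        hits.append(_hit(e, "T1059.003", f"cmd.exe spawned by {e['parent']}"))
        if any(m in e["cmdline"].lower() for m in DISCOVERY_MARKERS):
            hits.append(_hit(e, "T1082", f"discovery: {e['cmdline']}"))
    return hits

def detect_rundll32(events):
    """Process-creation proxy for the T1055.004 row: rundll32.exe with no DLL/export
    argument, or from a user-writable parent. Process logs cannot see the APC
    queue write itself; a hollow, freshly created rundll32 host is its residue."""
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith(r"\rundll32.exe"):
            continue
        cl = e["cmdline"].lower()
        if (".dll" in cl or "," in cl) and not _user_writable(e["parent"]):
            continue
        hits.append(_hit(e, "T1055.004", f"rundll32 '{e['cmdline']}' from {e['parent']}"))
    return hits

def detect_tool_drop(events):
    """T1105 candidate: executable written to a user-writable path. Benign alone;
    it only counts once chained with the signals above."""
    return [_hit(e, "T1105", f"executable dropped: {e['target']}") for e in events
            if e["id"] == 11 and e["target"].lower().endswith(".exe") and _user_writable(e["target"])]

def correlate(events, window_minutes=5):
    """Per host, anchor on a persistence or injection-adjacent finding and collect
    distinct techniques inside the window. Escalate only when the anchor is joined
    by at least two more, so a lone Run key write or download does not page anyone."""
    findings = (detect_persistence(events) + detect_shell(events)
                + detect_rundll32(events) + detect_tool_drop(events))
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    window, chains = timedelta(minutes=window_minutes), {}
    for host, fs in by_host.items():
        fs.sort(key=_ts)
        for anchor in fs:
            if anchor["technique"] not in ("T1547.001", "T1055.004"):
                continue
            techs = {f["technique"] for f in fs if abs(_ts(f) - _ts(anchor)) <= window}
            if len(techs) >= 3:
                chains[host] = sorted(techs)
                break
    return chains

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # WS01 escalates; WS02 produces no chain
```

Two design points carry over to real telemetry. The rundll32 rule is only a proxy: the APC queue write behind Early Bird injection never surfaces in a process-creation event, so an EDR sensor that reports thread or APC activity should replace it rather than sit beside it. And the chain threshold, not any single rule, is what keeps the allowlisted updater and the user-launched shell on WS02 from paging anyone; the individual rules are deliberately noisy so the correlation window can do the work.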

Mitigation priorities

  • Harden and monitor Windows persistence locations, especially Registry Run keys and Startup Folders.
  • Limit unnecessary command-shell access through least privilege, application control, and administrative policy where operationally feasible.
  • Ensure endpoint protection and EDR capabilities are configured to capture process-injection, process execution, file creation, and registry modification events.
  • Restrict and monitor unauthorized tool ingress through network controls, egress governance, and host-based file execution policy.
  • Prepare IR playbooks for backdoor investigations that include host isolation, persistence review, process tree analysis, credential exposure assessment, and scoping across similarly configured Windows systems.

Analyst notes and limits

The ATT&CK record identifies TURNEDUP as a non-public backdoor dropped by StoneDrill and links it to APT33 reporting. The relationship set supplies the most useful defensive context: process injection via APC, Windows command shell execution, system information discovery, ingress tool transfer, screen capture, and Run key or Startup Folder persistence. Glexia would treat this as a control-validation scenario for Windows backdoor tradecraft and SOC correlation, not as a standalone indicator package.

The supplied ATT&CK object has no official detection guidance, no aliases, no explicit tactics on the malware object, and only Windows listed as the malware platform. The related techniques include broader platform metadata, but platform conclusions for TURNEDUP should remain Windows-focused. Local telemetry, asset criticality, business sector, and incident evidence are required before making any claim about exposure, exploitation, attribution, or detection coverage.

Official MITRE ATT&CK definition

TURNEDUP

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

The same entry is hosted by MITRE on attack.mitre.org; the in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

6 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1055.004 | Asynchronous Procedure Call (sub-technique) | TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection." (Citation: CyberBit Early Bird Apr 2018)

Enterprise | T1113 | Screen Capture | TURNEDUP is capable of taking screenshots. (Citation: FireEye APT33 Sept 2017)

Enterprise | T1105 | Ingress Tool Transfer | TURNEDUP is capable of downloading additional files. (Citation: FireEye APT33 Sept 2017)

Enterprise | T1059.003 | Windows Command Shell (sub-technique) | TURNEDUP is capable of creating a reverse shell. (Citation: FireEye APT33 Sept 2017)

Enterprise | T1082 | System Information Discovery | TURNEDUP is capable of gathering system information. (Citation: FireEye APT33 Sept 2017)

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | TURNEDUP is capable of writing to a Registry Run key to establish. (Citation: CyberBit Early Bird Apr 2018)

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0064: APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: e30b2102f8d79f2d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | e30b2102f8d7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT33 Sept 2017: O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  2. [2] FireEye APT33 Webinar Sept 2017: Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
  3. [3] TURNEDUP: (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)
  4. [4] mitre-attack S0199

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.