S0200: Dipsind
Analyst context for executives and security teams
Dipsind is a Windows backdoor family that MITRE reports as used by PLATINUM. Its value to defenders is not the malware name but the behavior cluster it represents: Windows command execution, Winlogon-based persistence, HTTP command and control, base64-encoded and AES-encrypted C2 content, tool transfer, and transfers timed to working hours. For leaders, the question is whether endpoint, Winlogon persistence, and outbound network monitoring can reconstruct a backdoor intrusion, rather than only detect known malware files.
Executive priority
Treat Dipsind as a coverage-validation case for targeted Windows intrusions, especially where government or related-sector risk in South and Southeast Asia is relevant to the organization. The priority is to confirm that SOC and IR teams can prove or disprove persistence, command execution, external file transfer, and timed data movement using retained evidence. This supports incident decision-making, audit defensibility, and control prioritization around Windows endpoint visibility and egress monitoring.
Technical view
MITRE provides no official detection text for Dipsind, so teams should validate coverage through the related ATT&CK techniques: T1059.003 Windows Command Shell, T1547.004 Winlogon Helper DLL, T1071.001 Web Protocols, T1105 Ingress Tool Transfer, T1132.001 Standard Encoding, T1573.001 Symmetric Cryptography, and T1029 Scheduled Transfer. On Windows systems, prioritize visibility into cmd.exe process activity, parent/child process context, Winlogon registry locations, file creation or transfer events, and outbound web traffic patterns. Network analysis should account for encoded or encrypted C2 content where payload inspection may be limited.
Likely telemetry
- Windows endpoint process creation telemetry, especially cmd.exe execution with parent/child process context
- Windows registry monitoring for Winlogon helper DLL or related Winlogon persistence locations
- Endpoint file creation and modification events associated with transferred tools or payloads
- Proxy, web gateway, firewall, or network flow logs showing outbound HTTP/S or web-protocol communications
- Timing and volume metadata for recurring or scheduled outbound transfers
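The telemetry listed above only earns its keep when the sources are joined on process lineage. The following is an added example for this page, not code from the page, from MITRE, or from the PLATINUM reporting. It correlates constructed Sysmon-style events (EID 1 process create, EID 13 registry value set, EID 3 network connect) into alerts tagged with the technique IDs from the Technical view. The host names, file paths, Winlogon baseline, list of routine cmd.exe parents, web ports, and 15-minute window are all assumptions to replace with values from your own estate.

```python
"""Correlate Windows endpoint telemetry into Dipsind-style behaviour alerts.

Added example, not code from the page, from MITRE or from the PLATINUM
reporting. Event shapes loosely follow Sysmon (EID 1 process create,
EID 13 registry value set, EID 3 network connect). Sample events, host
names, paths and the Winlogon baseline are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed known-good values; build the real baseline from clean reference hosts.
WINLOGON_BASELINE = {
    WINLOGON_KEY + r"\Shell": "explorer.exe",
    WINLOGON_KEY + r"\Userinit": r"C:\Windows\system32\userinit.exe,",
}
# Parents from which an interactive cmd.exe is routine in this estate (assumption).
ROUTINE_CMD_PARENTS = {"explorer.exe", "powershell.exe", "windowsterminal.exe", "code.exe"}
WEB_PORTS = {80, 443, 8080}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"eid": 1, "ts": "2024-03-04T09:02:11", "host": "WS01", "pid": 4120, "ppid": 3300,
     "image": r"C:\Users\alice\AppData\Roaming\upd\svchost_upd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "svchost_upd.exe"},
    {"eid": 13, "ts": "2024-03-04T09:02:15", "host": "WS01", "pid": 4120,
     "target": WINLOGON_KEY + r"\Notify\upd\DLLName", "details": r"C:\Windows\System32\upd.dll"},
    {"eid": 1, "ts": "2024-03-04T09:03:40", "host": "WS01", "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\upd\svchost_upd.exe",
     "cmdline": "cmd.exe /c whoami & ipconfig /all"},
    {"eid": 3, "ts": "2024-03-04T09:03:52", "host": "WS01", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Roaming\upd\svchost_upd.exe", "dst": "203.0.113.10", "dport": 80},
    # Benign noise: an admin shell opened from Explorer, and a baseline-matching Winlogon write.
    {"eid": 1, "ts": "2024-03-04T10:15:00", "host": "WS02", "pid": 2000, "ppid": 1500,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"eid": 13, "ts": "2024-03-04T10:16:00", "host": "WS02", "pid": 2100,
     "target": WINLOGON_KEY + r"\Shell", "details": "explorer.exe"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window_s=900):
    """Return one alert per (host, pid) whose behaviour matches the technique cluster.

    Rules: a Winlogon value that differs from the baseline (T1547.004); cmd.exe
    spawned by a parent that is not a routine interactive parent (T1059.003,
    attributed to the spawning process, the likely implant); an outbound web
    connection (T1071.001). A web connection alone never alerts; it only adds
    context when the same process already has a persistence or shell hit
    within window_s seconds of the first such hit.
    """
    hits = defaultdict(list)  # (host, pid) -> [(technique, time, evidence)]
    for e in events:
        if e["eid"] == 13 and e["target"].startswith(WINLOGON_KEY):
            if WINLOGON_BASELINE.get(e["target"]) != e["details"]:
                hits[(e["host"], e["pid"])].append(("T1547.004", _ts(e), f'{e["target"]} = {e["details"]}'))
        elif e["eid"] == 1 and _base(e["image"]) == "cmd.exe" and _base(e["parent_image"]) not in ROUTINE_CMD_PARENTS:
            hits[(e["host"], e["ppid"])].append(("T1059.003", _ts(e), f'{e["cmdline"]} <- {_base(e["parent_image"])}'))
        elif e["eid"] == 3 and e["dport"] in WEB_PORTS:
            hits[(e["host"], e["pid"])].append(("T1071.001", _ts(e), f'{e["dst"]}:{e["dport"]}'))

    alerts = []
    for (host, pid), items in hits.items():
        anchors = sorted((i for i in items if i[0] != "T1071.001"), key=lambda i: i[1])
        if not anchors:
            continue  # web traffic with no endpoint corroboration: not an alert
        first = anchors[0][1]
        in_window = sorted((i for i in items if abs((i[1] - first).total_seconds()) <= window_s),
                           key=lambda i: i[1])
        alerts.append({"host": host, "pid": pid, "first_seen": first.isoformat(),
                       "techniques": sorted({i[0] for i in in_window}),
                       "evidence": [i[2] for i in in_window]})
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the implant process on WS01 produces a single alert carrying all three technique IDs, while the Explorer-spawned shell and the baseline-matching Shell value on WS02 produce nothing. Attributing the cmd.exe hit to the parent PID is the design choice that matters: it puts persistence, shell spawning, and the web connection on the same key, which is the reconstruction the Executive priority section asks for.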
Detection direction
- Do not rely on a Dipsind malware signature alone; validate behavior-based detections mapped to the related techniques.
- Tune Windows command-shell detections with context such as unusual parent processes, remote execution context, scripted activity, or follow-on network/file events to reduce routine administrative false positives.
- Monitor Winlogon persistence locations for unauthorized DLL or executable configuration changes; establish known-good baselines because legitimate software may also modify logon-related settings.
- Correlate outbound web traffic with endpoint process lineage where possible, since web-protocol C2 may blend into normal traffic.
- Look for recurring outbound transfer timing or volume anomalies that could indicate scheduled exfiltration, while accounting for legitimate backups, updates, and business data transfers.
Mitigation priorities
- Prioritize Windows endpoint hardening and monitoring around command execution and persistence-sensitive registry paths.
- Restrict and review administrative ability to modify Winlogon-related configuration where operationally feasible.
- Maintain egress controls and logging for outbound web traffic so command-and-control and transfer behaviors can be investigated.
- Ensure incident response playbooks collect endpoint process history, registry state, transferred files, and network flow/proxy evidence before containment actions remove volatile context.
- Use threat intelligence from the referenced PLATINUM reporting as context, but validate relevance against the organization’s geography, sector, and observed telemetry.
Analyst notes and limits
The object is a malware entry, not a technique, and MITRE lists no tactics directly on the malware. Defensive interpretation is therefore driven by the stated Windows platform and the supplied relationships to ATT&CK techniques. The PLATINUM relationship is included because MITRE states Dipsind appears to be used exclusively by PLATINUM; this should be treated as contextual intelligence, not proof of attribution in any local incident.
MITRE provides no official detection guidance for this object. The supplied data does not include indicators, hashes, infrastructure, procedures, or active exploitation claims. Local environment baselines and telemetry retention determine whether the recommended validation is practical.
Dipsind
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Dipsind can download remote files. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Dipsind encrypts C2 data with AES256 in ECB mode. [1] |
| Enterprise | T1547.004 | Winlogon Helper DLL (sub-technique) | A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence. [1] |
| Enterprise | T1029 | Scheduled Transfer | Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Dipsind can spawn remote shells. [1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | Dipsind encodes C2 traffic with base64. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Dipsind uses HTTP for C2. [1] |
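Three of the rows above describe what the C2 looks like on the wire: HTTP beacons confined to working hours (T1029, T1071.001), base64 wrapping (T1132.001), and AES-256 in ECB mode underneath (T1573.001). The following is an added example for this page, not code from the page, from MITRE, or from the PLATINUM reporting, showing two checks that follow from those rows: a per-(host, destination) beacon profile that scores regularity and working-hours confinement, and a request-body profile that decodes strict base64 and looks for 16-byte block alignment, high entropy, and repeated blocks (the ECB tell: equal plaintext blocks give equal ciphertext blocks). The proxy-style records, hosts, destinations, business hours, thresholds, and bodies are constructed; the high-entropy bytes come from a SHA-256 chain standing in for ciphertext, not from real AES.

```python
"""Network-side checks for Dipsind-like C2: periodic web beacons confined to
working hours (T1029 / T1071.001) and base64-wrapped, block-aligned,
high-entropy bodies (T1132.001 / T1573.001).

Added example, not code from the page or from MITRE. Hosts, destinations,
timestamps and bodies are constructed; thresholds are assumptions to tune.
"""
import base64
import binascii
import hashlib
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WORK_HOURS = (8, 18)  # assumed local business hours: start inclusive, end exclusive


def beacon_profile(records, min_count=6, regularity_min=0.8, jitter=0.10):
    """records: iterable of (iso_ts, host, dst). Returns a profile per (host, dst).

    regularity = share of inter-arrival gaps within +/-jitter of the median gap.
    in_hours   = share of connections inside WORK_HOURS.
    A regular beacon with in_hours == 1.0 across several days is the pattern
    the T1029 row describes; an 'off-hours traffic' rule will never see it,
    so the flag is driven by regularity, and in_hours is reported as context.
    """
    groups = defaultdict(list)
    for ts, host, dst in records:
        groups[(host, dst)].append(datetime.fromisoformat(ts))
    profiles = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_count - 1:
            profiles[key] = {"count": len(times), "flag": False}
            continue
        median = sorted(gaps)[len(gaps) // 2]
        regular = sum(abs(g - median) <= jitter * median for g in gaps) / len(gaps)
        in_hours = sum(WORK_HOURS[0] <= t.hour < WORK_HOURS[1] for t in times) / len(times)
        profiles[key] = {"count": len(times), "median_gap_s": median,
                         "regularity": round(regular, 3), "in_hours": round(in_hours, 3),
                         "days": len({t.date() for t in times}),
                         "flag": regular >= regularity_min}
    return profiles


def encoded_payload_profile(body, min_len=64):
    """Strictly decode base64 and characterise the bytes; None if not base64."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    counts = Counter(raw)
    entropy = -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts.values()) if raw else 0.0
    ceiling = min(8.0, math.log2(len(raw))) if len(raw) > 1 else 1.0  # max entropy for this length
    blocks = [raw[i:i + 16] for i in range(0, len(raw) - len(raw) % 16, 16)]
    repeats = len(blocks) - len(set(blocks))  # ECB: identical plaintext blocks repeat in ciphertext
    return {"length": len(raw), "block_aligned": len(raw) % 16 == 0,
            "entropy": round(entropy, 2), "repeated_blocks": repeats,
            "flag": len(raw) >= min_len and len(raw) % 16 == 0 and entropy >= 0.9 * ceiling}


def _sample_records():
    """Constructed proxy-log tuples: a 5-minute beacon with +/-15 s jitter that only
    runs 09:00-17:55, plus irregular user-driven traffic from a second host."""
    rng = random.Random(7)
    recs = []
    for day in ("2024-03-04", "2024-03-05"):
        t, end = datetime.fromisoformat(day + "T09:00:00"), datetime.fromisoformat(day + "T17:55:00")
        while t <= end:
            recs.append((t.isoformat(), "WS01", "203.0.113.10"))
            t += timedelta(seconds=300 + rng.randint(-15, 15))
    for ts in ("2024-03-04T08:12:00", "2024-03-04T11:47:30", "2024-03-04T13:05:10",
               "2024-03-04T16:30:00", "2024-03-05T09:40:00", "2024-03-05T14:22:45"):
        recs.append((ts, "WS02", "198.51.100.20"))
    return recs


def _pseudo_random(n):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed, not real AES)."""
    out, seed = b"", b"dipsind-example"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


SAMPLE_RECORDS = _sample_records()
SAMPLE_BODIES = {  # constructed request bodies
    "opaque": base64.b64encode(_pseudo_random(1024)).decode(),
    "opaque_with_repeat": base64.b64encode(_pseudo_random(1024) + _pseudo_random(16)).decode(),
    "form": base64.b64encode(b"user=alice&action=list").decode(),
    "json": '{"status": "ok"}',
}

if __name__ == "__main__":
    for key, prof in beacon_profile(SAMPLE_RECORDS).items():
        print(key, prof)
    for name, body in SAMPLE_BODIES.items():
        print(name, encoded_payload_profile(body))
```

On the sample, WS01 scores regularity above 0.99 with in_hours 1.0 over two days and is flagged; WS02 also has in_hours 1.0 but regularity 0.4, which is the point: business-hours confinement does not separate the two, periodicity does. On bodies, the opaque samples decode to 16-byte-aligned, near-maximal-entropy bytes and are flagged, the one with a duplicated block reports repeated_blocks 1, the base64 form post decodes to low-entropy text of unaligned length, and the JSON body is not base64 at all. Both checks are triage aids, not verdicts: compare flagged pairs against the process lineage from endpoint telemetry before acting.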
Groups, software, and campaigns
G0068: PLATINUM
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | ffb9dd572d07… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft PLATINUM April 2016: Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- [2] MITRE ATT&CK: mitre-attack S0200 (Dipsind).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.