S0202: adbupd
Analyst context for executives and security teams
adbupd matters because it is a Windows backdoor associated in ATT&CK with PLATINUM and linked to command execution, WMI-based persistence, and encrypted command-and-control behavior. For leaders, the decision value is not the malware name alone; it is whether the organization can prove it would notice a Windows host gaining stealthy persistence, executing commands through cmd.exe, and communicating over protected or hard-to-inspect channels.
Executive priority
Prioritize this as a resilience and evidence question: can security teams show reliable visibility into Windows persistence mechanisms, command-shell execution, and suspicious outbound communications? The ATT&CK record ties adbupd to targeted activity against government-related organizations in South and Southeast Asia, so organizations with similar exposure or regional relevance should ensure threat intelligence, incident response playbooks, and audit evidence cover these behaviors rather than relying on signature-only malware detection.
Technical view
SOC and IR teams should validate coverage around the ATT&CK relationships supplied for adbupd: T1059.003 Windows Command Shell for execution, T1546.003 WMI Event Subscription for persistence or privilege escalation, and T1573.002 Asymmetric Cryptography for command-and-control concealment. Because ATT&CK provides no official detection text for this malware, defenders should focus on behavior-level controls and telemetry: abnormal cmd.exe use, creation or modification of WMI filters/consumers/bindings, and suspicious outbound sessions that may not be easily inspected due to encryption.
Likely telemetry
- Windows process creation telemetry, especially cmd.exe parent/child process context and command-line arguments
- Windows Management Instrumentation telemetry covering event filters, consumers, providers, and bindings
- Endpoint detection and response alerts or host logs showing persistence-related changes
- Network connection metadata for unusual outbound destinations, timing, volume, or encrypted sessions
- Threat intelligence and case-management records mapping alerts to PLATINUM, adbupd, Dipsind similarity, or ATT&CK techniques T1059.003, T1546.003, and T1573.002
Detection direction
- Do not depend on an adbupd-specific signature alone; ATT&CK supplies no official detection guidance for this software entry.
- Validate detections for unusual Windows Command Shell execution, with tuning for legitimate administration scripts and software management activity.
- Hunt for WMI event subscription artifacts and changes, especially new or rare filters, consumers, and bindings on Windows systems.
- Use network metadata and destination reputation to identify suspicious encrypted command-and-control patterns, while acknowledging that asymmetric cryptography may limit payload inspection.
- Correlate host persistence signals, command execution, and outbound communications to reduce false positives from normal administrative activity.
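The correlation step above (cmd.exe telemetry joined with WMI filter/consumer/binding activity per host) as an added example; this code is not part of the page or of any MITRE or Glexia tooling. It works over constructed events shaped like Sysmon ID 1 (process create) and IDs 19, 20 and 21 (WMI filter, consumer and binding activity); the host names, command lines, parent allowlist and severity labels are assumptions to be tuned per estate.

```python
"""Correlate Windows Command Shell execution with WMI event subscription
artifacts per host. SAMPLE_EVENTS is constructed data, not real telemetry."""
from collections import defaultdict

# Sysmon event IDs for the two behaviours under discussion
PROCESS_CREATE = 1
WMI_FILTER, WMI_CONSUMER, WMI_BINDING = 19, 20, 21

# Processes that host WMI consumers: a cmd.exe child of these is the usual
# footprint of a CommandLine/ActiveScript consumer firing (assumed parent set)
WMI_HOST_PARENTS = {"wmiprvse.exe", "scrcons.exe"}

# Tuning hook for legitimate administration (constructed; tune per estate)
PARENT_ALLOWLIST = {"explorer.exe", "powershell.exe", "code.exe"}

SAMPLE_EVENTS = [  # constructed sample events
    # WS-01: filter + consumer + binding created, then cmd.exe under WmiPrvSE
    {"host": "WS-01", "id": WMI_FILTER, "op": "Created", "name": "UpdaterFilter",
     "query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"host": "WS-01", "id": WMI_CONSUMER, "op": "Created", "name": "UpdaterConsumer",
     "type": "CommandLine", "destination": "cmd.exe /c C:\\ProgramData\\upd.bat"},
    {"host": "WS-01", "id": WMI_BINDING, "op": "Created",
     "consumer": "UpdaterConsumer", "filter": "UpdaterFilter"},
    {"host": "WS-01", "id": PROCESS_CREATE, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c C:\\ProgramData\\upd.bat"},
    # WS-02: cmd.exe from an office application, no WMI artifacts
    {"host": "WS-02", "id": PROCESS_CREATE, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "cmd.exe /c whoami"},
    # SRV-03: a consumer created, nothing else; a later deletion is ignored
    {"host": "SRV-03", "id": WMI_CONSUMER, "op": "Created", "name": "SyncConsumer",
     "type": "ActiveScript", "destination": "(script body omitted)"},
    {"host": "SRV-03", "id": WMI_FILTER, "op": "Deleted", "name": "OldFilter", "query": ""},
    # WS-04: interactive cmd.exe from explorer.exe (allowlisted parent)
    {"host": "WS-04", "id": PROCESS_CREATE, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wmi_subscription_artifacts(events):
    """host -> list of (kind, label) for newly created filters, consumers, bindings."""
    kinds = {WMI_FILTER: "filter", WMI_CONSUMER: "consumer", WMI_BINDING: "binding"}
    hits = defaultdict(list)
    for e in events:
        if e["id"] in kinds and e.get("op") == "Created":
            label = e.get("name") or f'{e.get("filter")}->{e.get("consumer")}'
            hits[e["host"]].append((kinds[e["id"]], label))
    return dict(hits)


def classify_cmd(event):
    """'wmi_spawned', 'unusual_parent', or None for a process-create event."""
    if event["id"] != PROCESS_CREATE or basename(event["image"]) != "cmd.exe":
        return None
    parent = basename(event["parent"])
    if parent in WMI_HOST_PARENTS:
        return "wmi_spawned"
    if parent not in PARENT_ALLOWLIST:
        return "unusual_parent"
    return None  # allowlisted parent: tuned out as routine administration


def command_shell_hits(events):
    """host -> list of (verdict, command line) for cmd.exe executions of interest."""
    hits = defaultdict(list)
    for e in events:
        verdict = classify_cmd(e)
        if verdict:
            hits[e["host"]].append((verdict, e["cmdline"]))
    return dict(hits)


def correlate(events):
    """host -> severity. 'high' needs both persistence artifacts and a
    WMI-spawned shell; persistence alone is 'medium'; shell alone is 'low'."""
    wmi = wmi_subscription_artifacts(events)
    cmd = command_shell_hits(events)
    result = {}
    for host in sorted(set(wmi) | set(cmd)):
        verdicts = {v for v, _ in cmd.get(host, [])}
        if host in wmi and "wmi_spawned" in verdicts:
            result[host] = "high"
        elif host in wmi:
            result[host] = "medium"
        else:
            result[host] = "low"
    return result


if __name__ == "__main__":
    for host, severity in correlate(SAMPLE_EVENTS).items():
        print(host, severity)
```

Only WS-01 reaches "high", because it is the only host where a created filter, consumer and binding coincide with a cmd.exe whose parent is a WMI host process; SRV-03 surfaces as "medium" on the consumer creation alone, and WS-04's explorer.exe-launched shell is tuned out entirely. Deletion events are deliberately ignored since they remove rather than establish persistence.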
Mitigation priorities
- Establish and test Windows endpoint logging for process creation and WMI activity before relying on alerting outcomes.
- Restrict and monitor administrative use of cmd.exe and WMI where operationally feasible, using least privilege and change-control expectations.
- Maintain incident response procedures for suspected backdoor activity, including host isolation, persistence review, credential exposure assessment, and network scoping.
- Use threat intelligence to decide whether PLATINUM-related reporting is relevant to the organization’s geography, sector, partners, or mission.
- Document control coverage for command execution, persistence monitoring, and encrypted outbound traffic review as compliance and audit evidence where applicable.
Analyst notes and limits
The strongest defensive use of this ATT&CK object is behavior mapping. adbupd is described as a PLATINUM-used backdoor similar to Dipsind, with relationships to Windows Command Shell, WMI Event Subscription, and Asymmetric Cryptography. That gives defenders practical validation points even though the malware entry itself has sparse metadata and no official detection text.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not establish current activity, victim exposure, exploit method, full malware functionality, or guaranteed detection logic. Local telemetry, asset criticality, geography, sector exposure, and incident evidence are required to assess risk and coverage.
adbupd
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription (sub-technique) | adbupd can use a WMI script to achieve persistence. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | adbupd can run a copy of cmd.exe. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | adbupd contains a copy of the OpenSSL library to encrypt C2 traffic. [1] |
Groups, software, and campaigns
G0068: PLATINUM
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 064f34a79256… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft PLATINUM April 2016: Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
[2] adbupd (Citation: Microsoft PLATINUM April 2016)
[3] mitre-attack S0202
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.