
S0232: HOMEFRY

HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors. [1]

Enterprise · S0232 · Malware · Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

HOMEFRY matters because it is a Windows 64-bit password dumper/cracker: if present, the incident is no longer just about malware execution, but about potential credential exposure and follow-on access. ATT&CK links it to OS Credential Dumping, Windows Command Shell execution, and encrypted/encoded files, which makes identity containment, endpoint visibility, and incident scoping the practical decision points.

Executive priority

Treat this as a credential-risk and resilience issue, not only an endpoint malware issue. Leaders should ask whether Windows systems holding privileged or reusable credentials are monitored, whether incident response can rapidly reset or contain affected accounts, and whether audit evidence exists for credential protection, endpoint logging, and investigation coverage. The ATT&CK relationship to Leviathan adds threat-intelligence context, but local evidence is required before making attribution or exposure claims.

Technical view

HOMEFRY is documented by ATT&CK as malware for Windows and as using T1003 OS Credential Dumping, T1027.013 Encrypted/Encoded File, and T1059.003 Windows Command Shell. SOC and IR teams should validate visibility into suspicious credential access behavior on Windows, command-shell-driven execution, and file artifacts that may be encoded or encrypted to reduce static detection. Because ATT&CK provides no object-specific detection text, detections should be built from the related techniques and tested against local administrative tooling patterns to avoid over-alerting.

Likely telemetry

  • Windows endpoint process creation and command-line logging
  • Windows security events related to logon activity, privilege use, and account access
  • EDR telemetry for credential access indicators and suspicious access to credential material
  • File creation, modification, and execution metadata for unusual binaries or encoded/encrypted artifacts
  • PowerShell/cmd.exe parent-child process relationships where command shell activity launches or supports suspicious tools

Detection direction

  • Map coverage to T1003, T1059.003, and T1027.013 rather than relying on a HOMEFRY-specific signature alone.
  • Hunt for credential-dumping behavior on Windows systems, especially where command shell activity precedes or accompanies suspicious binaries.
  • Review encoded or encrypted file artifacts that appear in malware staging or execution paths, while accounting for legitimate encrypted archives and administrative packaging tools.
  • Tune detections against known IT administration, backup, security testing, and troubleshooting activity to reduce false positives.
  • Correlate endpoint findings with identity telemetry to determine whether credential material may have enabled additional access.

Mitigation priorities

  • Prioritize credential hygiene: reduce credential reuse, limit standing privilege, and ensure rapid password/key rotation procedures are available during incidents.
  • Harden and monitor Windows endpoints where privileged credentials may be present.
  • Restrict unnecessary command shell use where feasible and ensure administrative shell activity is logged and reviewable.
  • Maintain endpoint protection and EDR coverage capable of observing process, file, and credential-access behavior.
  • Prepare IR playbooks that combine host containment with identity containment, including account review and reset decisions.

Analyst notes and limits

The most decision-relevant point is the relationship between HOMEFRY and credential dumping. A suspected HOMEFRY finding should trigger questions about which accounts were exposed, whether privileges can be contained quickly, and whether the organization can reconstruct command execution and file activity on affected Windows hosts.

ATT&CK does not provide HOMEFRY-specific detection guidance, tactics are not specified on the malware object, and aliases are not listed. The available record supports Windows platform scope, password dumper/cracker functionality, and relationships to three techniques plus Leviathan usage; it does not support claims of current activity, customer exposure, guaranteed detection, or attribution in a specific incident without local evidence.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1003 | OS Credential Dumping | HOMEFRY can perform credential dumping. (Citation: FireEye Periscope March 2018)
Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Some strings in HOMEFRY are obfuscated with XOR x56. (Citation: FireEye Periscope March 2018)
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | HOMEFRY uses a command-line interface. (Citation: FireEye Periscope March 2018)
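The T1027.013 row above says some HOMEFRY strings are obfuscated with XOR x56 (key byte 0x56). As an added example, not code from the page, MITRE or the FireEye report, the following shows the two defender-side operations that note implies: recovering readable strings from a blob by XORing with the key, and locating a known plaintext token in its obfuscated form, which is the byte pattern a static rule for this scheme would have to match. The sample blob is constructed here and is not from any real binary.

```python
"""Recover and locate single-byte-XOR obfuscated strings in a binary blob.

Added example, not code from the page, MITRE or the FireEye report. The key
0x56 is the value in the HOMEFRY relationship note; the sample blob is
constructed here and is not taken from any real binary."""
import string

# Visible ASCII plus space; tabs/newlines excluded so junk bytes end a run.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    call both obfuscates a plaintext and recovers it."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, key: int = 0x56, min_len: int = 6):
    """Return (offset, text) for every run of at least min_len printable
    bytes that appears once the blob has been XORed with key."""
    decoded = xor_bytes(blob, key) + b"\x00"  # sentinel closes a final run
    hits, start = [], None
    for i, b in enumerate(decoded):
        if b in PRINTABLE:
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_len:
            hits.append((start, decoded[start:i].decode("ascii")))
        start = None
    return hits


def find_obfuscated_token(blob: bytes, token: bytes, key: int = 0x56):
    """Locate a known plaintext token in its XORed form without decoding the
    whole blob: xor_bytes(token, key) is the byte pattern a static rule for
    this obfuscation scheme would match on."""
    pattern, offsets, pos = xor_bytes(token, key), [], 0
    while (pos := blob.find(pattern, pos)) != -1:
        offsets.append(pos)
        pos += 1
    return offsets


# Constructed sample: two plaintext strings between non-printable filler,
# with the whole layout obfuscated using the key from the page.
_LAYOUT = b"\x00\xff\x13cmd.exe\x01\x02\x7f\x80password\x9a\x00"
SAMPLE = xor_bytes(_LAYOUT, 0x56)

if __name__ == "__main__":
    for off, text in find_xor_strings(SAMPLE):
        print(f"0x{off:04x}: {text}")
```

Running a plain strings scan on SAMPLE (key 0) yields only XORed garbage, which is why the decode step is needed before string-based triage or rule writing.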

Associated objects

Groups, software, and campaigns

Group Enterprise

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 3754172da3e70701...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 3754172da3e7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye Periscope March 2018. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  2. [2] HOMEFRY. (Citation: FireEye Periscope March 2018)
  3. [3] mitre-attack S0232.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.