
S0243: DealersChoice

DealersChoice is a Flash exploitation framework used by APT28. [1]

Domain: Enterprise | ID: S0243 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DealersChoice matters because it represents a client-side Flash exploitation framework on Windows, with ATT&CK relationships showing follow-on execution through Windows Command Shell and command-and-control over web protocols. For leaders, the practical issue is not the malware name alone; it is whether the organization still has legacy client software exposure, Windows endpoint visibility, and web traffic monitoring strong enough to support rapid triage if suspicious client exploitation is suspected.

Executive priority

Prioritize this as a resilience and readiness question around legacy software risk, endpoint execution visibility, and web egress governance. Security leaders should ask: where could Flash or similar client-side attack surface still exist, are Windows endpoints instrumented to show exploit-to-shell behavior, and can SOC/IR teams distinguish normal web traffic from suspicious command-and-control patterns? The APT28 relationship increases threat-intelligence relevance, but the supplied ATT&CK fields do not by themselves establish current targeting or local exposure.

Technical view

Defenders should validate coverage against the related behaviors: T1203 Exploitation for Client Execution, T1059.003 Windows Command Shell, and T1071.001 Web Protocols. On Windows, focus on evidence of a client application or document/browser-related process spawning cmd.exe or other command-line execution, followed by outbound web-protocol communication. Because ATT&CK provides no official detection text for this software entry, detection engineering should be behavior-led rather than name-led, using endpoint process lineage, network egress records, and vulnerability/asset context for systems that may retain Flash-related exposure.

Likely telemetry

  • Windows endpoint process creation and parent-child process lineage, especially client applications spawning cmd.exe
  • Command-line arguments and shell execution logs for Windows Command Shell activity
  • EDR telemetry for exploit-triggered process creation or unusual child processes from client applications
  • Web proxy, firewall, DNS, and network metadata for outbound HTTP/S or other web-protocol communications
  • Asset and vulnerability inventory showing whether Flash or legacy client-side software is present on Windows systems

Detection direction

  • Validate behavior-based detections for client application exploitation leading to command shell execution rather than relying on a DealersChoice signature alone.
  • Tune alerts around unusual parent processes launching cmd.exe, while accounting for legitimate administrative tools and software updaters that may generate false positives.
  • Correlate Windows shell execution with near-time outbound web traffic to external destinations to cover the T1059.003 and T1071.001 relationship context.
  • Confirm proxy and endpoint logs retain enough detail to reconstruct process-to-network activity during incident response.
  • Use threat-intelligence context for APT28 carefully: it can support prioritization and hunting hypotheses, but should not be treated as attribution without local evidence.
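One behaviour-led way to express the chain described in the technical view and detection direction above, added here as an example and not code from MITRE, Glexia or the Sofacy DealersChoice report: a small Python correlator that runs over constructed, Sysmon-shaped process-creation and network-connection records. It flags a shell spawned by a client application (T1203 leading to T1059.003) and raises severity when that shell, or the client process that spawned it, opens an outbound web-protocol connection to an external address within a short window (T1071.001). The parent-process list, port list, five-minute window, internal-range list and field names are assumptions to tune locally; the sample models a Word process as the client application, in keeping with the document/browser-related framing above, and uses documentation IP ranges as stand-ins for external destinations.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Client applications that should rarely spawn a shell on an end-user workstation.
# Assumption: tune to the estate (add in-house viewers, remove anything that
# legitimately scripts through cmd.exe).
CLIENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "acrord32.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_PORTS = {80, 443, 8080, 8443}
WINDOW = timedelta(minutes=5)          # "near-time" correlation window (assumption)
# Crude internal-range list (assumption). Documentation ranges such as 203.0.113.0/24
# are deliberately not listed so they can stand in for external C2 in the sample data.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ProcEvent:
    """Process-creation record, simplified Sysmon Event ID 1 shape (assumed field names)."""
    ts: datetime
    host: str
    pid: int
    image: str
    parent_image: str
    parent_pid: int
    cmdline: str


@dataclass
class NetEvent:
    """Network-connection record, simplified Sysmon Event ID 3 shape (assumed field names)."""
    ts: datetime
    host: str
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True unless the destination falls inside one of INTERNAL_NETS."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(procs, nets, window=WINDOW):
    """Alert on shells spawned by client applications (T1203 -> T1059.003).

    Severity is 'medium' for the spawn alone and 'high' when, within the window,
    the shell or the client process that spawned it opens an outbound web-protocol
    connection to an external address (T1071.001)."""
    alerts = []
    for p in procs:
        if basename(p.image) not in SHELLS or basename(p.parent_image) not in CLIENT_PARENTS:
            continue
        alert = {"host": p.host, "parent": basename(p.parent_image), "shell": basename(p.image),
                 "pid": p.pid, "cmdline": p.cmdline, "severity": "medium", "c2_candidate": None}
        for n in nets:
            if (n.host == p.host and n.pid in (p.pid, p.parent_pid)
                    and n.dst_port in WEB_PORTS and is_external(n.dst_ip)
                    and p.ts <= n.ts <= p.ts + window):
                alert["severity"] = "high"
                alert["c2_candidate"] = f"{n.dst_ip}:{n.dst_port}"
                break
        alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs). T0 is an arbitrary timestamp.
T0 = datetime(2024, 3, 1, 10, 0, 0)
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_PROCS = [
    # Document process spawns a shell and the shell talks out: the full chain.
    ProcEvent(T0, "WS01", 4120, CMD, OFFICE, 4100, "cmd.exe /c run.bat"),
    # Shell from Explorer: ordinary user action, outside this detection's scope.
    ProcEvent(T0, "WS02", 5000, CMD, r"C:\Windows\explorer.exe", 4990, "cmd.exe"),
    # Browser spawns a shell, but only internal or late traffic follows: medium only.
    ProcEvent(T0 + timedelta(hours=1), "WS03", 6100, CMD, CHROME, 6000, "cmd.exe /c whoami"),
]
SAMPLE_NETS = [
    NetEvent(T0 + timedelta(seconds=30), "WS01", 4120, CMD, "203.0.113.10", 80),
    NetEvent(T0 + timedelta(seconds=5), "WS02", 5000, CMD, "203.0.113.20", 443),
    NetEvent(T0 + timedelta(hours=1, seconds=10), "WS03", 6100, CMD, "10.0.0.5", 443),
    NetEvent(T0 + timedelta(hours=2), "WS03", 6100, CMD, "198.51.100.7", 443),  # past window
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_PROCS, SAMPLE_NETS):
        print(a)
```

Run against the sample, WS01 produces a high-severity alert naming 203.0.113.10:80 as the candidate C2, WS03 produces a medium alert with no destination (its external connection falls outside the window), and WS02 produces nothing because Explorer is not on the client-parent list. The medium tier is where the false-positive tuning in the list above belongs: software updaters and administrative tooling that spawn cmd.exe should be excluded by parent image or command line, not by dropping the rule.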

Mitigation priorities

  • Inventory and reduce exposure to Flash or other legacy client-side software where business processes still depend on it.
  • Maintain patch and vulnerability management for client applications that can be exploited for code execution.
  • Apply least privilege and endpoint hardening to reduce the impact of successful client-side execution.
  • Restrict and monitor web egress so command-and-control over common web protocols is harder to hide in normal traffic.
  • Ensure SOC playbooks cover the sequence of suspected client exploit, shell execution, and web-based command-and-control investigation.

Analyst notes and limits

This take is based on the official ATT&CK software object for DealersChoice, its description as a Flash exploitation framework used by APT28, and the supplied relationships to Windows Command Shell, Web Protocols, and Exploitation for Client Execution. The most useful defensive framing is a coverage review across legacy client exposure, Windows endpoint execution telemetry, and web egress monitoring.

ATT&CK provides no official detection guidance, no malware tactics on the object itself, no aliases, and no indicators in the supplied fields. The relationship context supports defensive hypotheses but does not prove current activity, exploitation, attribution, or customer exposure. Local asset inventory, vulnerability data, endpoint telemetry, and network logs are required to determine relevance.

Official MITRE ATT&CK definition

DealersChoice

DealersChoice is a Flash exploitation framework used by APT28. [1]

The same entry is published on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim's machine. [1]
Enterprise | T1203 | Exploitation for Client Execution | DealersChoice leverages vulnerable versions of Flash to perform execution. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | DealersChoice uses HTTP for communication with the C2 server. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: c648fce3b35e7876...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | c648fce3b35e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Sofacy DealersChoice. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  2. [2] DealersChoice (Citation: Sofacy DealersChoice); refers to the same source as [1].
  3. [3] mitre-attack S0243. MITRE ATT&CK software entry S0243, attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.