S0248: yty
Analyst context for executives and security teams
yty is a Windows malware framework described by ATT&CK as modular and plugin-based. Its business significance is less about one fixed behavior and more about flexibility: a plugin framework can support discovery, collection, credential capture, persistence, command-and-control, and evasion behaviors depending on what components are deployed. For leaders, that means readiness should be measured across the intrusion lifecycle, not only by whether a single malware signature is blocked.
Executive priority
Prioritize validation of endpoint visibility, Windows persistence monitoring, and incident response playbooks for modular malware. The ATT&CK relationships show behaviors that can expose sensitive local data, user activity, credentials entered through the keyboard, screenshots, host and network context, and external bidirectional communications. Executives should ask whether SOC evidence is sufficient to reconstruct what was discovered, what was collected, how persistence was established, and whether C2 traffic used legitimate web services that may be harder to distinguish from normal business traffic.
Technical view
ATT&CK provides no official detection text for yty, so defenders should build coverage from the related techniques. On Windows, validate monitoring for Scheduled Task creation or modification, process and command execution associated with discovery, file and directory enumeration, local data access, keylogging indicators, screen capture activity, packed or obfuscated binaries, sandbox or system-check behavior, and outbound bidirectional web-service communications. Because the malware is described as modular and plugin-based, detection engineering should correlate multiple weak signals across execution, persistence, discovery, collection, credential-access, command-and-control, and defense-evasion behaviors rather than relying only on static file signatures.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Task Scheduler events and task registration artifacts
- File system access and directory enumeration evidence
- Local data access patterns involving user files, configuration files, databases, or other sensitive local sources
- User, process, system, network configuration, remote system, and local storage discovery telemetry
Detection direction
- Start with behavioral detections mapped to the related techniques instead of a single yty indicator set, because ATT&CK does not provide official detection guidance.
- Correlate Scheduled Task activity with nearby file writes, process launches, discovery commands, or suspicious child processes on Windows endpoints.
- Tune discovery detections for abnormal combinations of user, process, file, directory, system, network, remote host, and storage enumeration, while accounting for legitimate administration and inventory tooling.
- Review web egress for unusual bidirectional use of legitimate external web services, especially from endpoints that also show discovery or collection behavior.
- Treat packing, junk code, and system-check behavior as triage accelerators rather than standalone proof of compromise, since benign and commercial software may also be packed or environment-aware.
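The correlation approach described in the Technical view and the Detection direction list above, as an added worked example rather than anything taken from ATT&CK or from yty analysis: a small Python detector that groups constructed endpoint events per host, looks for a scheduled-task registration, counts the distinct discovery categories seen within a time window around it (ignoring commands launched by sanctioned inventory tooling), and raises the severity when the same host also talks to a legitimate external web service. The discovery command strings, the inventory-agent parent name, and the event format are assumptions chosen for illustration; only the Google Docs destination comes from the page.

```python
"""Correlate weak per-host signals around scheduled-task persistence.

Added detection sketch for this page; the events are constructed and the
command-to-category mapping is a generic Windows assumption, not a statement
of which commands yty itself runs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Generic Windows built-ins commonly associated with each ATT&CK discovery
# category named on the page (assumption: illustrative, not yty-specific).
DISCOVERY_HINTS = {
    "system": ("systeminfo",),
    "process": ("tasklist",),
    "network": ("ipconfig",),
    "user": ("whoami",),
    "remote": ("net view",),
    "storage": ("wmic logicaldisk",),
}

# Legitimate external services whose bidirectional use from an endpoint that
# also shows discovery deserves review. docs.google.com is from the page; the
# second entry is a constructed placeholder.
WEB_SERVICE_HOSTS = {"docs.google.com", "paste.example-service.test"}

# Parent processes of sanctioned inventory tooling (constructed name) whose
# discovery commands should not count toward an alert.
BENIGN_DISCOVERY_PARENTS = {"inventory_agent.exe"}


def classify_discovery(cmd: str) -> Optional[str]:
    """Return the discovery category a command line hints at, or None."""
    lowered = cmd.lower()
    for category, needles in DISCOVERY_HINTS.items():
        if any(n in lowered for n in needles):
            return category
    return None


def correlate(events, window_minutes=30):
    """Return one finding per task registration that sits within +/- window of
    at least two distinct discovery categories on the same host.

    Event dicts carry ts (datetime), host, kind and kind-specific fields:
    process -> cmd, parent; task_created -> task_name; netconn -> dest.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    window = timedelta(minutes=window_minutes)
    findings = []
    for host, evs in by_host.items():
        for task in (e for e in evs if e["kind"] == "task_created"):
            lo, hi = task["ts"] - window, task["ts"] + window
            nearby = [e for e in evs if lo <= e["ts"] <= hi and e is not task]
            categories = set()
            for e in nearby:
                if e["kind"] != "process" or e.get("parent") in BENIGN_DISCOVERY_PARENTS:
                    continue
                cat = classify_discovery(e["cmd"])
                if cat:
                    categories.add(cat)
            egress = sorted({e["dest"] for e in nearby
                             if e["kind"] == "netconn" and e["dest"] in WEB_SERVICE_HOSTS})
            if len(categories) < 2:
                continue  # a lone task registration is not enough on its own
            findings.append({
                "host": host,
                "task_name": task["task_name"],
                "discovery": sorted(categories),
                "web_service_egress": egress,
                "severity": "high" if egress else "medium",
            })
    return findings


def sample_events():
    """Constructed telemetry for three hosts; not real yty data."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    return [
        # HOST-A: discovery burst, task registration, then Google Docs egress
        {"ts": at(0), "host": "HOST-A", "kind": "process", "cmd": "whoami", "parent": "update.exe"},
        {"ts": at(1), "host": "HOST-A", "kind": "process", "cmd": "systeminfo", "parent": "update.exe"},
        {"ts": at(2), "host": "HOST-A", "kind": "process", "cmd": "tasklist /v", "parent": "update.exe"},
        {"ts": at(3), "host": "HOST-A", "kind": "task_created", "task_name": "Updater"},
        {"ts": at(5), "host": "HOST-A", "kind": "netconn", "dest": "docs.google.com"},
        # HOST-B: sanctioned inventory agent runs the same commands, plus a task
        {"ts": at(0), "host": "HOST-B", "kind": "process", "cmd": "systeminfo", "parent": "inventory_agent.exe"},
        {"ts": at(1), "host": "HOST-B", "kind": "process", "cmd": "ipconfig /all", "parent": "inventory_agent.exe"},
        {"ts": at(2), "host": "HOST-B", "kind": "task_created", "task_name": "Inventory"},
        # HOST-C: task registered two hours after discovery, outside a 30-minute window
        {"ts": at(0), "host": "HOST-C", "kind": "process", "cmd": "whoami", "parent": "cmd.exe"},
        {"ts": at(1), "host": "HOST-C", "kind": "process", "cmd": "ipconfig", "parent": "cmd.exe"},
        {"ts": at(120), "host": "HOST-C", "kind": "task_created", "task_name": "Cleanup"},
    ]


if __name__ == "__main__":
    for finding in correlate(sample_events()):
        print(finding)
```

With the default 30-minute window only HOST-A alerts (three discovery categories plus web-service egress, so severity high); HOST-B is suppressed by the benign-parent allow-list, and HOST-C's task falls outside the window. Widening the window to 180 minutes surfaces HOST-C at medium severity, which is the tuning trade-off the Detection direction list refers to: longer windows catch slower operators at the cost of more benign correlations.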
Mitigation priorities
- Maintain strong endpoint prevention and monitoring on Windows systems, with emphasis on execution control, suspicious task scheduling, and malware behavior analytics.
- Harden and audit Windows Task Scheduler usage so unauthorized persistence is easier to prevent or investigate.
- Limit unnecessary local access to sensitive files and reduce credential exposure on endpoints where practical.
- Apply least privilege so malware running in a user context has reduced ability to collect broader system, user, and network information.
- Control and monitor outbound web access, including legitimate web services that could be abused for bidirectional command-and-control.
Analyst notes and limits
The supplied ATT&CK object identifies yty as a modular, plugin-based malware framework and links it to multiple techniques, including local data collection, discovery, scheduled task persistence/execution, keylogging, screen capture, obfuscation, system checks, and bidirectional web-service C2. This supports a defense strategy centered on behavior correlation and forensic reconstruction. The object itself lists Windows as the platform; related techniques may include additional platforms, but platform-specific coverage claims for yty should remain Windows-focused unless local intelligence supports more.
ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics for the malware object. The source material provided is limited to the ATT&CK fields, one external report reference, and technique relationships. This summary does not establish current activity, attribution, prevalence, customer exposure, or guaranteed detection coverage. Local telemetry, malware samples, and environment-specific baselines are required to operationalize detections safely.
yty
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | yty gathers the serial number of the main disk volume. (Citation: ASERT Donot March 2018) |
| Enterprise | T1083 | File and Directory Discovery | yty gathers information on victim’s drives and has a plugin for document listing. (Citation: ASERT Donot March 2018) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | yty establishes persistence by creating a scheduled task with the command |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | yty communicates to the C2 server by retrieving a Google Doc. (Citation: ASERT Donot March 2018) |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | yty contains junk code in its binary, likely to confuse malware analysts. (Citation: ASERT Donot March 2018) |
| Enterprise | T1018 | Remote System Discovery | yty uses the |
| Enterprise | T1005 | Data from Local System | yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server. (Citation: ASERT Donot March 2018) |
| Enterprise | T1497.001 | System Checks Sub-technique | yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. (Citation: ASERT Donot March 2018) |
| Enterprise | T1057 | Process Discovery | yty gets an output of running processes using the |
| Enterprise | T1033 | System Owner/User Discovery | yty collects the victim’s username. (Citation: ASERT Donot March 2018) |
| Enterprise | T1082 | System Information Discovery | yty gathers the computer name, CPU information, Microsoft Windows version, and runs the command |
| Enterprise | T1056.001 | Keylogging Sub-technique | yty uses a keylogger plugin to gather keystrokes. (Citation: ASERT Donot March 2018) |
| Enterprise | T1113 | Screen Capture | yty collects screenshots of the victim machine. (Citation: ASERT Donot March 2018) |
| Enterprise | T1027.002 | Software Packing Sub-technique | yty packs a plugin with UPX. (Citation: ASERT Donot March 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | yty runs |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | f59d8d98d4d0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ASERT Donot March 2018: Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- [2] mitre-attack: S0248
- [3] yty (Citation: ASERT Donot March 2018)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.