S0255: DDKONG
Analyst context for executives and security teams
DDKONG matters because ATT&CK links it to a targeted Rancor campaign and to behaviors that can support discovery, tool transfer, decoding of hidden content, and proxy execution through rundll32. For leaders, the decision value is not the malware name alone; it is whether the organization can prove it would see the surrounding behaviors that often determine scope, containment, and evidence quality during a targeted intrusion investigation.
Executive priority
Treat DDKONG as a prompt to validate readiness for targeted malware cases rather than as a standalone risk claim. Priority questions: can the SOC identify suspicious file and directory enumeration, unexpected inbound tool transfer, decoding or deobfuscation activity, and suspicious rundll32 execution; can IR teams reconstruct what was transferred and executed; and can compliance or audit stakeholders show that endpoint and network evidence is retained long enough to support investigation decisions?
Technical view
ATT&CK provides no official detection text and no platform list for the DDKONG malware object. The usable defensive context comes from relationships: Rancor uses DDKONG, and DDKONG is associated with File and Directory Discovery, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, and Rundll32. SOC and detection teams should validate coverage around these behaviors, especially process execution context, file creation/modification, external transfer activity, and rundll32 command-line/module loading where Windows telemetry is in scope.
Likely telemetry
- Endpoint process execution events, including command line, parent process, user, and working directory
- File system events showing enumeration, creation, modification, or dropped tools
- Network connection and transfer logs that can support ingress tool transfer investigation
- Script, utility, or process activity consistent with decoding or deobfuscation of files or content
- Windows rundll32 execution telemetry, including DLL path, export/function arguments, and parent-child process lineage where Windows hosts are monitored
Detection direction
- Do not depend on the malware name alone; ATT&CK supplies no official DDKONG detection guidance.
- Validate behavior-based detections for file and directory discovery, with tuning for legitimate administrative, backup, indexing, and monitoring activity.
- Review ingress tool transfer visibility across endpoint and network controls; confirm analysts can distinguish expected software distribution from unusual external or post-compromise transfers.
- Tune deobfuscation/decode detections for suspicious context, such as unusual parent processes, unexpected destinations, or activity near downloaded artifacts.
- For environments with Windows telemetry, scrutinize rundll32 executions with unusual DLL locations, uncommon arguments, suspicious parents, or network-adjacent activity; account for legitimate rundll32 usage to reduce false positives.
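The rundll32 item above can be turned into a concrete triage pass over process-creation telemetry. The Python below is an added example, not code from this page, MITRE or Unit 42: the record field names (image, command_line, parent_image, user) are assumptions modelled on a generic EDR or Sysmon process-creation event, the trusted-directory, staging-directory and suspicious-parent lists are starting points to tune per estate rather than vetted allowlists, and the sample events are constructed.

```python
"""Triage of rundll32 process-creation events for the detection points above.

Added example, not code from this page, MITRE or Unit 42. Record field names
(image, command_line, parent_image, user) are assumptions modelled on a generic
EDR / Sysmon process-creation event; the reference lists below are starting
points to tune per estate, and the sample events are constructed."""

import re
from pathlib import PureWindowsPath

# Directories from which legitimate rundll32 DLL loads usually originate (assumption).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Locations where downloaded or dropped tools commonly land (assumption).
STAGING_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp", r"\appdata")

# Parents that rarely have a legitimate reason to spawn rundll32 (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

# First token (quoted or bare) is the rundll32 image; the second token is the DLL,
# with ",Export" either glued to it or following as the start of the tail.
FIRST_ARG_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s*(?:"(?P<q>[^"]*)"|(?P<u>\S+))?(?P<tail>.*)$')


def parse_rundll32_cmdline(command_line):
    """Return (dll_path, export_name); either is None when absent or unparseable."""
    m = FIRST_ARG_RE.match(command_line)
    if not m or (m.group("q") is None and m.group("u") is None):
        return None, None
    token = m.group("q") if m.group("q") is not None else m.group("u")
    tail = m.group("tail").lstrip()
    export = None
    if "," in token:
        token, export = token.split(",", 1)
    elif tail.startswith(","):
        rest = tail[1:].split()
        export = rest[0] if rest else None
    return token.strip(), (export or None)


def triage_rundll32_event(event):
    """Score one process-creation event; returns (score, reasons). 0 = nothing notable."""
    reasons = []
    image = event.get("image", "").lower()
    if PureWindowsPath(image).name != "rundll32.exe":
        return 0, reasons
    dll, export = parse_rundll32_cmdline(event.get("command_line", ""))
    if dll is None:
        reasons.append("rundll32 launched without a DLL argument")
    else:
        dll_l = dll.lower()
        if not dll_l.startswith(TRUSTED_DLL_DIRS):
            reasons.append(f"DLL outside trusted directories: {dll}")
        if any(s in dll_l for s in STAGING_DIRS):
            reasons.append("DLL in a user, ProgramData or temp staging location")
        if export is None:
            # DllMain still runs when no export is named, so this pattern is worth a look.
            reasons.append("no export name supplied")
    parent = PureWindowsPath(event.get("parent_image", "").lower()).name
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"suspicious parent process: {parent}")
    return len(reasons), reasons


def triage_events(events, threshold=2):
    """Return events whose score meets the threshold, each with its reasons."""
    hits = []
    for e in events:
        score, reasons = triage_rundll32_event(e)
        if score >= threshold:
            hits.append({"command_line": e["command_line"], "score": score, "reasons": reasons})
    return hits


# Constructed events: one routine Control Panel launch, two that warrant review.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll",
     "parent_image": r"C:\Windows\explorer.exe", "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" "C:\Users\jdoe\AppData\Local\Temp\update.dll",Start',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\ProgramData\svc.dll",
     "parent_image": r"C:\Windows\System32\wscript.exe", "user": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["score"], hit["command_line"])
        for r in hit["reasons"]:
            print("   -", r)
```

The score is a count of independent reasons rather than a weighted model, so the threshold is easy to reason about during tuning: the routine shell32.dll launch scores 0, the Office-spawned DLL in a Temp directory scores 3, and the script-host-spawned DLL with no export scores 4. Legitimate business use of rundll32 that trips one of the lists belongs in the lists themselves, not in a raised threshold.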
Mitigation priorities
- Prioritize telemetry completeness and retention for endpoint process, file, and network transfer evidence before relying on high-confidence alerting.
- Harden execution controls and monitoring around trusted binaries such as rundll32 where applicable, while documenting legitimate business use.
- Restrict unnecessary external file transfer paths and monitor approved transfer mechanisms for abnormal use.
- Ensure incident response playbooks include collection of transferred files, decoded artifacts, process lineage, and discovery activity timelines.
- Use threat intelligence from the cited Rancor reporting to inform hunting hypotheses, not as proof of exposure or compromise.
Analyst notes and limits
The ATT&CK object is sparse: DDKONG is described as a malware sample first seen in February 2017 and part of a Rancor campaign. The strongest defensive value comes from the related techniques rather than from object-level detection guidance. The Rancor description notes targeted campaigns against Southeast Asia using politically motivated lures, which may help intelligence teams prioritize contextual research, but local targeting and exposure must be established independently.
No official detection text, aliases, labels, malware platform list, or object-level tactics are supplied. Technique platform lists are generic to the techniques and should not be treated as confirmed DDKONG platform coverage. This summary does not claim active exploitation, current targeting, attribution in any incident, or guaranteed detectability.
DDKONG
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | DDKONG downloads and uploads files on the victim’s machine. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DDKONG decodes an embedded configuration using XOR. [1] |
| Enterprise | T1218.011 | Rundll32 (sub-technique of T1218) | DDKONG uses Rundll32 to ensure only a single instance of itself is running at once. [1] |
| Enterprise | T1083 | File and Directory Discovery | DDKONG lists files on the victim’s machine. [1] |
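The T1140 row says DDKONG decodes an embedded configuration with XOR; an analyst who meets a similar blob usually wants to recover the key and parse what it hides. The Python below is an added example, not code from this page, MITRE or Unit 42. It assumes a single-byte XOR key, which is an assumption for illustration and not a statement about the real sample, and the blob, the key 0x5A and the host/port/sleep key=value layout are all constructed here.

```python
"""Analyst helper for the T1140 row above: recover a single-byte XOR key from a
blob believed to hold an embedded configuration, then parse the result.

Added example, not DDKONG's, MITRE's or Unit 42's code. The blob, the key
(0x5A) and the key=value layout are constructed; single-byte XOR is an
assumption for illustration, not a claim about the real sample."""

import string

PRINTABLE = set(string.printable.encode())  # ASCII letters, digits, punctuation, whitespace


def xor_bytes(data, key):
    """XOR every byte of data with the single-byte key (applying it twice restores data)."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf):
    """Share of bytes that are printable ASCII; 1.0 means fully printable."""
    if not buf:
        return 0.0
    return sum(1 for b in buf if b in PRINTABLE) / len(buf)


def rank_single_byte_keys(blob):
    """Try all 256 keys and return (ratio, key, plaintext) tuples, best ratio first."""
    candidates = []
    for key in range(256):
        pt = xor_bytes(blob, key)
        candidates.append((printable_ratio(pt), key, pt))
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return candidates


def recover_config(blob, marker):
    """Pick the best-ranked candidate whose plaintext contains an expected marker.

    Printable ratio alone cannot separate the true key from keys that differ in
    a low bit (XOR with 0x01 maps letters to other letters), so a field name the
    analyst expects, such as b"host=", breaks the tie. Returns (key, plaintext)
    or (None, None) when nothing plausible contains the marker."""
    for ratio, key, pt in rank_single_byte_keys(blob):
        if ratio < 0.9:
            break  # the remaining candidates are mostly binary noise
        if marker in pt:
            return key, pt
    return None, None


def parse_config(plaintext):
    """Split a 'k=v;k=v' configuration string into a dict (constructed layout)."""
    fields = {}
    for item in plaintext.decode("ascii", errors="replace").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


# Constructed sample: a plaintext config XORed with key 0x5A, standing in for a
# configuration blob carved out of a binary. 203.0.113.10 is a documentation address.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"host=203.0.113.10;port=443;sleep=60"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, pt = recover_config(SAMPLE_BLOB, b"host=")
    print(f"key=0x{key:02x} config={parse_config(pt)}")
```

The marker argument is the important design choice: a printable-ratio score will rank several keys equally for short ASCII configs, so the analyst supplies a string the decoded config must contain (a field name, a URL scheme, a known C2 hostname from prior reporting) rather than trusting the top score. Recovered fields then feed the hunting hypotheses the Detection direction section describes, for example host and port values to check against proxy and firewall logs.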
Groups, software, and campaigns
G0075: Rancor
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 57b7b339234a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Rancor Unit42 June 2018: Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
[2] mitre-attack S0255 (MITRE ATT&CK source record for S0255).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.