S0275: UPPERCUT
UPPERCUT is a 32-bit HTTP-based backdoor that has been used by menuPass since at least 2017.[1] Once thought to be exclusive to menuPass, UPPERCUT was also observed being used by menuPass-associated MirrorFace during Operation AkaiRyū.[2]
Analyst context for executives and security teams
UPPERCUT matters because it represents a Windows HTTP-based backdoor associated in ATT&CK with long-running espionage activity and later campaign use. For leaders, the practical issue is not the malware name alone; it is whether the organization can recognize a compromised Windows host that is using ordinary-looking web traffic for command and control, running command shell activity, collecting local data, capturing screens, transferring tools, and performing discovery before responders have clear visibility.
Executive priority
Prioritize this as a validation case for Windows endpoint monitoring, web egress visibility, and incident response readiness. Because ATT&CK provides no official detection guidance for UPPERCUT, executives should ask whether SOC teams can prove coverage for the related behaviors: suspicious HTTP-based C2, command shell execution, discovery commands, file and screen collection, tool transfer, UAC bypass indicators, DLL abuse, encoded or encrypted traffic, and delayed execution. This supports resilience, audit evidence, and budget decisions around endpoint logging, network telemetry, and managed detection quality.
Technical view
Treat UPPERCUT as a Windows backdoor behavior cluster rather than a single signature. ATT&CK relationships link it to Windows Command Shell, Web Protocols, Data from Local System, System/User/Network/File/Time Discovery, Ingress Tool Transfer, Screen Capture, Standard Encoding, Symmetric Cryptography, Bypass User Account Control, DLL abuse, and Delay Execution. Detection engineering should validate correlation across process execution, parent-child process chains, DLL load behavior, privilege elevation events, host discovery commands, file access, screenshot-related activity, and outbound HTTP sessions that do not match normal user or application patterns.
Likely telemetry
- Windows endpoint process creation and command-line logs
- Parent-child process relationships involving command shell activity
- Windows privilege elevation and UAC-related events
- DLL load, side-loading, or unusual module path telemetry
- File and directory enumeration and sensitive file access telemetry
Detection direction
- Do not rely on a malware-name alert alone; ATT&CK does not provide official detection text for this object.
- Build detections around behavior combinations: HTTP egress plus command shell execution plus discovery or collection activity on a Windows host.
- Baseline approved administrative discovery and scripting activity to reduce false positives from IT operations.
- Review whether web monitoring can distinguish normal browser/application traffic from unusual host-initiated HTTP command-and-control patterns.
- Correlate UAC bypass indicators and DLL abuse with subsequent command execution, discovery, or external communication.
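The behavior-combination approach in the list above, written out as an added example (this is not Glexia's or MITRE's code, and nothing here is taken from the malware). It correlates four signal types on one Windows host inside a 15-minute window: cmd.exe spawned by an unexpected parent, discovery commands of the kind mapped to this backdoor (hostname, OS version, logged-on user, time zone, proxy settings), a DLL loaded from a user-writable path, and HTTP egress from a non-browser process. The process, module-load and proxy records are constructed sample telemetry in an assumed key=value format; `signedapp.exe` is a hypothetical name standing in for a legitimately signed host process, and `CORP\it-ops-svc` is a constructed, baselined IT operations account whose discovery activity is suppressed to reduce false positives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Parents from which an interactive cmd.exe is expected; anything else is a signal.
SHELL_PARENT_ALLOWLIST = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe", "wt.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Constructed, baselined IT operations account: its discovery commands are expected.
APPROVED_ADMIN_ACCOUNTS = {"corp\\it-ops-svc"}
# Host discovery commands matching the behaviors mapped to this backdoor
# (hostname/OS version, logged-on user, time zone, proxy configuration).
DISCOVERY_RE = re.compile(
    r"\b(hostname|whoami|systeminfo|ver|tzutil|ipconfig|netsh\s+winhttp\s+show\s+proxy)\b", re.I)

# Constructed process creation events: (ts, host, user, parent, image, cmdline).
PROC_EVENTS = [
    ("2025-05-01T09:00:05Z", "WS-01", "CORP\\it-ops-svc", "explorer.exe", "cmd.exe", "cmd.exe /c systeminfo"),
    ("2025-05-01T10:01:00Z", "WS-02", "CORP\\jdoe", "signedapp.exe", "cmd.exe", "cmd.exe /c hostname & whoami & ver"),
    ("2025-05-01T10:01:30Z", "WS-02", "CORP\\jdoe", "signedapp.exe", "cmd.exe", "cmd.exe /c netsh winhttp show proxy"),
]
# Constructed module-load events: (ts, host, image, dll_path).
DLL_EVENTS = [
    ("2025-05-01T09:00:00Z", "WS-01", "explorer.exe", "C:\\Windows\\System32\\shell32.dll"),
    ("2025-05-01T10:00:50Z", "WS-02", "signedapp.exe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.dll"),
]
# Constructed proxy records in an assumed 'ts key=value ...' layout.
PROXY_LOG = """\
2025-05-01T09:00:10Z host=WS-01 proc=msedge.exe dst=www.example.com method=GET status=200
2025-05-01T10:02:10Z host=WS-02 proc=signedapp.exe dst=203.0.113.10 method=POST status=200
2025-05-01T10:03:40Z host=WS-02 proc=signedapp.exe dst=203.0.113.10 method=POST status=200
"""


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_proxy_line(line):
    """Parse one 'ts key=value ...' proxy record into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = parse_ts(ts)
    return rec


def signals_from_process(ev):
    ts, host, user, parent, image, cmdline = ev
    found = []
    if image.lower() == "cmd.exe" and parent.lower() not in SHELL_PARENT_ALLOWLIST:
        found.append("shell_from_unusual_parent")
    if DISCOVERY_RE.search(cmdline) and user.lower() not in APPROVED_ADMIN_ACCOUNTS:
        found.append("discovery_command")
    return [(host, parse_ts(ts), cat) for cat in found]


def signals_from_dll(ev):
    ts, host, image, path = ev
    if path.lower().startswith(USER_WRITABLE_PREFIXES):
        return [(host, parse_ts(ts), "dll_from_user_writable")]
    return []


def signals_from_proxy(log_text):
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if rec["proc"].lower() not in BROWSER_IMAGES:
            out.append((rec["host"], rec["ts"], "non_browser_http_egress"))
    return out


def correlate(proc_events, dll_events, proxy_log, min_categories=3):
    """Return {host: sorted signal categories} for every host on which at least
    min_categories distinct signal types occur within WINDOW of each other."""
    by_host = defaultdict(list)
    all_signals = []
    for ev in proc_events:
        all_signals.extend(signals_from_process(ev))
    for ev in dll_events:
        all_signals.extend(signals_from_dll(ev))
    all_signals.extend(signals_from_proxy(proxy_log))
    for host, ts, cat in all_signals:
        by_host[host].append((ts, cat))

    flagged = {}
    for host, sigs in by_host.items():
        sigs.sort()
        best = set()
        for i, (start, _) in enumerate(sigs):
            cats = {c for t, c in sigs[i:] if t - start <= WINDOW}
            if len(cats) > len(best):
                best = cats
        if len(best) >= min_categories:
            flagged[host] = sorted(best)
    return flagged


if __name__ == "__main__":
    for host, cats in correlate(PROC_EVENTS, DLL_EVENTS, PROXY_LOG).items():
        print(host, ", ".join(cats))
```

On the constructed data WS-01 produces no alert: its discovery command runs from an interactive shell under the baselined account and its web traffic comes from a browser. WS-02 is flagged with all four categories because the module load from a Temp directory, the shell spawned by the signed host process, the discovery commands and the POSTs from that same process all fall inside one window. The window and the minimum category count are the knobs to tune against local baselines before treating this as an alert rather than a hunting query.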
Mitigation priorities
- Ensure Windows endpoint logging captures process creation, command lines, module loads, privilege elevation, and file activity needed for investigation.
- Restrict and monitor unnecessary outbound web traffic from servers and high-value workstations using egress controls and proxy logging.
- Apply least privilege and administrative control review to reduce the value of UAC bypass attempts.
- Harden DLL search-order and application execution paths where feasible, and monitor unexpected DLL loading from user-writable locations.
- Limit unauthorized tool transfer through controlled download paths, web filtering, and alerting on unusual external file retrieval.
Analyst notes and limits
The object is a malware entry for UPPERCUT, described by ATT&CK as a 32-bit HTTP-based backdoor used by menuPass since at least 2017 and also observed with MirrorFace-associated Operation AkaiRyū. The most useful defensive value comes from the mapped behaviors, especially Windows command execution, discovery, collection, tool transfer, C2 over web protocols, encoding/encryption, UAC bypass, DLL abuse, and delayed execution.
ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics on the malware object itself. Relationship descriptions are partially truncated in the supplied data, and technique platform lists may be broader than this malware object’s Windows platform. Local environment telemetry, baselines, and approved administrative activity are required before making coverage or exposure claims.
UPPERCUT
UPPERCUT is a 32-bit HTTP-based backdoor that has been used by menuPass since at least 2017.[1] Once thought to be exclusive to menuPass, UPPERCUT was also observed being used by menuPass-associated MirrorFace during Operation AkaiRyū.[2]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | UPPERCUT has used HTTP for C2, including sending error codes in cookie headers. (Citation: FireEye APT10 Sept 2018) (Citation: Trend Micro Earth Kasha Anel NOV 2024) (Citation: ESET MirrorFace 2025) |
| Enterprise | T1124 | System Time Discovery | UPPERCUT has the capability to obtain the time zone information and the current timestamp of the victim’s machine. (Citation: FireEye APT10 Sept 2018) |
| Enterprise | T1033 | System Owner/User Discovery | UPPERCUT has the capability to collect the current logged on user’s username from a machine. (Citation: FireEye APT10 Sept 2018) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | UPPERCUT uses cmd.exe to execute commands on the victim’s machine. (Citation: FireEye APT10 Sept 2018) |
| Enterprise | T1574.001 | DLL (sub-technique) | UPPERCUT has been sideloaded through a legitimately signed application from the JustSystems Corporation. (Citation: ESET MirrorFace 2025) |
| Enterprise | T1113 | Screen Capture | UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server. (Citation: FireEye APT10 Sept 2018) (Citation: Trend Micro Earth Kasha Updates APR 2025) (Citation: Trend Micro Earth Kasha Anel NOV 2024) (Citation: ESET MirrorFace 2025) |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address. (Citation: FireEye APT10 Sept 2018) UPPERCUT has also used custom ChaCha20, XOR, and LZO algorithms for C2 communication. (Citation: Trend Micro Earth Kasha Updates APR 2025) (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1016 | System Network Configuration Discovery | UPPERCUT has the capability to gather the victim's proxy information. (Citation: FireEye APT10 Sept 2018) |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | UPPERCUT can base64 encode C2 communications. (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1082 | System Information Discovery | UPPERCUT has the capability to gather the system’s hostname and OS version. (Citation: FireEye APT10 Sept 2018) (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1105 | Ingress Tool Transfer | UPPERCUT can download and upload files to and from the victim’s machine. (Citation: FireEye APT10 Sept 2018) (Citation: Trend Micro Earth Kasha Updates APR 2025) (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | UPPERCUT contains functionality to bypass UAC. (Citation: Trend Micro Earth Kasha Updates APR 2025) (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1005 | Data from Local System | UPPERCUT can upload files to the C2 from infected machines. (Citation: Trend Micro Earth Kasha Updates APR 2025) (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1678 | Delay Execution | UPPERCUT can use a sleep function to delay execution. (Citation: Trend Micro Earth Kasha Updates APR 2025) (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1083 | File and Directory Discovery | UPPERCUT has the capability to gather the victim's current directory. (Citation: FireEye APT10 Sept 2018) |
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 0f3a9eab109a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT10 Sept 2018: Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- [2] Trend Micro Earth Kasha Anel NOV 2024: Hiroaki, H. (2024, November 26). Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.
- [3] ANEL (Citation: FireEye APT10 Sept 2018)
- [4] UPPERCUT (Citation: FireEye APT10 Sept 2018)
- [5] mitre-attack S0275
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.