S0280: MirageFox
Analyst context for executives and security teams
MirageFox matters because it is a Windows remote access tool, which means its defensive significance is less about one malware name and more about whether the organization can recognize post-compromise control, discovery, command execution, decoding activity, and DLL abuse on Windows endpoints. ATT&CK does not provide official detection guidance for this object, so coverage should be validated through the behaviors linked to it rather than by relying on a signature alone.
Executive priority
Treat MirageFox as a test case for Windows endpoint resilience and incident readiness. Leaders should ask whether SOC and IR teams can prove they collect enough endpoint, process, command-line, DLL-loading, and user/session evidence to investigate a remote access tool quickly. The ATT&CK relationship to Ke3chang adds threat-intelligence context, but local prioritization should be based on exposed Windows assets, business-critical systems, and the organization’s ability to detect the related techniques.
Technical view
The supplied relationships show MirageFox using System Owner/User Discovery, Windows Command Shell, System Information Discovery, Deobfuscate/Decode Files or Information, and DLL abuse. Detection engineering should therefore validate behavior-based analytics for unusual cmd.exe execution, user and system discovery commands, decoding or deobfuscation activity, and suspicious DLL loading or side-loading patterns on Windows. Because no official detection text is provided, teams should avoid assuming tool-name coverage and instead test whether these technique-level behaviors are visible and triageable.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Parent/child process relationships involving command shell execution
- User logon, session, and account context for discovery activity
- Host inventory and system information query evidence
- File creation, modification, and execution metadata for decoded or deobfuscated content
Detection direction
- Validate analytics for Windows Command Shell execution that is unusual for the host, user, parent process, or business role.
- Tune discovery detections around user and system information collection so they distinguish administrative activity from unexpected reconnaissance on endpoints.
- Review coverage for deobfuscation or decoding activity, especially when followed by execution or file creation in unusual locations.
- Validate DLL abuse monitoring, including suspicious DLL loads, unexpected library paths, and application execution patterns consistent with side-loading or hijacking.
- Use the Ke3chang relationship as threat-intelligence context, not as proof of attribution in any local incident.
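To make the detection direction above concrete, here is an added example (not code from MITRE, the Intezer report, or Glexia) that triages constructed Sysmon-style events for the technique-level behaviors in this page's table: cmd.exe spawned by a parent that is not an expected shell launcher (T1059.003), discovery commands in the command line (T1033, T1082), and a commonly hijacked DLL name resolved from an application directory instead of the system directory (T1574.001). The parent allowlist, the watched DLL names, the field names, and every sample event are assumptions labelled in the code; they are not indicators taken from MirageFox itself.

```python
"""Technique-level triage of Windows endpoint telemetry.

Added example for this page, not code from MITRE or from the Intezer report.
Event dicts mimic Sysmon Event ID 1 (process creation) and Event ID 7 (image
load) field names; every sample event below is constructed, not captured.
"""
import ntpath
import re

# Assumption: parents from which cmd.exe is routinely launched in this
# environment. Tune per host role; an interactive shell under explorer.exe is
# normal, the same shell under a third-party agent or updater usually is not.
EXPECTED_CMD_PARENTS = {"explorer.exe", "powershell.exe", "conhost.exe", "msiexec.exe"}

# Discovery commands mapped to the techniques listed on this page.
DISCOVERY_PATTERNS = [
    (re.compile(r"\bwhoami\b|\bquery\s+user\b|\bnet\s+user\b", re.I), "T1033"),
    (re.compile(r"\bsysteminfo\b|\bhostname\b|\bwmic\s+(?:os|cpu|computersystem)\b", re.I), "T1082"),
]

# Assumption: a constructed set of library names that Windows applications
# commonly resolve through search order. A copy loaded from outside the system
# directory is the classic hijacking shape; the names are not MirageFox IOCs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptsp.dll"}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir", "user": r"CORP\alice"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": "cmd.exe /c whoami & systeminfo", "user": r"CORP\alice"},
    {"id": 7, "image": r"C:\Program Files\Vendor\updater.exe",
     "loaded": r"C:\Program Files\Vendor\version.dll", "signed": False},
    {"id": 7, "image": r"C:\Program Files\Vendor\updater.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
]


def triage(event):
    """Return a list of (technique_id, reason) findings for one event."""
    findings = []
    if event["id"] == 1:
        image = ntpath.basename(event.get("image", "")).lower()
        parent = ntpath.basename(event.get("parent", "")).lower()
        cmdline = event.get("cmdline", "")
        if image == "cmd.exe" and parent not in EXPECTED_CMD_PARENTS:
            findings.append(("T1059.003", f"cmd.exe spawned by unexpected parent {parent}"))
        for pattern, tid in DISCOVERY_PATTERNS:
            match = pattern.search(cmdline)
            if match:
                findings.append((tid, f"discovery command '{match.group(0)}' in command line"))
    elif event["id"] == 7:
        loaded = event["loaded"].lower()
        name = ntpath.basename(loaded)
        in_system_dir = loaded.startswith(SYSTEM_DIRS)
        where = ntpath.dirname(event["loaded"])
        if name in WATCHED_DLLS and not in_system_dir:
            findings.append(("T1574.001", f"{name} loaded from {where} instead of the system directory"))
        elif not event.get("signed", True) and not in_system_dir:
            findings.append(("T1574.001", f"unsigned {name} loaded from {where}"))
    return findings


def triage_all(events):
    """Map each event index to its findings. Empty lists are kept so the
    analyst can see which events were examined and cleared."""
    return {i: triage(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for idx, hits in triage_all(EVENTS).items():
        for tid, reason in hits:
            print(f"event {idx}: {tid}: {reason}")
```

The point of the example is the shape of the validation, not the specific strings: each rule is keyed to one ATT&CK ID from the table, so a team can feed its own Sysmon or EDR export through it and see which of the five related techniques produces a triageable finding and which is silent.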
Mitigation priorities
- Prioritize endpoint visibility on Windows systems before relying on malware-name detections.
- Harden and monitor execution paths that allow command shell abuse, while preserving legitimate administrative use cases.
- Reduce DLL abuse risk through application control, trusted software paths, least privilege, and disciplined software deployment practices where feasible.
- Ensure incident response playbooks include rapid collection of process history, loaded modules, files, user context, and system discovery artifacts.
- Map validated controls and detections to the related ATT&CK techniques to support audit evidence and readiness reporting.
Analyst notes and limits
The object is a malware entry for MirageFox, described by ATT&CK as a remote access tool used against Windows systems and appearing to be an upgraded version of Mirage. ATT&CK relationships indicate use by Ke3chang and use of several techniques, but the object itself has no specified tactics and no official detection text. The strongest defensive value comes from validating telemetry and detections for the related behaviors rather than treating the software name as sufficient coverage.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, confirmed attribution in any environment, or guaranteed detection. Local environment evidence is required to determine risk, prevalence, and control effectiveness.
MirageFox
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | MirageFox can collect CPU and architecture information from the victim’s machine. [1] |
| Enterprise | T1574.001 | DLL | MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary. [1] |
| Enterprise | T1059.003 | Windows Command Shell | MirageFox has the capability to execute commands using cmd.exe. [1] |
| Enterprise | T1033 | System Owner/User Discovery | MirageFox can gather the username from the victim’s machine. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MirageFox has a function for decrypting data containing C2 configuration information. [1] |
Groups, software, and campaigns
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 59ec9de0c22b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] APT15 Intezer June 2018. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
- [2] MirageFox (Citation: APT15 Intezer June 2018).
- [3] mitre-attack S0280.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.