
S0300: DressCode

DressCode is an Android malware family. [1]

Domain: Mobile | ID: S0300 | Type: Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DressCode matters because ATT&CK identifies it as an Android malware family with a relationship to exploitation of remote services from a mobile device’s position on or near an enterprise network. For leaders, the decision point is not just “mobile malware exists,” but whether mobile devices with VPN or local network access could become a path toward internal systems without adequate visibility, segmentation, and incident response playbooks.

Executive priority

Prioritize this as a mobile-to-enterprise access risk. Security leaders should ask whether Android device governance, VPN access controls, internal remote-service exposure, and mobile incident response evidence are strong enough to prove containment during an incident or audit. The supplied ATT&CK object does not provide active exploitation claims or detection guidance, so local exposure and telemetry maturity should drive priority.

Technical view

SOC and IR teams should validate coverage around Android devices that can reach enterprise resources, especially through VPN or local connectivity. The key relationship is DressCode using T1428, Exploitation of Remote Services, where a mobile device’s network position may be used to reach enterprise servers, workstations, or other internal resources. Because the malware object has no ATT&CK tactics, platforms field, aliases, or official detection text, detection engineering should start from relationship-driven behaviors rather than malware-name matching alone.

Likely telemetry

  • Mobile device inventory and Android app installation or application reputation records
  • MDM/UEM compliance, enrollment, and device posture events where available
  • VPN authentication, session, device identity, and internal destination logs
  • Internal remote service access logs for servers, workstations, or other enterprise resources reachable from mobile networks
  • Network telemetry for mobile-to-internal connections, including DNS, proxy, firewall, and segmentation control logs

Detection direction

  • Validate whether Android devices with enterprise access are visible in SOC telemetry; unmanaged or bring-your-own devices may be a major blind spot.
  • Do not rely only on the DressCode name or static indicators; the supplied ATT&CK object provides no official detection logic and no aliases.
  • Correlate mobile device posture, VPN sessions, and internal remote-service access to identify unusual mobile-originated access to enterprise resources.
  • Tune detections with awareness that legitimate mobile VPN use and administrative remote access can create false positives; baselines should account for approved users, devices, destinations, and time patterns.
  • Use the T1428 relationship to test whether alerts fire when a mobile network position is used to reach remote services that should not normally be accessible.
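The correlation described in the bullets above, as an added example (not part of the Glexia or MITRE page): VPN sessions are joined with MDM/UEM posture and with the internal destinations each session reached, and mobile-originated access is flagged when the device is unmanaged or non-compliant, the destination is outside the approved mobile baseline, or the port belongs to a remote service a phone should not normally reach. All session, device, host and baseline values are constructed sample data.

```python
# Constructed sample telemetry (not from the page): VPN sessions keyed by session id,
# with device posture joined in from MDM/UEM records.
VPN_SESSIONS = {
    "s1": {"user": "alice", "device": "android-101", "managed": True,  "compliant": True},
    "s2": {"user": "bob",   "device": "android-202", "managed": False, "compliant": False},
    "s3": {"user": "carol", "device": "android-303", "managed": True,  "compliant": True},
}

# Constructed internal-destination records (firewall/proxy) attributed to VPN sessions.
INTERNAL_ACCESS = [
    {"session": "s1", "dst": "mail.corp.example",          "port": 443},
    {"session": "s2", "dst": "fileserver.corp.example",    "port": 445},
    {"session": "s3", "dst": "ws-finance-07.corp.example", "port": 3389},
    {"session": "s3", "dst": "wiki.corp.example",          "port": 443},
]

# Baseline of (host, port) pairs approved for mobile VPN users; anything else is unusual.
APPROVED_MOBILE_DESTINATIONS = {("mail.corp.example", 443), ("wiki.corp.example", 443)}

# Ports of remote services (SSH, SMB, RDP, WinRM) a phone should not normally reach.
REMOTE_SERVICE_PORTS = {22, 445, 3389, 5985, 5986}


def correlate(sessions, access, approved):
    """Return one finding per internal access event that looks like unusual
    mobile-originated access; each finding lists every reason it fired."""
    findings = []
    for event in access:
        sess = sessions.get(event["session"])
        reasons = []
        if sess is None:
            # Access attributed to a session the VPN never reported: a telemetry gap.
            reasons.append("no-matching-vpn-session")
            sess = {"user": None, "device": None}
        else:
            if not (sess["managed"] and sess["compliant"]):
                reasons.append("unmanaged-or-noncompliant-device")
        if (event["dst"], event["port"]) not in approved:
            reasons.append("destination-not-in-mobile-baseline")
        if event["port"] in REMOTE_SERVICE_PORTS:
            reasons.append("remote-service-port")
        if reasons:
            findings.append({"user": sess["user"], "device": sess["device"],
                             "dst": event["dst"], "port": event["port"],
                             "reasons": reasons})
    # Most reasons first, so the triage queue surfaces the riskiest access.
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for f in correlate(VPN_SESSIONS, INTERNAL_ACCESS, APPROVED_MOBILE_DESTINATIONS):
        print(f)
```

Approved users, devices and destinations belong in the baseline set rather than in the rule, so that tuning for legitimate mobile VPN use does not require changing the detection logic.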

Mitigation priorities

  • First, confirm which Android devices are permitted to access enterprise networks and whether they are enrolled, compliant, and revocable.
  • Limit mobile VPN and local network access to necessary services; reduce internal remote-service exposure reachable from mobile-connected devices.
  • Require strong identity, device posture, and access controls for mobile-to-enterprise connectivity.
  • Maintain mobile incident response procedures for isolating devices, revoking sessions, and preserving relevant logs.
  • Use vulnerability management and configuration review to prioritize remote services exposed to mobile-accessible network paths.

Analyst notes and limits

The supplied ATT&CK data is sparse: DressCode is described only as an Android malware family, with one external Trend Micro reference and a relationship to T1428. The most useful defensive framing is therefore enterprise mobile access governance and visibility into remote-service access from mobile-connected devices.

No official ATT&CK detection text, tactics, malware platforms field, aliases, labels, or detailed procedure examples were provided. This take should be validated against the organization’s actual Android estate, VPN architecture, MDM/UEM coverage, and internal remote-service exposure before assigning risk or coverage status.

Official MITRE ATT&CK definition

DressCode

DressCode is an Android malware family. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain   ID     Name                              Relationship / procedure
Mobile   T1428  Exploitation of Remote Services   DressCode sets up a "general purpose tunnel" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to. [1] (TrendMicro-DressCode)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: 978f316b5600c578...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (not provided)    1.0              (not provided)   Current bundle   978f316b5600…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro-DressCode: Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.
  2. [2] DressCode (Citation: TrendMicro-DressCode)
  3. [3] mitre-attack S0300

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.