S0315: DualToy

DualToy matters because it connects endpoint compromise with mobile-device risk: the official ATT&CK description identifies it as Windows malware that installs malicious applications onto Android and iOS devices connected over USB. For leaders, the business issue is not only malware on a workstation, but whether trusted USB workflows, mobile device controls, and SOC visibility can detect or prevent a compromised computer from becoming a bridge into employee mobile devices.

Executive priority

Prioritize validation where mobile devices are used for executive access, privileged administration, messaging, approvals, or regulated data. Ask whether the organization can prove control over USB-based sideloading, unmanaged mobile devices, and incident response handoffs between endpoint and mobile teams. Because ATT&CK provides no official detection text for DualToy, assurance should come from tested telemetry and policy evidence rather than assumptions.

Technical view

Defenders should treat DualToy as a cross-device behavior pattern: a Windows malware presence followed by interaction with Android or iOS devices over USB, malicious app installation, and related mobile discovery behavior. The relationship context links DualToy to Replication Through Removable Media (T1458) and System Network Configuration Discovery (T1422), so SOC and IR teams should validate visibility into USB device connections, mobile app installation or sideloading events, and collection or access to mobile network configuration details such as IP or MAC-related information where available.

Likely telemetry

Windows endpoint security alerts and process/file activity associated with malware execution
USB device connection history from Windows endpoints
Mobile device management or endpoint mobility logs showing app installation, sideloading, trust, or device connection events
Android and iOS device inventory and compliance state where managed
Network configuration access or discovery artifacts on mobile devices where telemetry exists

Detection direction

Build detections around the sequence of suspicious Windows endpoint activity plus new or unusual USB-connected Android or iOS device interaction, rather than relying on a single indicator.
Validate whether MDM or mobile security tooling records sideloaded or externally installed applications; this is a likely blind spot for unmanaged or personally owned devices.
Tune USB detections to account for legitimate charging, file transfer, device backup, development, and support workflows to reduce false positives.
Use the T1458 relationship to test whether controls can identify malware movement or application installation via physical connection to a PC.
Use the T1422 relationship to review whether mobile telemetry can show network configuration discovery, recognizing that ATT&CK provides no DualToy-specific detection guidance.

Mitigation priorities

Limit or control USB data connections from enterprise Windows systems where business need is low.
Enforce mobile device management policies that restrict unauthorized app installation or sideloading where supported.
Separate and monitor workflows that legitimately require mobile device USB access, such as development, support, or device provisioning.
Ensure incident response playbooks include steps to identify mobile devices physically connected to a compromised workstation.
Maintain evidence for audit and compliance showing mobile app control, device inventory, endpoint USB policy, and investigation procedures.

Analyst notes and limits

The supplied ATT&CK object is sparse: it identifies DualToy as Windows malware targeting Android and iOS devices connected over USB, with relationships to T1458 and T1422. There are no ATT&CK tactics, aliases, labels, platforms field values, or official detection text on the object. The defensive value is therefore in validating cross-domain coverage between endpoint security, USB control, MDM, and mobile IR rather than in applying a MITRE-provided analytic.

This take is based only on the supplied official STIX fields, external references, and relationships. It does not assert current activity, attribution, prevalence, impact, or guaranteed detection. Local device ownership models, USB policy, MDM coverage, mobile operating system controls, and endpoint logging determine practical exposure and visibility.

Official MITRE ATT&CK definition

DualToy

DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 2 rows

Domain	ID	Name	Relationship / procedure
Mobile	T1422	System Network Configuration Discovery	DualToy collects the connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number.CitationPaloAlto-DualToy
Mobile	T1458	Replication Through Removable Media	DualToy side loads malicious or risky apps to both Android and iOS devices via a USB connection.CitationPaloAlto-DualToy

Relationship explorer

All related ATT&CK context

uses · Technique T1422: System Network Configuration Discovery Mobile uses · Technique T1458: Replication Through Removable Media Mobile

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 25, 2017, 14:48 UTC (UTC+00:00)
Modified: Apr 25, 2025, 14:40 UTC (UTC+00:00)
Raw hash: 074d21bebbe1c2f8...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Apr 25, 2025, 14:40 UTC (UTC+00:00)	Current bundle	`074d21bebbe1…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
PaloAlto-DualToy

Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.
Open source URL
[2]
DualToy

(Citation: PaloAlto-DualToy)
[3]
mitre-attack S0315
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams