S0354: Denis
Analyst context for executives and security teams
Denis is a Windows backdoor/Trojan documented by ATT&CK as used by APT32 and associated with SOUNDBITE and Goopy. Its importance is not just the malware name: the related behaviors cover host discovery, command execution, obfuscation, process hollowing, DNS-based command and control, tool transfer, file deletion, DLL abuse, and archiving. For leaders, this makes Denis a useful test case for whether Windows endpoint, DNS, and incident response visibility can reconstruct a stealthy post-compromise intrusion rather than only detect a known file hash.
Executive priority
Prioritize this as a Windows intrusion-readiness and evidence-quality issue. Ask whether the organization can prove coverage for PowerShell/cmd execution, registry and system discovery, suspicious DLL loading, process injection, DNS C2 patterns, tool ingress, and cleanup activity. Because the official ATT&CK object has no detection guidance, leadership should not assume product coverage; require SOC validation, IR evidence retention, and control testing mapped to the related techniques.
Technical view
ATT&CK lists Denis as Windows malware and links it to techniques spanning discovery, execution, stealth/evasion, command-and-control, and collection. SOC and IR teams should validate telemetry for Query Registry, System/User/File/Network Discovery, PowerShell and Windows Command Shell, Native API use, Process Hollowing, Obfuscated/Encoded/Decoded content, File Deletion, DNS C2, Ingress Tool Transfer, Archive via Library, and Hijack Execution Flow/DLL abuse. The object itself has no specified tactics and no official detection text, so detections should be behavior-led and tested against local Windows baselines rather than signature-only.
Likely telemetry
- Windows process creation events with command-line arguments
- PowerShell script block, module, and operational logs where enabled
- Registry query/access telemetry from EDR or Windows auditing
- File creation, modification, deletion, and archive creation events
- DLL load/module load telemetry and application execution context
Detection direction
- Build detections around behavior chains: a chain of discovery followed by command execution, obfuscated commands, tool transfer, DNS communication, and cleanup is higher value than any single weak signal.
- Tune PowerShell and cmd detections for suspicious encoded or obfuscated usage, but account for legitimate administration to reduce false positives.
- Validate visibility into process hollowing and Native API-driven execution; basic process logs may miss memory-level behavior.
- Review DNS analytics for unusual domains, query volume, encoding-like patterns, or rare destinations, while recognizing DNS is noisy and widely used for legitimate administration.
- Correlate DLL abuse and execution-flow hijacking with unusual paths, unsigned or unexpected libraries, and parent-child process context.
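The following is an added example, not code from the page, from ATT&CK, or from Glexia, showing one way to turn the detection direction above into behavior-chain logic over endpoint telemetry. It runs over a few constructed sample records (the hosts, command lines, query names and paths are invented for illustration), decodes `-EncodedCommand` PowerShell, flags `reg query` discovery, applies a length/entropy heuristic to the leftmost DNS label, checks for the `msfte.dll` load by SearchIndexer.exe/SearchProtocolHost.exe noted in the technique table, and alerts only where several distinct signals co-occur on one host. The thresholds and signal names are assumptions to be tuned against local baselines.

```python
"""Behavior-chain detection over constructed Windows telemetry (added example)."""
import base64
import math
import re
from collections import defaultdict

# Constructed sample records, not real telemetry: (event_kind, host, detail).
# "process" detail is a command line, "dns" a queried name, and "dll" is
# "image|loaded_module_path" as a module-load event might expose it.
ENCODED_PS = base64.b64encode(
    "whoami; hostname; Get-ItemProperty "
    "'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    ("process", "WS01", f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_PS}"),
    ("process", "WS01", "reg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\""),
    ("dns", "WS01", "a9f3c1d7e8b24ff0a1c3e5d7b9a1c3e5.update.cdn-example.test"),
    ("dns", "WS01", "b1e2d3c4a5f6e7d8c9b0a1f2e3d4c5b6.update.cdn-example.test"),
    ("dll", "WS01", "SearchIndexer.exe|C:\\Windows\\System32\\msfte.dll"),
    ("process", "WS02", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ("dns", "WS02", "www.microsoft.com"),
    ("dll", "WS02", "explorer.exe|C:\\Windows\\System32\\shell32.dll"),
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; -ep (ExecutionPolicy) is excluded.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SEARCH_HOSTS = {"searchindexer.exe", "searchprotocolhost.exe"}


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_tunnel_like(qname, max_label=24, min_entropy=3.5):
    """Heuristic for DNS tunnelling: a long or high-entropy leftmost label (assumed thresholds)."""
    label = qname.split(".")[0]
    return len(label) >= max_label or shannon_entropy(label) >= min_entropy


def is_msfte_hijack(detail):
    """True when a Windows Search host image loads msfte.dll (T1574.001 detail from the table)."""
    image, _, module = detail.partition("|")
    return image.lower() in SEARCH_HOSTS and module.lower().endswith("\\msfte.dll")


def classify(kind, detail):
    """Map one record to zero or more behavior signals named after the related techniques."""
    signals = set()
    if kind == "process":
        if decode_encoded_powershell(detail) is not None:
            signals.add("encoded_powershell")   # T1027.010 / T1059.001
        if re.search(r"\breg(?:\.exe)?\s+query\b", detail.lower()):
            signals.add("registry_discovery")   # T1012
    elif kind == "dns" and is_tunnel_like(detail):
        signals.add("dns_tunnel_like")          # T1071.004
    elif kind == "dll" and is_msfte_hijack(detail):
        signals.add("msfte_dll_load")           # T1574.001
    return signals


def chain_alerts(events, min_signals=2):
    """Group signals per host and alert only where several distinct behaviors co-occur."""
    per_host = defaultdict(set)
    for kind, host, detail in events:
        per_host[host] |= classify(kind, detail)
    return {h: s for h, s in per_host.items() if len(s) >= min_signals}


if __name__ == "__main__":
    for host, signals in chain_alerts(SAMPLE_EVENTS).items():
        print(host, sorted(signals))
```

Each heuristic is weak on its own: the DNS label check also trips on legitimate hashed CDN or telemetry hostnames, and encoded PowerShell is common in administration, so the value is in the per-host correlation and in reading the decoded command rather than in any single signal.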
Mitigation priorities
- Start with evidence readiness: ensure Windows endpoint, PowerShell, DNS, file, registry, and process telemetry are collected and retained for IR reconstruction.
- Harden and monitor script and shell execution, including PowerShell logging and restrictions appropriate to business operations.
- Apply application control and DLL search-order hardening where feasible to reduce execution-flow hijacking and DLL abuse opportunities.
- Use EDR capabilities that can observe process injection/hollowing and suspicious Native API behavior, not only file-based malware detection.
- Restrict and monitor unnecessary outbound DNS and file-transfer paths; centralize DNS logging for investigation.
Analyst notes and limits
The supplied ATT&CK data identifies Denis as a Windows backdoor/Trojan used by APT32, with similarities to SOUNDBITE and use alongside Goopy. The strongest defensive value comes from the related technique set, which describes what telemetry and controls should be validated. Attribution should remain conservative: the APT32 relationship is useful for intelligence enrichment but does not establish attribution for any local alert.
Official detection guidance is not provided for this object, and the object itself has no specified tactics. Several relationship descriptions are general ATT&CK technique descriptions, not Denis-specific procedural detail. Local baselines, logging configuration, EDR capability, DNS architecture, and administrative practices are required to determine actual detection coverage and priority.
Denis
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.004 | DNS (sub-technique) | Denis has used DNS tunneling for C2 communications. (Citation: Cybereason Oceanlotus May 2017; Securelist Denis April 2017; Cybereason Cobalt Kitty 2017) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Denis has a command to delete files from the victim’s machine. (Citation: Cybereason Oceanlotus May 2017; Cybereason Cobalt Kitty 2017) |
| Enterprise | T1497.001 | System Checks (sub-technique) | Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | Denis deploys additional backdoors and hacking tools to the system. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1055.012 | Process Hollowing (sub-technique) | Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1082 | System Information Discovery | Denis collects OS information and the computer name from the victim’s machine. (Citation: Securelist Denis April 2017; Cybereason Cobalt Kitty 2017) |
| Enterprise | T1012 | Query Registry | Denis queries the Registry for keys and values. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Denis will decrypt important strings used for C&C communication. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1027.010 | Command Obfuscation (sub-technique) | Denis has encoded its PowerShell commands in Base64. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1016 | System Network Configuration Discovery | Denis uses |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | Denis encodes the data sent to the server in Base64. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1560.002 | Archive via Library (sub-technique) | Denis compressed collected data using zlib. (Citation: Securelist Denis April 2017) |
| Enterprise | T1574 | Hijack Execution Flow | Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by SearchIndexer.exe and SearchProtocolHost.exe. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1083 | File and Directory Discovery | Denis has several commands to search directories for files. (Citation: Cybereason Oceanlotus May 2017; Cybereason Cobalt Kitty 2017) |
| Enterprise | T1106 | Native API | |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Denis has a version written in PowerShell. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1033 | System Owner/User Discovery | Denis enumerates and collects the username from the victim’s machine. (Citation: Securelist Denis April 2017; Cybereason Cobalt Kitty 2017) |
| Enterprise | T1574.001 | DLL (sub-technique) | Denis exploits a security vulnerability to load a fake DLL and execute its code. (Citation: Cybereason Oceanlotus May 2017) |
| Enterprise | T1027 | Obfuscated Files or Information | Denis obfuscates its code and encrypts the API names. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Denis can launch a remote shell to execute arbitrary commands on the victim’s machine. (Citation: Cybereason Oceanlotus May 2017; Cybereason Cobalt Kitty 2017) |
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 788c8f7af7db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybereason Oceanlotus May 2017: Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
[2] Denis (Citation: Cybereason Oceanlotus May 2017)
[3] mitre-attack: S0354
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.