S0355: Final1stspy
Final1stspy is a dropper family that has been used to deliver DOGCALL.[1]
Analyst context for executives and security teams
Final1stspy matters because MITRE describes it as a Windows dropper used to deliver DOGCALL, with relationships showing behaviors around obfuscation, discovery, web-protocol communications, and Run Key or Startup Folder persistence. For leaders, the practical issue is not the malware name alone; it is whether the organization can see and contain an early-stage dropper before it establishes persistence or hands off to follow-on tooling.
Executive priority
Prioritize validation of endpoint, registry, and web traffic visibility for Windows systems. This object is associated in ATT&CK with APT37 and with techniques that commonly affect incident scope decisions: persistence, discovery, and command-and-control over web protocols. Executives should ask whether SOC and IR teams can prove coverage for suspicious startup persistence, process/system discovery, encoded or obfuscated payload handling, and unusual outbound web communications without relying on a named malware signature.
Technical view
ATT&CK provides no official detection text for Final1stspy, so defenders should build coverage from the mapped behaviors: T1027 Obfuscated Files or Information, T1140 Deobfuscate/Decode Files or Information, T1057 Process Discovery, T1082 System Information Discovery, T1071.001 Web Protocols, and T1547.001 Registry Run Keys / Startup Folder. On Windows, validate detection logic for new or modified Run Keys and Startup Folder entries, suspicious process and system enumeration, file drops followed by decode/deobfuscation activity, and outbound HTTP/S patterns inconsistent with normal host behavior. Relationship context also notes use by APT37, but local detections should remain behavior-based unless reliable intelligence or samples are available.
Likely telemetry
- Windows process creation events with command line and parent-child process context
- Windows registry auditing or EDR telemetry for Run Keys and startup persistence locations
- File creation, modification, and execution telemetry for newly dropped or decoded payloads
- Endpoint alerts or sandbox/malware analysis results showing obfuscation or deobfuscation behavior
- Network proxy, firewall, DNS, and HTTP/S metadata for outbound web-protocol communications
Detection direction
- Confirm that detections do not depend solely on the malware family name or static signatures, since ATT&CK provides no official detection guidance or aliases here.
- Tune for combinations of behavior: newly written executable content, deobfuscation or decoding activity, discovery commands/API activity, persistence creation, and outbound web traffic from the same host or user context.
- Review false positives around legitimate software updaters, installers, administrative scripts, and endpoint management tools that create Run Key entries or perform system inventory.
- Validate visibility gaps on endpoints with limited command-line logging, weak registry auditing, encrypted web traffic without useful metadata, or missing proxy/DNS correlation.
- Use the DOGCALL delivery relationship as an investigation pivot, but avoid assuming follow-on malware is present without local evidence.
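The Technical view and the detection direction above both come down to one rule: no single mapped behavior is worth an alert, but the combination on one host within a short window is. As an added example (not code from this page, MITRE, or the Unit 42 report), the following Python correlates those behaviors over EDR-style events. The event schema (`type`, `host`, `ts`, `path`, `cmdline`, `key`, `value`, `image`, `proto`) is an assumption standing in for real Sysmon or EDR telemetry, and every event in `SAMPLE_EVENTS` is constructed; the trusted-directory allowlist is the false-positive control the list above asks for.

```python
"""Behavioral correlation for the techniques ATT&CK maps to Final1stspy.

Added example for this page; not code from the page, MITRE, or Unit 42.
The event schema is an assumption standing in for EDR/Sysmon telemetry,
and every event in SAMPLE_EVENTS is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Persistence locations (T1547.001): Run/RunOnce keys and the per-user Startup folder.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Paths a standard user can write to; executables created here are candidate drops.
USER_WRITABLE_RE = re.compile(r"^C:\\(Users|ProgramData)\\", re.IGNORECASE)
# Where legitimate installers, updaters and OS tools live; used to cut false positives.
TRUSTED_DIR_RE = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)
# Process/system enumeration (T1057, T1082) and common decode helpers (T1140).
DISCOVERY_RE = re.compile(
    r"\b(tasklist|systeminfo|wmic\s+(os|cpu|process)|Get-Process|Get-ComputerInfo)\b", re.IGNORECASE)
DECODE_RE = re.compile(r"(certutil(\.exe)?\s+.*-decode|FromBase64String|base64\s+-d)", re.IGNORECASE)

# Constructed events: a dropper chain on WS01, a signed vendor updater on WS02.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "type": "file_create",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"},
    {"ts": "2024-05-01T09:00:03", "host": "WS01", "type": "process_create",
     "cmdline": "certutil -decode C:\\Users\\alice\\AppData\\Local\\Temp\\p.b64 p.exe"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "type": "process_create",
     "cmdline": "svc.exe"},
    {"ts": "2024-05-01T09:00:07", "host": "WS01", "type": "process_create",
     "cmdline": "tasklist /v"},
    {"ts": "2024-05-01T09:00:10", "host": "WS01", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "value": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"},
    {"ts": "2024-05-01T09:00:12", "host": "WS01", "type": "network",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "proto": "http"},
    {"ts": "2024-05-01T09:30:00", "host": "WS02", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Program Files\\Vendor\\updater.exe"},
    {"ts": "2024-05-01T09:30:01", "host": "WS02", "type": "network",
     "image": "C:\\Program Files\\Vendor\\updater.exe", "proto": "https"},
]


def classify_event(event):
    """Return the set of behavior labels a single event is evidence for."""
    labels = set()
    kind = event["type"]
    if kind == "file_create":
        path = event["path"]
        if path.lower().endswith((".exe", ".dll")) and USER_WRITABLE_RE.match(path):
            labels.add("dropped_executable")
        if STARTUP_DIR_RE.search(path):
            labels.add("T1547.001")
    elif kind == "process_create":
        cmd = event.get("cmdline", "")
        if DISCOVERY_RE.search(cmd):
            labels.add("T1057/T1082")
        if DECODE_RE.search(cmd):
            labels.add("T1140")
    elif kind == "registry_set":
        # A Run key pointing into a trusted directory is usually an installer; skip it.
        if RUN_KEY_RE.search(event["key"]) and not TRUSTED_DIR_RE.match(event["value"]):
            labels.add("T1547.001")
    elif kind == "network":
        if event.get("proto") in ("http", "https") and not TRUSTED_DIR_RE.match(event["image"]):
            labels.add("T1071.001")
    return labels


def correlate(events, window=timedelta(minutes=10), min_labels=3):
    """Alert per host when at least min_labels distinct behaviors fall inside window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        labels = classify_event(ev)
        if labels:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), labels))
    alerts = []
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, labels in hits[i:]:
                if ts - start > window:
                    break
                seen |= labels
            if len(seen) >= min_labels:
                alerts.append({"host": host, "start": start.isoformat(), "behaviors": sorted(seen)})
                break  # one alert per host; the case then pivots on that host's timeline
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events only WS01 alerts, with five distinct behaviors inside twelve seconds; WS02's Run key write and HTTPS traffic are attributed to a binary under Program Files and never become labels. Tune `window`, `min_labels` and `TRUSTED_DIR_RE` against your own baseline of updaters and management agents before relying on it.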
Mitigation priorities
- Harden Windows persistence surfaces by monitoring and controlling Run Keys and Startup Folder modifications.
- Use application control or allowlisting where feasible to reduce execution of unauthorized dropped files.
- Ensure endpoint protection and EDR policies collect process, registry, file, and script/decode activity needed for behavioral correlation.
- Apply least-privilege practices so user-context persistence and follow-on execution have reduced impact.
- Maintain egress monitoring and proxy/DNS logging for web-protocol command-and-control analysis.
Analyst notes and limits
The ATT&CK record is sparse: Final1stspy is described as a dropper family used to deliver DOGCALL, with a cited Unit 42 report and ATT&CK relationships supplying most of the defensive context. The object is Windows-platform malware in enterprise ATT&CK and is linked to APT37 through an ATT&CK relationship. The detection and control recommendations above are derived from those relationships rather than from official detection text.
No official ATT&CK detection text, tactics, aliases, labels, hashes, infrastructure indicators, or active exploitation claims were supplied. Local environment baselines and telemetry quality are required to determine actual exposure, detection coverage, and incident scope.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Final1stspy creates a Registry Run key to establish persistence.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Final1stspy uses Python code to deobfuscate base64-encoded strings.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Final1stspy obfuscates strings with base64 encoding.[1] |
| Enterprise | T1057 | Process Discovery | Final1stspy obtains a list of running processes.[1] |
| Enterprise | T1082 | System Information Discovery | Final1stspy obtains victim Microsoft Windows version information and CPU architecture.[1] |
| Enterprise | T1071.001 | Web Protocols | Final1stspy uses HTTP for C2.[1] |
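The T1027 and T1140 rows describe the same property from two sides: strings are base64-encoded at rest and decoded at run time. As an added triage example (not code from this page, MITRE, or the Unit 42 report), the following Python extracts base64 runs from a dropped file, decodes them strictly, and labels what comes out, so an analyst can confirm this style of obfuscation without a family signature. The sample buffer is constructed, and the 12-character minimum token length is an assumption chosen to keep ordinary identifiers out of the candidate set.

```python
"""Triage helper for base64-obfuscated strings in a dropped sample (T1027 / T1140).

Added example for this page; not code from the page, MITRE, or Unit 42.
SAMPLE is a constructed buffer standing in for a dropped file.
"""
import base64
import binascii
import re
import string

# Runs of base64 alphabet characters with optional padding. The 12-character
# minimum (an assumption) keeps most short words and variable names out.
B64_TOKEN_RE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

# Constructed sample: a URL, a command, a run of zero bytes, and a PE header,
# each base64-encoded and separated by non-alphabet bytes as a real file would be.
SAMPLE = (
    b"\x00\x01junk\x00"
    + base64.b64encode(b"http://c2.example/gate.php") + b"\x00"
    + b"cmd=" + base64.b64encode(b"tasklist /v") + b"\x00"
    + b"A" * 32 + b"\x00"  # valid base64 that decodes to 24 zero bytes
    + base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff")
    + b"\x00end"
)


def classify(decoded):
    """Label a decoded blob by what it most likely is."""
    if decoded.startswith(b"MZ"):
        return "pe_header"
    if decoded and all(b in PRINTABLE for b in decoded):
        if decoded.lower().startswith((b"http://", b"https://")):
            return "url"
        return "text"
    return "binary"


def extract_base64_strings(data):
    """Return a dict per token that decodes cleanly: offset, kind, decoded bytes."""
    results = []
    for m in B64_TOKEN_RE.finditer(data):
        token = m.group()
        # Restore padding the author may have stripped, then decode strictly:
        # validate=True rejects any character outside the base64 alphabet.
        token += b"=" * ((-len(token)) % 4)
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # alphabet-looking run that is not real base64
        results.append({"offset": m.start(), "kind": classify(decoded), "decoded": decoded})
    return results


if __name__ == "__main__":
    for hit in extract_base64_strings(SAMPLE):
        print(hit["offset"], hit["kind"], hit["decoded"][:40])
```

Against the constructed sample the helper surfaces the URL and the `tasklist` command as readable text, keeps the zero-byte run as `binary` rather than dropping it silently, and flags the embedded `MZ` header, which is the case worth prioritising because an encoded PE inside a dropper is exactly the hand-off to follow-on tooling the page warns about. Expect noise from long identifiers in real binaries; the printable check removes most of it.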
Groups, software, and campaigns
G0067: APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 24a449bdd6e7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 Nokki Oct 2018: Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Unit 42. Retrieved November 5, 2018.
- [2] Final1stspy (ATT&CK object description; citation: Unit 42 Nokki Oct 2018).
- [3] MITRE ATT&CK, software entry S0355 (mitre-attack S0355).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.