MITRE ATT&CK® Malware

S0381: FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]

Domain: Enterprise | ID: S0381 | Type: Malware | Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

FlawedAmmyy matters because it is a Windows remote access tool derived from leaked Ammyy Admin source code and mapped to a broad set of post-compromise behaviors: command execution, discovery, collection, persistence, C2, exfiltration, and stealth. For leaders, the decision point is not whether a single malware name is blocked, but whether Windows endpoint, identity, and network controls can expose RAT-style activity that blends remote administration, web-based C2, keylogging, screenshots, clipboard access, and file movement.

Executive priority

Treat FlawedAmmyy as a validation case for operational resilience against criminal remote access tooling. ATT&CK relationships associate it with FIN6 and TA505, both cyber criminal groups, so the relevant business questions are: can the SOC identify suspicious remote-control behavior on Windows endpoints, can incident responders determine what data or credentials may have been collected, and can audit evidence show coverage for persistence, command execution, C2, and exfiltration patterns rather than only known file indicators? This is especially material where Windows systems support payment, retail, hospitality, or other sensitive operations, but local exposure must be confirmed from environment evidence.

Technical view

The object is Windows malware with no official ATT&CK detection text, so detection engineering should pivot from the software name to its mapped techniques. Validate telemetry for PowerShell, cmd.exe, WMI, msiexec.exe, rundll32.exe, Registry Run Keys/Startup Folder, suspicious file deletion, tool transfer, local data access, user/group/system/security-software discovery, screen capture, clipboard access, keylogging-related behaviors, and C2 over web protocols with obfuscation or symmetric cryptography. IR playbooks should assume a RAT-style investigation scope: identify execution chain, persistence, operator activity, collected local data, credential exposure from input capture/keylogging, and possible exfiltration over the same C2 channel.

Likely telemetry

  • Windows endpoint process creation and command-line logging for PowerShell, Windows Command Shell, WMI, msiexec.exe, and rundll32.exe
  • Windows registry and startup folder monitoring for Run Key persistence
  • Endpoint file creation, modification, transfer, and deletion events
  • Network proxy, DNS, firewall, and EDR network connection telemetry for web-protocol C2, obfuscated traffic, encrypted/symmetric C2 patterns, and exfiltration over C2
  • Windows security and system logs showing user, local group, system, peripheral, and security software discovery activity

Detection direction

  • Build behavior-based detections around the related ATT&CK techniques rather than relying only on the malware family name, because the official object provides no detection guidance.
  • Correlate suspicious execution utilities with follow-on discovery, persistence, collection, and outbound web traffic to reduce false positives from legitimate administration tools.
  • Tune carefully for PowerShell, WMI, msiexec.exe, and rundll32.exe because they are legitimate Windows components; prioritize unusual parent-child processes, uncommon command lines, remote/network-sourced payloads, and execution followed by C2 or persistence.
  • Validate whether network monitoring can distinguish normal web traffic from anomalous C2 patterns, including obfuscated or encrypted content and unusual destinations, without assuming decryption is available.
  • Include collection-focused detections for screenshots, clipboard access, local file staging, and keylogging indicators, since these behaviors drive credential and data-loss risk.
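
The correlation idea in the "Likely telemetry" and "Detection direction" lists above, as an added example that is not part of the mirrored ATT&CK object or of Glexia's analysis: a small Python routine that treats PowerShell, cmd.exe, WMI, msiexec.exe and rundll32.exe as noise on their own and only raises a host when one of them is followed, within a time window, by Run-key persistence, discovery, or outbound web traffic from a non-browser process. The event field names (`host`, `time`, `type`, `image`, `key`, `dst_port`) and the sample records are constructed for the example and are assumptions about how an EDR or Sysmon feed would be normalised; they are not FlawedAmmyy indicators.

```python
"""Correlate Windows endpoint events into a RAT-style behaviour chain.

Added example: scores a host when a living-off-the-land execution utility is
followed, within WINDOW, by persistence, discovery or non-browser web traffic.
Event shape and sample data are constructed assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Legitimate utilities the ATT&CK mapping ties to execution/installation
# (T1059.001, T1059.003, T1047, T1218.007, T1218.011). Alone they are noise.
LOLBINS = {"powershell.exe", "cmd.exe", "wmic.exe", "msiexec.exe", "rundll32.exe"}
DISCOVERY_BINS = {"whoami.exe", "net.exe", "systeminfo.exe"}   # T1033, T1069.001, T1082
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}         # expected web-protocol talkers
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"  # T1547.001
WEB_PORTS = {80, 443, 8080}                                    # T1071.001
WINDOW = timedelta(minutes=30)


def classify(ev):
    """Map one endpoint event to the behaviour stage it evidences, or None."""
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if ev["type"] == "process":
        if image in LOLBINS:
            return "execution"
        if image in DISCOVERY_BINS:
            return "discovery"
    elif ev["type"] == "registry":
        if ev["key"].lower().startswith(RUN_KEY):
            return "persistence"
    elif ev["type"] == "network":
        # Web-port traffic is only interesting when a non-browser process sends it.
        if ev["dst_port"] in WEB_PORTS and image not in BROWSERS:
            return "c2"
    return None


def correlate(events):
    """Group classified events per host and flag hosts where an execution event
    is followed within WINDOW by at least one other stage.

    Returns {host: {"stages": sorted list, "first_seen": ISO timestamp}}.
    """
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    alerts = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, stage) in enumerate(items):
            if stage != "execution":
                continue
            chain = {stage}
            for t1, later in items[i + 1:]:
                if t1 - t0 > WINDOW:
                    break
                chain.add(later)
            if len(chain) >= 2:          # execution plus at least one follow-on stage
                alerts[host] = {"stages": sorted(chain), "first_seen": t0.isoformat()}
                break
    return alerts


# Constructed sample telemetry (not real logs): one host with a full chain, two benign hosts.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-05-01T09:00:00", "type": "process", "image": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS01", "time": "2024-05-01T09:00:05", "type": "process", "image": r"C:\Windows\System32\rundll32.exe"},
    {"host": "WS01", "time": "2024-05-01T09:00:07", "type": "process", "image": r"C:\Windows\System32\whoami.exe"},
    {"host": "WS01", "time": "2024-05-01T09:00:09", "type": "registry",
     "key": r"HKCU\SOFTWARE\microsoft\windows\currentversion\run\updater"},
    {"host": "WS01", "time": "2024-05-01T09:00:12", "type": "network",
     "image": r"C:\Users\u\AppData\Roaming\svc.exe", "dst_port": 80},
    # An administrator runs msiexec; the only web traffic is a browser an hour later.
    {"host": "WS02", "time": "2024-05-01T10:00:00", "type": "process", "image": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS02", "time": "2024-05-01T11:00:00", "type": "network",
     "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dst_port": 443},
    # Browser-only web traffic with no execution utility at all.
    {"host": "WS03", "time": "2024-05-01T10:30:00", "type": "network", "image": "msedge.exe", "dst_port": 443},
]

if __name__ == "__main__":
    for host, detail in correlate(SAMPLE_EVENTS).items():
        print(host, detail)
```

Only WS01 is raised: the chain covers execution, discovery, persistence and web-protocol traffic from an unexpected binary, which is the multi-stage pattern the bullets above ask for. WS02 shows why single utilities are tuned out, and WS03 why browser web traffic is not treated as C2 on its own. Adding screenshot, clipboard or keylogging-related stages is a matter of extending `classify` with whatever collection events the local EDR exposes.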

Mitigation priorities

  • Prioritize Windows endpoint hardening and least-privilege controls that reduce unauthorized remote execution and persistence opportunities.
  • Restrict and monitor administrative scripting and living-off-the-land binaries such as PowerShell, WMI, msiexec.exe, and rundll32.exe according to business need.
  • Harden persistence surfaces by monitoring and controlling Registry Run Keys and startup folders.
  • Strengthen egress controls and network visibility for web-protocol outbound traffic, especially from systems that should not initiate broad external connections.
  • Protect credentials by reducing interactive use of privileged accounts on exposed endpoints and investigating any evidence of input capture or keylogging as a credential-compromise event.

Analyst notes and limits

ATT&CK identifies FlawedAmmyy as a RAT first seen in early 2016 and based on leaked Ammyy Admin source code. The supplied relationships map it to many behaviors across execution, persistence, discovery, collection, command-and-control, exfiltration, and stealth. The strongest defensive value is using this object as a coverage test for RAT tradecraft on Windows endpoints and for SOC correlation across host and network telemetry.

The official ATT&CK object provides no detection text, no aliases, and no explicit malware-level tactics. The take above is limited to the supplied Windows platform, official description, external references, and relationship mappings. Local prevalence, active exploitation, specific indicators, business impact, and detection efficacy require environment-specific evidence.

Official MITRE ATT&CK definition

FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

22 rows

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | FlawedAmmyy has used `cmd` to execute commands on a compromised host. [Korean FSI TA505 2020] |
| Enterprise | T1082 | System Information Discovery | FlawedAmmyy can collect the victim's operating system and computer name during the initial infection. [Proofpoint TA505 Mar 2018] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | FlawedAmmyy can collect keyboard events. [Korean FSI TA505 2020] |
| Enterprise | T1033 | System Owner/User Discovery | FlawedAmmyy enumerates the current user during the initial infection. [Proofpoint TA505 Mar 2018] [Korean FSI TA505 2020] |
| Enterprise | T1047 | Windows Management Instrumentation | FlawedAmmyy leverages WMI to enumerate anti-virus on the victim. [Proofpoint TA505 Mar 2018] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | FlawedAmmyy has established persistence via the `HKCU\SOFTWARE\microsoft\windows\currentversion\run` registry key. [Korean FSI TA505 2020] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | FlawedAmmyy has used PowerShell to execute commands. [Korean FSI TA505 2020] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | FlawedAmmyy will attempt to detect anti-virus products during the initial infection. [Proofpoint TA505 Mar 2018] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | FlawedAmmyy has used `rundll32` for execution. [Korean FSI TA505 2020] |
| Enterprise | T1120 | Peripheral Device Discovery | FlawedAmmyy will attempt to detect if a usable smart card is currently inserted into a card reader. [Proofpoint TA505 Mar 2018] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | FlawedAmmyy has used HTTP for C2. [Proofpoint TA505 Mar 2018] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | FlawedAmmyy has sent data collected from a compromised host to its C2 servers. [Korean FSI TA505 2020] |
| Enterprise | T1113 | Screen Capture | FlawedAmmyy can capture screenshots. [Korean FSI TA505 2020] |
| Enterprise | T1105 | Ingress Tool Transfer | FlawedAmmyy can transfer files from C2. [Korean FSI TA505 2020] |
| Enterprise | T1056 | Input Capture | FlawedAmmyy can collect mouse events. [Korean FSI TA505 2020] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | FlawedAmmyy has used SEAL encryption during the initial C2 handshake. [Proofpoint TA505 Mar 2018] |
| Enterprise | T1005 | Data from Local System | FlawedAmmyy has collected information and files from a compromised machine. [Korean FSI TA505 2020] |
| Enterprise | T1115 | Clipboard Data | FlawedAmmyy can collect clipboard data. [Korean FSI TA505 2020] |
| Enterprise | T1001 | Data Obfuscation | FlawedAmmyy may obfuscate portions of the initial C2 handshake. [Proofpoint TA505 Mar 2018] |
| Enterprise | T1218.007 | Msiexec (sub-technique) | FlawedAmmyy has been installed via `msiexec.exe`. [Korean FSI TA505 2020] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | FlawedAmmyy can execute batch scripts to delete files. [Korean FSI TA505 2020] |
| Enterprise | T1069.001 | Local Groups (sub-technique) | FlawedAmmyy enumerates the privilege level of the victim during the initial infection. [Proofpoint TA505 Mar 2018] [Korean FSI TA505 2020] |

Associated objects

Groups, software, and campaigns

Group Enterprise

G0037: FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1][2]

Group Enterprise

G0092: TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

| Field | Value |
|---|---|
| ATT&CK release | 19.1 |
| Object version | 1.2 |
| Created | |
| Modified | |
| Raw hash | 3db6a32c47298507... |

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 3db6a32c4729… |
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Proofpoint TA505 Mar 2018: Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  2. [2] mitre-attack S0381.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.