S0398: HyperBro
HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]
Analyst context for executives and security teams
HyperBro matters because ATT&CK describes it as a custom in-memory Windows backdoor associated with Threat Group-3390. For leaders, the key risk is not the malware name alone, but the behaviors around it: stealth through packing/encoding, process injection, DLL abuse, web-based command-and-control, tool transfer, service execution, screen capture, and cleanup. Those behaviors test whether the organization can see malicious activity that blends into normal Windows, service, memory, and web traffic.
Executive priority
Prioritize HyperBro-related coverage as a resilience and evidence question: can the SOC prove it monitors Windows execution, suspicious service activity, process injection indicators, abnormal web command-and-control, and post-compromise collection? Because no official ATT&CK detection guidance is provided for this malware object, executives should ask for behavior-based coverage mapped to the related techniques rather than relying on malware signatures or name-based blocking.
Technical view
Validate detections around the ATT&CK relationships supplied for HyperBro: System Service Discovery, Software Packing, Encrypted/Encoded File, Process Injection, File Deletion, Web Protocols for C2, Ingress Tool Transfer, Native API use, Screen Capture, Deobfuscate/Decode Files or Information, Service Execution, and DLL abuse. Since the malware is described as in-memory and Windows-based, SOC and IR teams should confirm endpoint telemetry includes process lineage, module/DLL load context, service creation or execution events, memory-oriented EDR signals, file creation/deletion, network connections over HTTP/S-like traffic, and evidence of downloaded tools or payloads.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships
- Windows service control and service execution events
- DLL/module load telemetry and unusual library loading context
- EDR memory and process-injection behavioral alerts
- File creation, modification, deletion, encoding, and unpacking/deobfuscation evidence
Detection direction
- Use behavior-based analytics instead of relying only on HyperBro signatures, because the object identifies in-memory behavior and related obfuscation techniques.
- Correlate service discovery followed by service execution, DLL abuse, process injection, web-protocol communications, and file cleanup on Windows hosts.
- Tune carefully for administrative false positives: service queries, service execution, DLL loading, file deletion, and web traffic are common in normal operations.
- Review whether encrypted, encoded, or packed files are inspected beyond static signature matching.
- Hunt for suspicious web-protocol traffic from unusual processes or hosts, especially when paired with tool transfer or post-compromise collection behavior.
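The correlation the bullets above describe, as an added example that is not part of the mirrored ATT&CK page or Glexia's analysis: normalized endpoint events are mapped to the HyperBro technique list, administrative look-alikes (browser HTTPS, signed DLL loads) are filtered per event, and a host is flagged only when several distinct stages land inside one time window. The event `kind` labels, host names and sample records are constructed assumptions, not a real product schema.

```python
"""Correlate HyperBro-style technique stages per host inside a sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event kinds mapped to the ATT&CK techniques listed for HyperBro.
STAGE_OF = {
    "service_enum":  "T1007",      # System Service Discovery
    "service_start": "T1569.002",  # Service Execution
    "dll_sideload":  "T1574.001",  # DLL side-loading via a legitimate app
    "remote_thread": "T1055",      # Process Injection
    "https_egress":  "T1071.001",  # Web Protocols C2
    "file_delete":   "T1070.004",  # File Deletion (cleanup)
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def is_suspicious(ev):
    """Per-event noise filter: drop the administrative look-alikes the page warns about."""
    if ev["kind"] == "https_egress":
        return ev["process"].lower() not in BROWSERS  # HTTPS from a non-browser process
    if ev["kind"] == "dll_sideload":
        return not ev.get("signed_dll", True)         # unsigned DLL loaded by a signed app
    return ev["kind"] in STAGE_OF

def correlate(events, window=timedelta(hours=1), min_stages=3):
    """Return {host: [techniques]} for hosts with >= min_stages distinct stages in one window."""
    per_host = defaultdict(list)
    for ev in events:
        if is_suspicious(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), STAGE_OF[ev["kind"]]))
    hits = {}
    for host, evs in per_host.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window from each event
            stages = {tech for t, tech in evs[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits

# Constructed sample telemetry (not real logs): WS01 shows a chain, WS02 only admin noise.
SAMPLE = [
    {"host": "WS01", "ts": "2024-01-10T09:00:00", "kind": "service_enum", "process": "sc.exe"},
    {"host": "WS01", "ts": "2024-01-10T09:02:00", "kind": "dll_sideload", "process": "signedapp.exe", "signed_dll": False},
    {"host": "WS01", "ts": "2024-01-10T09:03:00", "kind": "remote_thread", "process": "svchost.exe"},
    {"host": "WS01", "ts": "2024-01-10T09:04:00", "kind": "https_egress", "process": "svchost.exe"},
    {"host": "WS01", "ts": "2024-01-10T09:10:00", "kind": "file_delete", "process": "svchost.exe"},
    {"host": "WS02", "ts": "2024-01-10T09:01:00", "kind": "https_egress", "process": "chrome.exe"},
    {"host": "WS02", "ts": "2024-01-10T09:05:00", "kind": "service_start", "process": "services.exe"},
    {"host": "WS02", "ts": "2024-01-10T15:00:00", "kind": "file_delete", "process": "explorer.exe"},
]
```

Running `correlate(SAMPLE)` flags only WS01; WS02's browser egress is filtered and its remaining two stages fall outside one window.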
Mitigation priorities
- Strengthen Windows endpoint visibility first: process, service, DLL/module, file, network, and EDR memory telemetry are central to the related behaviors.
- Reduce abuse of services and DLL loading through least privilege, application control, controlled software paths, and hardened administrative workflows where feasible.
- Improve egress monitoring and proxy logging for web-protocol command-and-control visibility.
- Maintain incident response playbooks for in-memory malware cases, including volatile evidence preservation and rapid host isolation decisions.
- Use ATT&CK technique coverage reviews to produce audit-ready evidence showing what is monitored, what is blocked, and what remains a known gap.
Analyst notes and limits
The supplied ATT&CK object has no official detection text and no object-level tactics, so this assessment is driven by the official description, the Windows platform field, the external references, and the relationships to techniques. HyperBro is associated in ATT&CK with Threat Group-3390, but local investigation should treat that as context rather than attribution.
This summary does not assert current exploitation, customer exposure, specific indicators, or guaranteed detection. The supplied fields do not provide hashes, infrastructure, detailed procedures, or official mitigations. Local telemetry quality, EDR configuration, network logging, and Windows administrative baselines are required to determine actual coverage.
HyperBro
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | HyperBro can run shellcode it injects into a newly created process. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1574.001 | DLL Sub-technique | HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload. (Citation: Unit42 Emissary Panda May 2019; Trend Micro Iron Tiger April 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | HyperBro has used HTTPS for C2 communications. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HyperBro can unpack and decrypt its payload prior to execution. (Citation: Trend Micro DRBControl February 2020; Trend Micro Iron Tiger April 2021) |
| Enterprise | T1569.002 | Service Execution Sub-technique | HyperBro has the ability to start and stop a specified service. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1007 | System Service Discovery | HyperBro can list all services and their configurations. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1113 | Screen Capture | HyperBro has the ability to take screenshots. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1027.002 | Software Packing Sub-technique | HyperBro has the ability to pack its payload. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1106 | Native API | HyperBro has the ability to run an application ( |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | HyperBro can be delivered encrypted to a compromised host. (Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | HyperBro has the ability to download additional files. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1070.004 | File Deletion Sub-technique | HyperBro has the ability to delete a specified file. (Citation: Unit42 Emissary Panda May 2019) |
Groups, software, and campaigns
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | c705720051cf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 Emissary Panda May 2019: Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- [2] Securelist LuckyMouse June 2018: Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
- [3] Hacker News LuckyMouse June 2018: Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
- [4] HyperBro (Citation: Unit42 Emissary Panda May 2019)
- [5] mitre-attack S0398
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.