S0436: TSCookie
Analyst context for executives and security teams
TSCookie is a Windows remote access tool (RAT) documented by ATT&CK as used by BlackTech, with reporting tied to campaigns against Japanese targets. Its defensive significance is not just the malware name: the linked behaviors span user-driven execution via malicious links, Windows command shell activity, network/process/file discovery, theft of saved browser credentials, tool transfer, process injection, and command-and-control over web protocols, proxies, non-application-layer protocols (ICMP), and RC4-encrypted channels. That combination makes it a useful test case for whether an organization can see post-compromise activity after initial execution, not only block a known file hash.
Executive priority
Prioritize TSCookie as a resilience and readiness question: can the organization detect and investigate a Windows RAT that blends discovery, credential theft, stealth, and encrypted or proxied C2? Leaders should ask whether SOC coverage includes endpoint and network evidence for these behaviors, whether browser-stored credentials are controlled by policy, and whether incident response can quickly determine scope when a remote access tool is found. The ATT&CK object does not provide active exploitation status or direct business impact, so prioritization should be based on local exposure, Windows endpoint criticality, regional threat relevance, and the value of affected credentials or systems.
Technical view
For SOC, detection engineering, and IR teams, validate behavior coverage around the ATT&CK relationships: T1204.001 malicious link execution, T1059.003 Windows Command Shell, T1016 network configuration discovery, T1057 process discovery, T1083 file and directory discovery, T1555.003 browser credential access, T1055 process injection, T1105 ingress tool transfer, T1071.001 web protocol C2, T1090 proxy use, T1095 non-application-layer communication, T1573.001 symmetric cryptography, and T1140 deobfuscation or decoding. Because ATT&CK provides no official detection text for TSCookie, teams should build validation from these linked techniques and from local endpoint, proxy, DNS, firewall, and EDR data rather than relying on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe activity and discovery commands
- EDR events for process injection, suspicious memory operations, and anomalous parent-child process relationships
- File system telemetry for file and directory enumeration, dropped tools, downloaded files, and decoding or deobfuscation activity
- Network telemetry for HTTP/S or other web-protocol outbound sessions, proxy use, unusual destinations, and potential encrypted C2 patterns
- Firewall, IDS/IPS, and packet metadata for non-application-layer or tunneled communications where available
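The network telemetry items above (rare destinations, C2-like periodicity) are easy to state and harder to operationalize. The following is an added example, not code from the ATT&CK object, the JPCERT reports, or this page's maintainers: a small screen over proxy log lines that flags client-to-host pairs with low inter-arrival jitter and marks whether the destination is seen from only a few clients. The log format (epoch, client, method, URL, status, bytes) is a simplified Squid-style line assumed for illustration, and every line, address and hostname in it is constructed.

```python
"""Rare-destination and beaconing screen over proxy log lines.

Added example; not from the ATT&CK object or the JPCERT reports. The log
format (epoch client method URL status bytes) is an assumed, simplified
Squid-style line, and the sample lines below are constructed.
"""
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: 10.0.0.9 polls a host no one else visits every ~60 s
# with low jitter; 10.0.0.5 and 10.0.0.7 browse a shared host irregularly.
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.5 GET http://cdn.example-news.test/index.html 200 15233
1700000011 10.0.0.5 GET http://cdn.example-news.test/a.css 200 2100
1700000018 10.0.0.7 GET http://cdn.example-news.test/index.html 200 15233
1700000060 10.0.0.9 POST http://update.host-1.test/api/ 200 212
1700000121 10.0.0.9 POST http://update.host-1.test/api/ 200 210
1700000179 10.0.0.9 POST http://update.host-1.test/api/ 200 215
1700000240 10.0.0.9 POST http://update.host-1.test/api/ 200 208
1700000300 10.0.0.9 POST http://update.host-1.test/api/ 200 211
1700000350 10.0.0.5 GET http://cdn.example-news.test/b.js 200 5000
"""


def parse_proxy_log(text):
    """Parse the assumed line format into dicts with an epoch timestamp and host."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        events.append({"ts": int(ts), "client": client, "method": method,
                       "host": urlparse(url).hostname,
                       "status": int(status), "bytes": int(size)})
    return events


def rare_destinations(events, max_clients=1):
    """Hosts contacted by at most max_clients distinct internal clients."""
    clients = defaultdict(set)
    for e in events:
        clients[e["host"]].add(e["client"])
    return {host for host, seen in clients.items() if len(seen) <= max_clients}


def beacon_candidates(events, min_sessions=4, max_cv=0.2, allowlist=frozenset()):
    """Client/host pairs whose inter-request gaps have a low coefficient of
    variation (stdev / mean). allowlist holds known legitimate pollers
    (update services, SaaS agents) to keep false positives down."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    rare = rare_destinations(events)
    findings = []
    for (client, host), times in by_pair.items():
        if host in allowlist or len(times) < min_sessions:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "sessions": len(times),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                             "rare_destination": host in rare})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f)
```

Real RATs add sleep jitter, so treat the coefficient-of-variation threshold as a tuning knob rather than a fixed cut, and pair it with the rare-destination flag and a populated allowlist before alerting.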
Detection direction
- Map detections to the linked techniques rather than only to the malware family name, since no official ATT&CK detection guidance is supplied for TSCookie.
- Correlate suspicious Windows command shell execution with nearby discovery activity, tool transfer, browser credential access, or unusual outbound network connections.
- Tune web and proxy monitoring for rare destinations, unusual user-agent or session patterns, and C2-like periodicity, while accounting for legitimate business web traffic to reduce false positives.
- Validate EDR visibility for process injection and deobfuscation behaviors, including whether sensor policy records sufficient command-line, module, memory, and file evidence.
- Hunt for chained behavior: user link interaction followed by command execution, discovery, downloaded tools, and external communications.
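The correlation and chained-behavior hunt items above are the ones most often left as prose. The following is an added example, not code from the ATT&CK object, the JPCERT reports, or this page's maintainers: it walks a per-host process tree built from simplified Sysmon-like process-create and network-connect records, groups cmd.exe launches by their parent (the candidate dropper), and counts evidence for the linked techniques: a browser or mail client in the ancestry (T1204.001 context), cmd.exe itself (T1059.003), discovery binaries or `dir` in the subtree (T1016, T1057, T1083), and an outbound connection from the same subtree within a time window. The field names, image paths, addresses and timestamps are assumptions constructed for illustration.

```python
"""Chained-behavior hunt over endpoint telemetry.

Added example; not from the ATT&CK object or the JPCERT reports. Records
use an assumed, simplified Sysmon-like shape (process create with pid/ppid,
network connect with pid/dst); all sample values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSER_OR_MAIL = {"chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "outlook.exe"}
DISCOVERY_IMAGES = {"ipconfig.exe": "T1016", "tasklist.exe": "T1057"}

# Constructed sample: WS01 shows a link-driven dropper that runs discovery
# and calls out; WS02 shows an admin running ipconfig from Explorer.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "WS01", "type": "process", "pid": 400, "ppid": 300,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe http://example.test/doc"},
    {"ts": "2024-01-10T09:00:20", "host": "WS01", "type": "process", "pid": 410, "ppid": 400,
     "image": "C:\\Users\\u\\Downloads\\doc.exe", "cmdline": "doc.exe"},
    {"ts": "2024-01-10T09:00:25", "host": "WS01", "type": "process", "pid": 420, "ppid": 410,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-01-10T09:00:26", "host": "WS01", "type": "process", "pid": 421, "ppid": 420,
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2024-01-10T09:00:30", "host": "WS01", "type": "process", "pid": 422, "ppid": 410,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-01-10T09:00:31", "host": "WS01", "type": "process", "pid": 423, "ppid": 422,
     "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist"},
    {"ts": "2024-01-10T09:01:00", "host": "WS01", "type": "network", "pid": 410,
     "image": "C:\\Users\\u\\Downloads\\doc.exe", "dst": "203.0.113.10", "dport": 443},
    {"ts": "2024-01-10T10:00:00", "host": "WS02", "type": "process", "pid": 900, "ppid": 1,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2024-01-10T10:05:00", "host": "WS02", "type": "process", "pid": 910, "ppid": 900,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2024-01-10T10:05:30", "host": "WS02", "type": "process", "pid": 911, "ppid": 910,
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig"},
]


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _descendants(children, root):
    """All pids below root (root itself excluded)."""
    seen, stack = set(), [root]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def _has_user_link_ancestor(procs, pid, max_depth=4):
    """True if pid or one of its nearest ancestors is a browser or mail client."""
    for _ in range(max_depth):
        proc = procs.get(pid)
        if proc is None:
            return False
        if _base(proc["image"]) in BROWSER_OR_MAIL:
            return True
        pid = proc["ppid"]
    return False


def hunt_chains(events, window=timedelta(minutes=10), min_evidence=3):
    """Return one finding per host/parent-of-cmd.exe with >= min_evidence items."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        procs = {e["pid"]: e for e in evs if e["type"] == "process"}
        children = defaultdict(list)
        for p in procs.values():
            children[p["ppid"]].append(p["pid"])
        # Group cmd.exe launches by parent: the parent is the candidate dropper/RAT.
        roots = defaultdict(list)
        for p in procs.values():
            if _base(p["image"]) == "cmd.exe":
                roots[p["ppid"]].append(p)
        for root_pid, cmds in roots.items():
            evidence = {"T1059.003"}
            if _has_user_link_ancestor(procs, root_pid):
                evidence.add("T1204.001")
            subtree = _descendants(children, root_pid)
            for pid in subtree:
                p = procs[pid]
                tech = DISCOVERY_IMAGES.get(_base(p["image"]))
                if tech:
                    evidence.add(tech)
                if " dir " in f" {p['cmdline'].lower()} ":
                    evidence.add("T1083")
            first_cmd = min(_ts(c) for c in cmds)
            for e in evs:
                if (e["type"] == "network" and e["pid"] in subtree | {root_pid}
                        and abs(_ts(e) - first_cmd) <= window):
                    evidence.add("outbound:" + e["dst"])
            if len(evidence) >= min_evidence:
                root = procs.get(root_pid)
                findings.append({"host": host, "root_pid": root_pid,
                                 "root_image": _base(root["image"]) if root else "unknown",
                                 "evidence": sorted(evidence)})
    return findings


if __name__ == "__main__":
    for f in hunt_chains(SAMPLE_EVENTS):
        print(f)
```

The WS02 branch is there on purpose: an administrator's cmd.exe plus ipconfig yields only two evidence items and stays below the threshold, which is the point of scoring the chain rather than alerting on cmd.exe or discovery commands alone. Process injection (T1055) is deliberately absent from the score because it needs memory-operation telemetry, not process-create records.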
Mitigation priorities
- Reduce initial execution risk through user awareness, web/email controls, and investigation workflows for malicious-link events (T1204.001), the initial execution path ATT&CK links to TSCookie.
- Harden Windows endpoints with least privilege, application control where feasible, and EDR policies that preserve process, command-line, file, and memory-related evidence.
- Limit browser-stored credential exposure through credential management policy, enterprise password management, and controls that reduce reliance on saved browser passwords.
- Control and monitor outbound traffic through authenticated proxies, egress filtering, and logging sufficient to investigate web, proxy, encrypted, or non-application-layer communications.
- Restrict unnecessary tool transfer paths and monitor downloads or file movement into sensitive Windows environments.
Analyst notes and limits
ATT&CK identifies TSCookie as a RAT used by BlackTech and notes historical reporting ambiguity with PLEAD, while more recent reporting indicates separation between the two. For defensive planning, treat TSCookie as a behavior bundle across Windows endpoint execution, discovery, credential access, stealth, and C2 techniques. The strongest local value comes from validating whether these behaviors are observable and triageable in the organization’s own telemetry.
The supplied ATT&CK object has no official detection section, no aliases, no listed tactics on the malware object itself, and only Windows is supplied as the malware platform. The relationship descriptions for techniques include broader platform lists, but they should not be interpreted as additional TSCookie platforms. This take does not establish active exploitation, current targeting, or guaranteed detection coverage; local environment evidence is required.
TSCookie
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell | TSCookie has the ability to execute shell commands on the infected host. [1] |
| Enterprise | T1057 | Process Discovery | TSCookie has the ability to list processes on the infected host. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | TSCookie has the ability to upload and download files to and from the infected host. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | TSCookie can use ICMP to receive information on the destination server. [2] |
| Enterprise | T1071.001 | Web Protocols | TSCookie can use multiple protocols, including HTTP and HTTPS, to communicate with command and control (C2) servers. [1][2] |
| Enterprise | T1055 | Process Injection | TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe (sic; Internet Explorer's binary is iexplore.exe), explorer.exe, and default browser processes. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TSCookie has the ability to decrypt, load, and execute a DLL and its resources. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers | TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers. [1] |
| Enterprise | T1083 | File and Directory Discovery | TSCookie has the ability to discover drive information on the infected host. [1] |
| Enterprise | T1090 | Proxy | TSCookie has the ability to proxy communications with command and control (C2) servers. [2] |
| Enterprise | T1573.001 | Symmetric Cryptography | TSCookie has encrypted network communications with RC4. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | TSCookie has the ability to identify the IP of the infected host. [1] |
| Enterprise | T1204.001 | Malicious Link | TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministry of Education, Culture, Sports, Science and Technology of Japan. [1] |
Groups, software, and campaigns
G0098: BlackTech
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks. [1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d9137fbf4b04… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] JPCert TSCookie March 2018: Tomonaga, S. (2018, March 6). Malware "TSCookie". Retrieved May 6, 2020.
- [2] JPCert BlackTech Malware September 2019: Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.
- [3] JPCert PLEAD Downloader June 2018: Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
- [4] mitre-attack S0436: MITRE ATT&CK software object S0436 (TSCookie).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.