S0501: PipeMon
PipeMon is a multi-stage modular backdoor used by Winnti Group.[1]
Analyst context for executives and security teams
PipeMon matters because ATT&CK describes it as a Windows multi-stage modular backdoor that its relationships tie to Winnti Group and to a broad set of persistence, stealth, discovery, privilege-escalation, and command-and-control behaviors. For leaders, the decision value is not the malware name alone; it is whether Windows monitoring can prove when a backdoor persists, hides in legitimate-looking resources, loads modules, modifies the Registry or services, and maintains alternate encrypted communications.
Executive priority
Prioritize PipeMon as a resilience and assurance test case for Windows endpoint visibility, privileged execution controls, service/registry governance, and outbound network monitoring. Because ATT&CK provides no official detection text for this malware, executives should ask for evidence-based coverage against the related techniques rather than relying on a malware signature claim.
Technical view
SOC and IR teams should validate coverage against the ATT&CK relationships: Windows service and print processor persistence, registry modification, DLL/shared module loading, DLL injection, token-based process creation, parent PID spoofing, UAC bypass, discovery of system/network/process/security software details, tool ingress, and encrypted or fallback command-and-control. Treat this as behavior-led validation: correlate endpoint, identity, registry, service-control, module-load, file-transfer, and network telemetry rather than depending on a single PipeMon indicator.
Likely telemetry
- Windows endpoint process creation and parent/child process metadata
- DLL and shared module load events, including unusual loads by service or spooler-related processes
- Windows Registry modification events, especially persistence-related keys and print processor configuration areas
- Windows service creation or modification events
- Token use, impersonation, integrity-level changes, and privileged process creation evidence where available
Detection direction
- Validate behavior detections mapped to the related techniques instead of relying on ATT&CK-provided PipeMon detection guidance, because none is supplied.
- Tune for combinations of persistence plus stealth, such as service or print processor changes followed by unusual DLL loading, registry modification, or suspicious parent process lineage.
- Review false positives from legitimate administration, software deployment, printer management, signed software, and security tooling before escalating alerts.
- Look for discovery behavior occurring near privilege-escalation or C2-like network activity, since individual discovery commands or API calls may be benign in isolation.
- Confirm visibility into encrypted and fallback outbound channels through metadata, destinations, timing, and protocol anomalies; content inspection alone may be insufficient.
Mitigation priorities
- Start with Windows hardening for least privilege, controlled administrative rights, and UAC policy review because related behaviors include privilege escalation and token-based process creation.
- Restrict and monitor service creation, registry persistence locations, and print processor changes using change control and alerting.
- Use application control, trusted signing policy, and verification of code-signing trust where feasible, while recognizing signed code can still be abused.
- Harden endpoint detection coverage for DLL injection, shared module loading, obfuscated or encoded files, and fileless storage indicators.
- Enforce egress controls and monitor outbound protocols to reduce the reliability of fallback, non-application-layer, and encrypted C2 communications.
Analyst notes and limits
The relationship context ties PipeMon to Winnti Group and to multiple ATT&CK techniques across command-and-control, discovery, execution, persistence, privilege escalation, stealth, and defense impairment. The group description notes Chinese origins, activity since at least 2010, heavy targeting of the gaming industry, and expanded targeting scope; use that as threat-intelligence context, not as proof of local exposure.
ATT&CK lists PipeMon as Windows malware but provides no official detection text, no aliases, and no malware-level tactics. This take is therefore derived from the official description, external references, and supplied relationships. Local telemetry, asset criticality, and confirmed indicators are required to determine exposure or detection coverage.
PipeMon
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1134.002 | Create Process with Token (sub-technique) | PipeMon can attempt to gain administrative privileges using token impersonation.[1] |
| Enterprise | T1082 | System Information Discovery | PipeMon can collect and send OS version and computer name as a part of its C2 beacon.[1] |
| Enterprise | T1112 | Modify Registry | PipeMon has modified the Registry to store its encrypted payload.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | PipeMon modules are stored encrypted on disk.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | PipeMon can install additional modules via C2 commands.[1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | PipeMon can inject its modules into various processes using reflective DLL loading.[1] |
| Enterprise | T1547.012 | Print Processors (sub-technique) | |
| Enterprise | T1095 | Non-Application Layer Protocol | The PipeMon communication module can use a custom protocol based on TLS over TCP.[1] |
| Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | PipeMon installer can use UAC bypass techniques to install the payload.[1] |
| Enterprise | T1057 | Process Discovery | PipeMon can iterate over the running processes to find a suitable injection target.[1] |
| Enterprise | T1124 | System Time Discovery | PipeMon can send time zone information from a compromised host to C2.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | PipeMon communications are RC4 encrypted.[1] |
| Enterprise | T1134.004 | Parent PID Spoofing (sub-technique) | PipeMon can use parent PID spoofing to elevate privileges.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PipeMon can decrypt password-protected executables.[1] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1027.011 | Fileless Storage (sub-technique) | PipeMon has stored its encrypted payload in the Registry under `HKLM\SOFTWARE\Microsoft\Print\Components\`.[1] |
| Enterprise | T1543.003 | Windows Service (sub-technique) | PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.[1] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | PipeMon, its installer, and tools are signed with stolen code-signing certificates.[1] |
| Enterprise | T1008 | Fallback Channels | PipeMon can switch to an alternate C2 domain when a particular date has been reached.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.[1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | PipeMon can check for the presence of ESET and Kaspersky security software.[1] |
| Enterprise | T1129 | Shared Modules | |
Groups, software, and campaigns
G0044: Winnti Group
Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.[1][2][3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.[4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | bb2e04cf330d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET PipeMon May 2020: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
[2] mitre-attack S0501 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.