MITRE ATT&CK® Malware

S0547: DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[1]

Enterprise | S0547 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DropBook is a Windows malware entry in ATT&CK described as a Python-based backdoor compiled with PyInstaller. Its ATT&CK relationships make it material because the behavior is not just “malware on an endpoint”: it combines command execution, host discovery, file discovery, tool transfer, use of legitimate web services for command-and-control, and potential exfiltration over web services. For leaders, the practical issue is whether the organization can distinguish normal cloud/web-service traffic and scripting activity from suspicious backdoor behavior on Windows systems.

Executive priority

Prioritize DropBook as a validation case for Windows endpoint visibility, egress governance, and SOC readiness around legitimate web services being used as adversary infrastructure. Because ATT&CK lists no official detection text for this malware, executives should ask whether detection coverage is based on resilient behaviors such as command shell use, Python/PyInstaller-like execution, discovery activity, inbound tool transfer, and unusual web-service communications—not just malware names or static indicators. This is also relevant to audit and incident response evidence: teams need proof that endpoint, process, file, and network telemetry can reconstruct what a suspicious Windows host executed, discovered, downloaded, and sent externally.

Technical view

SOC and IR teams should validate behavior-level coverage for the related ATT&CK techniques: Windows Command Shell execution, Python execution, system and language discovery, file and directory discovery, deobfuscation or decoding activity, ingress tool transfer, web-service-based command-and-control, and exfiltration over web services. The object is Windows-platform malware, but several related techniques span other platforms; use the Windows scope for DropBook-specific validation unless local evidence expands the investigation. Detection engineering should focus on correlated sequences: an unusual executable or Python/PyInstaller-like artifact launching command shell activity, collecting host or file-system information, decoding content, transferring additional files, and communicating with legitimate external web services in a way that is unusual for the host, user, or business process.

Likely telemetry

  • Windows endpoint process creation telemetry, including parent-child process relationships and command-line arguments
  • File creation, modification, and execution evidence for suspicious executables, scripts, decoded content, or transferred tools
  • Endpoint telemetry showing system information, language, file, and directory discovery activity
  • Network connection logs, proxy logs, DNS logs, and TLS metadata for outbound web-service communications
  • Web gateway or firewall logs showing allowed traffic to common external web services

Detection direction

  • Validate behavior-based detections rather than relying only on the DropBook name, because the supplied ATT&CK object provides no official detection guidance.
  • Tune for suspicious chains of execution and discovery: unusual process execution followed by cmd activity, system information collection, language checks, and file or directory enumeration.
  • Review outbound communications to legitimate web services for host-level anomalies, especially from systems or users that do not normally interact with those services in that manner.
  • Correlate ingress tool transfer with later execution; downloaded files that are quickly executed or decoded should be treated as higher priority than isolated downloads.
  • Account for false positives from administrators, developers, automation, and legitimate Python usage; prioritize unexpected execution context, rare hosts, unusual parent processes, and web-service destinations inconsistent with business use.
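The correlated chain described in the technical view and the detection direction above, as an added example that is not code from this page, MITRE or Glexia: a small Python correlator that joins constructed process-creation and network events per host and alerts only when an unusual executable is followed by command shell use, discovery commands and a connection to one of the web services named in the relationship table. The event schema, the sample events, the user-writable-path heuristic and the discovery regexes are assumptions for illustration.

```python
"""Correlate endpoint telemetry into a DropBook-style behaviour chain:
unusual executable -> cmd.exe -> discovery -> legitimate web service.
Event schema and sample events are constructed for this example."""
import re
from collections import defaultdict

# Web services the page lists as DropBook C2/exfiltration channels (T1102/T1567).
WEB_SERVICES = ("dropbox", "simplenote", "facebook")
# Discovery command patterns mapped to the techniques in the relationship table.
DISCOVERY = {
    "T1082": re.compile(r"\b(systeminfo|ver|hostname|wmic\s+os)\b", re.I),
    "T1614.001": re.compile(r"(uiculture|International|LocaleName)", re.I),
    "T1083": re.compile(r"\bdir\b.*program files", re.I),
}
# Assumption: a binary run from a user-writable path is the "unusual executable".
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads)\\", re.I)
WINDOW = 600  # seconds after the unusual executable in which stages still correlate

# Constructed sample telemetry: (ts, host, kind, actor, target, detail).
# proc: actor = parent image, target = child image, detail = command line.
# net:  actor = connecting process, target = destination host.
SAMPLE_EVENTS = [
    (100, "ws01", "proc", "explorer.exe", r"C:\Users\a\AppData\Local\Temp\update.exe", ""),
    (101, "ws01", "proc", "update.exe", "cmd.exe", "/c systeminfo"),
    (102, "ws01", "proc", "update.exe", "cmd.exe", r'/c reg query "HKCU\Control Panel\International" /v LocaleName'),
    (103, "ws01", "proc", "update.exe", "cmd.exe", r'/c dir "C:\Program Files"'),
    (110, "ws01", "net", "update.exe", "api.dropboxapi.com", ""),
    (200, "ws02", "proc", "explorer.exe", r"C:\Python39\python.exe", "build.py"),  # developer
    (201, "ws02", "net", "chrome.exe", "www.facebook.com", ""),                    # browsing
    (300, "ws03", "proc", "explorer.exe", r"C:\Users\a\Downloads\setup.exe", ""),  # installer
    (301, "ws03", "proc", "setup.exe", "cmd.exe", "/c ver"),                       # no web service
]


def correlate(events):
    """Return {host: sorted stages} for hosts where an unusual executable, a web
    service contact and at least one more stage occur inside WINDOW."""
    chains = defaultdict(lambda: {"stages": set(), "first": None})
    suspicious = {}  # host -> basename of the unusual executable (real data: full path)
    for ts, host, kind, actor, target, detail in sorted(events):
        c = chains[host]
        if c["first"] is not None and ts - c["first"] > WINDOW:
            continue  # outside the correlation window
        if kind == "proc" and USER_WRITABLE.search(target):
            suspicious[host] = target.rsplit("\\", 1)[-1].lower()
            c["stages"].add("unusual_exec")
            if c["first"] is None:
                c["first"] = ts
            continue
        if actor.lower() != suspicious.get(host):
            continue  # only children/connections of the suspicious process count
        if kind == "proc" and target.lower() == "cmd.exe":
            c["stages"].add("T1059.003")
            c["stages"].update(t for t, rx in DISCOVERY.items() if rx.search(detail))
        elif kind == "net" and any(s in target.lower() for s in WEB_SERVICES):
            c["stages"].add("T1102")
    return {h: sorted(c["stages"]) for h, c in chains.items()
            if {"unusual_exec", "T1102"} <= c["stages"] and len(c["stages"]) >= 3}
```

Only ws01 is reported: ws02's developer Python use and browser traffic never descend from an unusual executable, and ws03's installer spawns cmd.exe but contacts no web service, which is the false-positive pressure the last bullet above warns about.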

Mitigation priorities

  • Establish or validate Windows endpoint logging and EDR coverage for process, file, command-line, and network activity before depending on detections.
  • Apply least-privilege and application control principles to reduce unnecessary command shell, scripting, and unapproved executable use on Windows systems.
  • Implement egress governance for external web services, including proxy visibility and business-justified allowlisting where feasible.
  • Harden monitoring for tool transfer and decoded or staged content, especially when followed by execution.
  • Prepare IR playbooks to collect endpoint process history, transferred files, discovery commands, and web-service communication evidence from suspected Windows hosts.
Analyst notes and limits

ATT&CK identifies DropBook as a Python-based backdoor compiled with PyInstaller and relates it to Molerats and multiple techniques covering execution, discovery, command-and-control, ingress transfer, deobfuscation, and exfiltration over web services. The most defensible Glexia interpretation is to use DropBook as a behavior-driven coverage test for Windows backdoor tradecraft involving legitimate web services, not as a standalone indicator-driven detection case.

The supplied ATT&CK object has no official detection text, no aliases, no labels, and no specified tactics on the malware object itself. The assessment cannot claim active exploitation, customer exposure, guaranteed detection, or attribution in a specific incident. Local telemetry, asset roles, user behavior baselines, and approved web-service usage are required to determine whether observed activity is suspicious.

Official MITRE ATT&CK definition

DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1059.006 | Python (sub-technique)
  DropBook is a Python-based backdoor compiled with PyInstaller. (Citation: Cybereason Molerats Dec 2020)

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  DropBook can execute arbitrary shell commands on the victims' machines. (Citation: Cybereason Molerats Dec 2020) (Citation: BleepingComputer Molerats Dec 2020)

Enterprise | T1083 | File and Directory Discovery
  DropBook can collect the names of all files and folders in the Program Files directories. (Citation: Cybereason Molerats Dec 2020) (Citation: BleepingComputer Molerats Dec 2020)

Enterprise | T1102 | Web Service
  DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions. (Citation: Cybereason Molerats Dec 2020) (Citation: BleepingComputer Molerats Dec 2020)

Enterprise | T1567 | Exfiltration Over Web Service
  DropBook has used legitimate web services to exfiltrate data. (Citation: BleepingComputer Molerats Dec 2020)

Enterprise | T1105 | Ingress Tool Transfer
  DropBook can download and execute additional files. (Citation: Cybereason Molerats Dec 2020) (Citation: BleepingComputer Molerats Dec 2020)

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules. (Citation: Cybereason Molerats Dec 2020)

Enterprise | T1614.001 | System Language Discovery (sub-technique)
  DropBook has checked for the presence of Arabic language in the infected machine's settings. (Citation: BleepingComputer Molerats Dec 2020)

Enterprise | T1082 | System Information Discovery
  DropBook has checked for the presence of Arabic language in the infected machine's settings. (Citation: Cybereason Molerats Dec 2020)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0021: Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 40d9b84b23157821...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 40d9b84b2315…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cybereason Molerats Dec 2020: Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  2. [2] BleepingComputer Molerats Dec 2020: Ilascu, I. (2020, December 14). Hacking group's new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  3. [3] DropBook: (Citation: Cybereason Molerats Dec 2020) (Citation: BleepingComputer Molerats Dec 2020)
  4. [4] mitre-attack S0547
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.