S0564: BlackMould
BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[1]
Analyst context for executives and security teams
BlackMould matters because it is a web shell on Microsoft IIS: once planted, the compromised server becomes an interactive control point for command execution, file discovery, local data collection, and tool transfer, all carried over normal-looking HTTP/S traffic. For leaders, the key issue is not the malware name but whether internet-facing IIS systems are monitored well enough to distinguish legitimate web activity from post-compromise operator activity.
Executive priority
Prioritize this as an exposed-server resilience and incident-readiness concern, especially for organizations operating telecommunications, financial, or government services noted in the related GALLIUM context. Leaders should ask whether IIS assets are inventoried, hardened, logged, and covered by response playbooks that can quickly validate web shell presence, command execution, data access, and follow-on tool transfer. ATT&CK does not specify an initial access method here, so prioritization should focus on exposed IIS risk, logging gaps, and containment readiness rather than a single vulnerability assumption.
Technical view
BlackMould is described as a China Chopper-based web shell for Microsoft IIS on Windows. The supplied relationships map it to Windows Command Shell, Web Protocols, File and Directory Discovery, Data from Local System, Ingress Tool Transfer, and Local Storage Discovery. SOC and IR teams should validate whether IIS telemetry can be correlated with Windows process creation, command-line activity, file-system changes in web-accessible paths, unusual local discovery activity, and inbound or outbound HTTP/S sessions associated with server-side execution.
Likely telemetry
- IIS web server access logs and error logs
- HTTP/S proxy, network, and egress telemetry for web server traffic
- Windows process creation and command-line telemetry, especially command shell activity whose parent is the IIS worker process (w3wp.exe spawning cmd.exe)
- File creation, modification, and permission-change events on IIS web content directories
- Endpoint detection or host audit logs showing file and directory enumeration
Detection direction
- Validate that IIS requests can be tied to downstream host behavior such as command shell execution, file discovery, local data access, or tool transfer.
- Tune for suspicious web-to-command execution patterns (the IIS worker process spawning cmd.exe or other interpreters shortly after an inbound request) while allowlisting legitimate administrative scripts or maintenance tooling that may run on IIS servers.
- Review web-accessible directories for unexpected executable script files or recent modifications, but avoid relying only on filename or hash indicators.
- Correlate web protocol traffic with abnormal server behavior rather than treating HTTP/S as benign because it uses expected ports.
- Use the GALLIUM relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
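The correlation the list above calls for, as an added example that is not part of the original page and not MITRE or Microsoft tooling: it parses IIS W3C access-log lines (honouring the `#Fields:` directive), pairs POST requests to script files with process-creation events where w3wp.exe spawns a shell inside a short window, skips an allowlist of known maintenance commands, and separately reports worker-process shell children that have no request at all (a logging gap or buffered log worth chasing). The log excerpt, events, paths and allowlist are constructed sample data; in production the same logic would read the IIS log files and Security 4688 or Sysmon event 1 records.

```python
"""Correlate IIS W3C access-log lines with Windows process-creation events.

Added example for this page, not MITRE or Microsoft code. Inputs below are
constructed: a W3C log excerpt with the default IIS field set and simplified
process-creation records (timestamp, parent image, image, command line).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IIS W3C access-log excerpt (UTC timestamps, default fields).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-12-10 08:15:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 120
2019-12-10 08:15:07 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 198.51.100.7 Mozilla/4.0 - 200 0 0 310
2019-12-10 08:16:40 10.0.0.5 POST /api/upload.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 45
"""


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (what Security 4688 / Sysmon 1 carry)."""
    ts: datetime
    parent_image: str
    image: str
    command_line: str


# Constructed process-creation events on the same host.
PROC_EVENTS = [
    ProcEvent(datetime(2019, 12, 10, 8, 15, 8), r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "cd /d C:\\inetpub\\wwwroot&whoami&dir"'),
    ProcEvent(datetime(2019, 12, 10, 8, 20, 0), r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "ipconfig /all"'),  # no request logged
    ProcEvent(datetime(2019, 12, 10, 8, 30, 0), r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\scripts\\rotate-cache.ps1"),  # allowlisted maintenance
]

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php")
SHELL_IMAGES = ("cmd.exe", "powershell.exe")
IIS_WORKER = "w3wp.exe"
WINDOW = timedelta(seconds=5)
# Constructed allowlist of maintenance tooling known to run under the worker process.
ALLOWED_COMMAND_PREFIXES = ("powershell.exe -File C:\\scripts\\rotate-cache.ps1",)


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        rows.append(dict(zip(fields, values)))
    return rows


def request_time(row: dict[str, str]) -> datetime:
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")


def is_worker_shell_child(ev: ProcEvent) -> bool:
    """True for a shell spawned by w3wp.exe that is not on the maintenance allowlist."""
    return (ev.parent_image.lower().endswith(IIS_WORKER)
            and ev.image.lower().endswith(SHELL_IMAGES)
            and not ev.command_line.startswith(ALLOWED_COMMAND_PREFIXES))


def correlate(log_text: str, events: list[ProcEvent], window: timedelta = WINDOW) -> list[dict]:
    """Pair POSTs to script files with worker-spawned shells inside the window."""
    hits = []
    for row in parse_w3c(log_text):
        if row["cs-method"] != "POST" or not row["cs-uri-stem"].lower().endswith(SCRIPT_EXTENSIONS):
            continue
        t0 = request_time(row)
        for ev in events:
            if is_worker_shell_child(ev) and t0 <= ev.ts <= t0 + window:
                hits.append({"request_ts": t0, "uri": row["cs-uri-stem"], "client_ip": row["c-ip"],
                             "proc_ts": ev.ts, "command_line": ev.command_line})
    return hits


def unmatched_worker_children(log_text: str, events: list[ProcEvent],
                              window: timedelta = WINDOW) -> list[ProcEvent]:
    """Worker-spawned shells with no request of any kind logged in the preceding window."""
    times = [request_time(r) for r in parse_w3c(log_text)]
    return [ev for ev in events if is_worker_shell_child(ev)
            and not any(t0 <= ev.ts <= t0 + window for t0 in times)]


if __name__ == "__main__":
    for hit in correlate(IIS_LOG, PROC_EVENTS):
        print("web-to-shell:", hit)
    for ev in unmatched_worker_children(IIS_LOG, PROC_EVENTS):
        print("shell child without request (log gap?):", ev)
```

The five-second window and the allowlist are tuning knobs: widen the window on busy servers with delayed log flushing, and keep the allowlist to exact command prefixes so a path traversal or extra argument still surfaces.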
Mitigation priorities
- Inventory and classify Microsoft IIS servers, with priority on internet-facing and business-critical systems.
- Harden IIS and Windows server configurations, including least-privilege service accounts and restricted write/execute permissions in web content paths.
- Maintain patching and exposure management for IIS and supporting applications, while recognizing this ATT&CK object does not specify the initial access vector.
- Enable and retain IIS, endpoint, process, command-line, file-integrity, and network telemetry needed for web shell investigations.
- Prepare IR procedures for isolating affected web servers, preserving web logs and host evidence, and checking for local discovery, data access, and transferred tools.
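The web-content review in the detection list and the file-integrity telemetry above rely on a trusted baseline rather than known-bad hashes, so that a dropped script stands out as "not in the baseline" regardless of its name or hash. The following is an added example that is not part of the original page and not MITRE or Microsoft code: it builds a manifest of script and config files under a web root, saves it, and diffs a later scan against it. The web root is a constructed temporary tree; the extension set and manifest format are assumptions, not IIS conventions.

```python
"""Baseline-and-diff review of script files under an IIS web root.

Added example for this page, not MITRE or Microsoft code. The web root used
in demo() is a constructed temporary directory; extensions and the manifest
layout are assumptions chosen for illustration.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Server-side executable content and config that should only change via deployment (assumed set).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".config"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Map each script/config file (relative POSIX path) to its size and SHA-256."""
    manifest: dict[str, dict] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
    return manifest


def save_manifest(manifest: dict[str, dict], path: Path) -> None:
    # Store the baseline off-host or read-only: a shell operator with write access
    # to the web root can otherwise simply re-baseline.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, dict]:
    return json.loads(path.read_text())


def diff_manifests(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Report files added, removed, or whose content hash changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k]["sha256"] != current[k]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small web root, then drop one script and edit one page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "aspnet_client").mkdir(parents=True)
        (root / "index.aspx").write_text("<%@ Page Language=\"C#\" %>hello")
        (root / "web.config").write_text("<configuration/>")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not tracked: not executable content

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated post-compromise changes.
        (root / "aspnet_client" / "help.aspx").write_text("<%@ Page %>dropped")
        (root / "index.aspx").write_text("<%@ Page Language=\"C#\" %>hello-edited")

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the scan from a scheduled task or your EDR's file-integrity feature, and treat any entry in `added` or `modified` outside a change window as an incident trigger; the baseline itself should be refreshed only as part of a deployment.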
Analyst notes and limits
The most useful defensive framing is correlation: a web shell becomes material when web requests lead to command execution, local enumeration, data access, or tool movement. Detection engineering should therefore test end-to-end visibility from IIS request to host process and file activity.
MITRE provides no official detection text, no tactics directly on the malware object, and no aliases. The object's platform field lists Windows and its description names Microsoft IIS, while several related techniques carry broader platform lists; local scoping should center on IIS/Windows unless other environment evidence exists. The GALLIUM relationship is historical context and should not be treated as attribution without incident-specific evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | BlackMould can enumerate local drives on a compromised host. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique of T1059) | BlackMould can run cmd.exe with parameters. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique of T1071) | BlackMould can send commands to C2 in the body of HTTP POST requests. [1] |
| Enterprise | T1005 | Data from Local System | BlackMould can copy files on a compromised host. [1] |
| Enterprise | T1083 | File and Directory Discovery | BlackMould has the ability to find files on the targeted system. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | BlackMould has the ability to download files to the victim's machine. [1] |
Groups, software, and campaigns
G0093: GALLIUM
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f2b6001ab5f5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
[2] MITRE ATT&CK. S0564: BlackMould.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.