S0585: Kerrdown
Analyst context for executives and security teams
Kerrdown matters because it is a custom Windows downloader that ATT&CK associates with APT32 and that is designed to install spyware from a server on the victim’s network. For leaders, the key issue is not just the malware name; it is whether phishing, user execution, internal staging, obfuscated payloads, and DLL/VB-based execution would be visible quickly enough to contain an intrusion before follow-on spyware is installed.
Executive priority
Prioritize validation of phishing resilience, Windows endpoint visibility, and internal network staging controls. This object connects initial-access behaviors such as spearphishing links and attachments with execution, obfuscation, tool transfer, and discovery behaviors, making it relevant to incident readiness, audit evidence for email/endpoint controls, and business continuity where targeted Windows users or sensitive internal servers could become part of the intrusion chain.
Technical view
ATT&CK does not provide a Kerrdown-specific detection section, so SOC and IR teams should validate coverage around the related behaviors: spearphishing attachments and links, user execution of malicious files or links, Visual Basic execution, DLL abuse, encoded or compressed payloads, deobfuscation/decoding activity, system information discovery, and ingress tool transfer. Because the official description says Kerrdown installs spyware from a server on the victim network, defenders should also examine whether internal web/file servers, shared infrastructure, or compromised hosts could be used as staging points and whether endpoint-to-internal-server download patterns are logged and investigated.
Likely telemetry
- Email security logs for targeted attachments, URLs, delivery metadata, and user click/open events
- Windows endpoint process creation, parent-child process relationships, command-line metadata, and script or Visual Basic execution evidence
- File creation and modification events for downloaded, compressed, encoded, decoded, or newly dropped payloads
- DLL load events and application execution context relevant to DLL abuse or side-loading patterns
- Web proxy, DNS, firewall, and internal network flow logs showing downloads from external or internal servers
Detection direction
- Correlate email delivery or link-click events with subsequent Windows process execution, file writes, DLL loads, and network downloads rather than treating each event in isolation.
- Tune for suspicious Visual Basic execution and user-launched files, while accounting for legitimate business scripts, installers, and administrative automation.
- Look for encoded, encrypted, compressed, or decoded artifacts that lead to execution or tool transfer; compression and encoding are common, so prioritize sequences tied to unusual users, paths, or network destinations.
- Validate monitoring for ingress tool transfer from both external systems and internal victim-network servers, since the official description highlights installation from a server on the victim network.
- Review DLL abuse detections for application context, unsigned or unusual DLL locations, and abnormal load paths, while managing false positives from legitimate software updates.
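The chain-based correlation described above, as an added example that is not part of this page or of MITRE's content: it walks constructed sample events (hosts, IPs, paths and the event field layout are all assumptions) through the ordered stages phishing click, Visual Basic execution, download from a private-range server, DLL load from a user-writable path, and only reports hosts where enough stages line up inside one time window, so a lone business script with an internal download is not flagged.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (timestamp, host, source, detail); not real data.
EVENTS = [
    ("2024-03-01T09:00:00", "WS-17", "email", "link clicked in inbound message"),
    ("2024-03-01T09:00:45", "WS-17", "process", "wscript.exe C:\\Users\\a\\Downloads\\invoice.vbs"),
    ("2024-03-01T09:01:10", "WS-17", "netflow", "GET 10.20.30.40:80 /files/update.bin"),
    ("2024-03-01T09:01:30", "WS-17", "dll_load", "C:\\Users\\a\\AppData\\Local\\Temp\\helper.dll"),
    ("2024-03-01T11:00:00", "WS-22", "process", "wscript.exe C:\\Scripts\\inventory.vbs"),
    ("2024-03-01T11:02:00", "WS-22", "netflow", "GET 10.20.30.5:443 /inventory/report"),
]

def _vb_exec(src, detail):  # wscript/cscript launching a .vbs file
    return src == "process" and "script.exe" in detail.lower() and ".vbs" in detail.lower()
def _internal_download(src, detail):  # assumed detail layout "GET <ip>:<port> <path>"; private IP = victim-network server
    return src == "netflow" and ipaddress.ip_address(detail.split()[1].split(":")[0]).is_private
def _dll_user_path(src, detail):  # DLL loaded from a user-writable location
    return src == "dll_load" and any(p in detail.lower() for p in ("\\appdata\\", "\\downloads\\"))
# Chain stages in the order they unfold; each match must follow the previous one.
STAGES = [
    ("phish", lambda src, _: src == "email"),
    ("vb_exec", _vb_exec),
    ("internal_dl", _internal_download),
    ("dll_user_path", _dll_user_path),
]

def match_chain(host_events, window=timedelta(minutes=15)):
    """Stage names matched on one host, in order, all within `window` of the first match."""
    events = sorted(host_events)
    matched, last, start = [], None, None
    for name, pred in STAGES:
        for ts, src, detail in events:
            if (last is not None and ts <= last) or (start is not None and ts - start > window):
                continue
            if pred(src, detail):
                matched.append(name)
                last, start = ts, start or ts
                break
    return matched

def find_chains(events, min_stages=3):
    """Group raw events by host; report hosts whose chain reaches min_stages."""
    by_host = defaultdict(list)
    for ts, host, src, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), src, detail))
    chains = {h: match_chain(e) for h, e in by_host.items()}
    return {h: m for h, m in chains.items() if len(m) >= min_stages}
```

With the sample data, only WS-17 reaches the three-stage threshold; WS-22 matches two stages and stays below it, which is the tuning margin for legitimate automation the list above asks for.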
Mitigation priorities
- Strengthen email attachment and URL controls, including detonation or inspection where available, because related initial-access techniques include spearphishing attachments and links.
- Reduce user-execution risk through security awareness, attachment handling controls, and restrictions on risky file types where business processes allow.
- Harden Windows endpoints with application control, script controls, and monitoring for Visual Basic and DLL abuse patterns.
- Ensure endpoint and network logging can reconstruct payload download, decoding/decompression, and execution chains.
- Limit the ability of compromised internal servers or hosts to stage payloads through segmentation, least privilege, server hardening, and review of unusual hosted files.
Analyst notes and limits
Kerrdown is documented by MITRE as a custom downloader used by APT32 since at least 2018 to install spyware from a server on the victim’s network. The most useful defensive framing is chain-based: phishing or user execution leading to obfuscated/compressed content, deobfuscation, DLL or VB-related execution, system discovery, and tool transfer. Local evidence is required before making attribution or impact judgments.
MITRE provides no official detection text for this object, no aliases, and no object-level tactics. The available assessment is based on the official description, external references, Windows platform field, and listed ATT&CK relationships. No active exploitation, customer exposure, guaranteed detection coverage, or specific indicators are established by the supplied fields.
Kerrdown
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Kerrdown has been distributed via e-mails containing a malicious link.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Kerrdown can use a VBS base64 decoder function published by Motobit.[2] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Kerrdown has been distributed through malicious e-mail attachments.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[2] |
| Enterprise | T1082 | System Information Discovery | Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.[2] |
| Enterprise | T1574.001 | DLL Sub-technique | Kerrdown can use DLL side-loading to load malicious DLLs.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Kerrdown can download specific payloads to a compromised host based on OS architecture.[2] |
| Enterprise | T1027.015 | Compression Sub-technique | Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.[2] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Kerrdown has gained execution through victims opening malicious files.[1][2] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Kerrdown has gained execution through victims opening malicious links.[1] |
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 1436b8e38a6c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Amnesty Intl. Ocean Lotus February 2021: Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
- [2] Unit 42 KerrDown February 2019: Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
- [3] mitre-attack S0585
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.