MITRE ATT&CK® Malware

S0624: Ecipekac

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[1]

Domain: Enterprise | ID: S0624 | Type: Malware | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Ecipekac matters because it is described by ATT&CK as a Windows multi-layer loader used to deliver other malware, including P8RAT, SodaMaster, and FYAnti. For leaders, the risk is less about a single named file and more about whether the organization can spot and contain loader behavior before follow-on tools are introduced.

Executive priority

Prioritize this as a validation point for endpoint visibility, egress monitoring, code-signing trust controls, and incident response readiness on Windows systems. Because ATT&CK provides no dedicated detection guidance for Ecipekac, executives should ask whether the SOC can detect the related behaviors: obfuscated payloads, deobfuscation, tool transfer from external sources, suspicious code signing, and DLL abuse. This is also useful compliance evidence for demonstrating malware defense, logging, and response capability rather than relying only on signature-based detection.

Technical view

ATT&CK identifies Ecipekac as Windows malware and relates it to Obfuscated Files or Information, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Code Signing, and DLL abuse. SOC and IR teams should validate behavior-based coverage around Windows loaders: unexpected file drops or downloads, encoded or packed content, runtime decoding activity, suspicious DLL load patterns, and signed binaries whose trust chain, publisher, path, or execution context is unusual. Relationship context also links Ecipekac to menuPass and to loading P8RAT, SodaMaster, and FYAnti, so investigations should treat suspected loader activity as a potential precursor to additional malware staging.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • File creation, modification, and quarantine events on Windows hosts
  • Module and DLL load telemetry, including unusual load paths or side-loading patterns
  • Network egress, proxy, firewall, and DNS logs showing external file retrieval or command-and-control-adjacent transfer behavior
  • Code-signing certificate metadata, publisher information, trust-chain status, and signature validation results

Detection direction

  • Do not depend on the malware name alone; ATT&CK does not provide official detection logic for this object.
  • Tune detections around the related techniques: obfuscated files, local decoding/deobfuscation, ingress transfer of tools, suspicious code signing, and DLL abuse on Windows.
  • Correlate suspicious signed binaries with unusual execution paths, new file arrival, network retrieval, and abnormal child processes to reduce false positives from legitimate signed software.
  • Review DLL side-loading and search-order abuse detections carefully because legitimate applications frequently load DLLs; prioritize unusual directories, newly written DLLs, and uncommon parent processes.
  • Use relationship-driven context during triage: suspected Ecipekac-like loader behavior should trigger searches for follow-on payload activity associated in ATT&CK with P8RAT, SodaMaster, and FYAnti, without assuming those tools are present.
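The DLL-abuse and signed-binary points above, as an added Python example that is not part of the ATT&CK object or Glexia's analysis: it scores constructed Sysmon image-load records and flags a DLL loaded from a user-writable path, a System32 DLL name loaded from elsewhere, and a loader process running outside a normal install location, while a valid signature is noted for verification rather than trusted. The file paths, DLL names and score weights are assumptions for illustration; policytool.exe is the application named in the relationship table.

```python
import re

# Constructed Sysmon Event ID 7 (Image loaded) style records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jre\bin\policytool.exe",           # 1: normal install location
     "ImageLoaded": r"C:\Program Files\Java\jre\bin\jli.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\jdk\policytool.exe",  # 2: legitimate EXE copied to temp
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\jdk\version.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",                        # 3: system DLL from System32
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\notepad.exe",                        # 4: unsigned DLL from ProgramData
     "ImageLoaded": r"C:\ProgramData\updater\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Paths a standard user can write to; staged loaders tend to live here (assumed list, extend per estate).
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
# DLL names that legitimately live in System32; the same name loaded from elsewhere is a search-order hijack signal.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll"}


def score_image_load(ev):
    """Score one image-load event; higher is more suspicious. Returns (score, reasons)."""
    dll, proc = ev["ImageLoaded"], ev["Image"]
    name = dll.rsplit("\\", 1)[-1].lower()
    score, reasons = 0, []
    if USER_WRITABLE.match(dll):
        score += 3
        reasons.append("DLL loaded from user-writable path")
    if name in SYSTEM_DLL_NAMES and not SYSTEM_DIR.match(dll):
        score += 3
        reasons.append("system DLL name loaded outside System32 (search-order hijack / side-load)")
    if USER_WRITABLE.match(proc):
        score += 2
        reasons.append("loading process itself runs from user-writable path")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        score += 1
        reasons.append("DLL unsigned or signature not valid")
    elif reasons:
        reasons.append("valid signature present; verify publisher, path and file age before trusting")
    return score, reasons


def triage(events, threshold=3):
    """Return (score, process, dll, reasons) for events at or above threshold, most suspicious first."""
    hits = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            hits.append((score, ev["Image"], ev["ImageLoaded"], reasons))
    return sorted(hits, key=lambda h: -h[0])
```

Running `triage(SAMPLE_EVENTS)` flags only records 2 and 4; record 2 scores highest even though its DLL carries a valid signature, which is the point of the code-signing caveat above.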

Mitigation priorities

  • Ensure Windows endpoint logging and EDR collection are sufficient to reconstruct process, file, network, module-load, and code-signing activity.
  • Harden application control and execution policies so unapproved binaries and DLLs are constrained, especially from user-writable or temporary paths.
  • Validate code-signing trust decisions; signed software should still be monitored when publisher, location, age, or behavior is anomalous.
  • Restrict unnecessary outbound transfer paths and monitor external file retrieval from endpoints and servers.
  • Prepare IR playbooks for loader findings that include containment, collection of staged files, memory/module review, and hunting for second-stage malware.

Analyst notes and limits

The most defensible Glexia takeaway is behavioral: Ecipekac is a loader, so defensive value comes from proving the organization can identify staging, decoding, DLL abuse, and suspicious trust abuse before additional payloads are executed. The supplied ATT&CK relationship to menuPass is relevant for threat intelligence context, but local detection and response should remain evidence-led.

ATT&CK provides no official detection text, no explicit tactics on the malware object, and no aliases in the supplied fields. The object is limited to the Windows platform, while some related technique platform lists are broader; this take therefore centers practical validation on Windows and uses related techniques only as behavioral context. No claim is made about current activity, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

Ecipekac

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1027 | Obfuscated Files or Information | Ecipekac can use XOR, AES, and DES to encrypt loader shellcode. [1]
Enterprise | T1553.002 | Code Signing (sub-technique) | Ecipekac has used a valid, legitimate digital signature to evade detection. [1]
Enterprise | T1574.001 | DLL (sub-technique) | Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL. [1]
Enterprise | T1105 | Ingress Tool Transfer | Ecipekac can download additional payloads to a compromised host. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ecipekac has the ability to decrypt fileless loader modules. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise): G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 141ff0404c738ba0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 141ff0404c73…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Securelist APT10 March 2021: GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  2. [2] DESLoader (Citation: Securelist APT10 March 2021)
  3. [3] HEAVYHAND (Citation: Securelist APT10 March 2021)
  4. [4] SigLoader (Citation: Securelist APT10 March 2021)
  5. [5] mitre-attack S0624

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.