S0626: P8RAT
Analyst context for executives and security teams
P8RAT matters because ATT&CK describes it as Windows fileless malware used by menuPass to download and execute additional payloads. For leaders, the practical issue is not just one malware name; it is whether the organization can see payload delivery and execution when little or no traditional file artifact is available.
Executive priority
Prioritize this as a validation item for Windows endpoint visibility, managed detection coverage, and incident response readiness. The ATT&CK relationships point to command-and-control obfuscation with junk data, ingress tool transfer, process discovery, and sandbox-evasion checks, so leadership should ask whether current controls can support evidence-based decisions when malware behavior is memory-heavy, network traffic is intentionally noisy, and follow-on payloads may be introduced after initial execution.
Technical view
For SOC and IR teams, validate coverage around Windows hosts for suspicious process enumeration, payload download and execution, and network sessions that may include nonstandard or junk data patterns intended to complicate analysis. Because no official ATT&CK detection guidance is provided for P8RAT itself, detection engineering should pivot from the software object to the related techniques: T1001.001 Junk Data, T1057 Process Discovery, T1105 Ingress Tool Transfer, T1497.001 System Checks, and T1497.003 Time Based Checks. Treat the menuPass relationship as threat-intelligence context, not as proof of local attribution.
Likely telemetry
- Windows endpoint process creation and parent-child process context
- Endpoint memory or fileless execution indicators where available
- Network connection metadata and payload/protocol inspection where permitted
- Evidence of external file or tool transfer into Windows systems
- Command-and-control session characteristics, including unusual padding or junk data patterns
Detection direction
- Map existing detections to the related ATT&CK techniques rather than relying on a P8RAT-specific signature alone.
- Validate whether endpoint tooling can preserve useful evidence for fileless execution and downloaded payload execution.
- Tune process discovery alerts to reduce noise from legitimate administrative and monitoring tools while retaining visibility into unusual initiating processes.
- Review network detections for ingress tool transfer and C2 traffic that may be padded or obfuscated with junk data.
- Account for sandbox-evasion behavior; dynamic malware analysis may miss behavior if system or time-based checks cause the sample to disengage.
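As an added illustration of the technique-centred detection approach above (example code, not from ATT&CK or Glexia): it correlates constructed endpoint events against two of the behaviours tied to P8RAT, enumeration of VMware/VirtualBox guest-tool processes (T1057 / T1497.001) and an executable written to disk then launched (T1105), and emits the technique IDs each process matched. The event schema, field names and VM process names are assumptions; many endpoint tools do not record process-enumeration targets at all, which is the visibility gap the bullets ask teams to validate.

```python
from collections import defaultdict

# Illustrative VMware/VirtualBox guest-tool process names (assumption, not from
# the page); a query for any of these is the T1497.001 check done via T1057.
VM_PROCESS_NAMES = {"vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe"}
EXEC_SUFFIXES = (".exe", ".dll")

# Constructed telemetry (hypothetical EDR schema): process enumeration targets,
# file writes and process creations, keyed by originating process id.
EVENTS = [
    {"ts": 1, "pid": 4100, "type": "process_query", "target": "vmtoolsd.exe"},
    {"ts": 2, "pid": 4100, "type": "process_query", "target": "VBoxService.exe"},
    {"ts": 3, "pid": 4100, "type": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"},
    {"ts": 4, "pid": 4100, "type": "process_create", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"},
    # Benign monitoring agent enumerating an ordinary process: must not fire.
    {"ts": 5, "pid": 2200, "type": "process_query", "target": "explorer.exe"},
]

def vm_check_hits(events):
    """Return {pid: set of VM-related process names it looked for}."""
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "process_query" and e["target"].lower() in VM_PROCESS_NAMES:
            hits[e["pid"]].add(e["target"].lower())
    return dict(hits)

def download_then_execute(events):
    """Return [(writer pid, path)] where a process wrote an executable that later ran."""
    written, findings = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "file_write" and e["path"].lower().endswith(EXEC_SUFFIXES):
            written[e["path"].lower()] = e["pid"]
        elif e["type"] == "process_create" and e["path"].lower() in written:
            findings.append((written[e["path"].lower()], e["path"]))
    return findings

def map_to_techniques(events):
    """Map each suspicious pid to the ATT&CK technique IDs its behaviour matched."""
    techniques = defaultdict(set)
    for pid in vm_check_hits(events):
        techniques[pid].update({"T1057", "T1497.001"})
    for pid, _ in download_then_execute(events):
        techniques[pid].add("T1105")
    return {pid: sorted(t) for pid, t in techniques.items()}

if __name__ == "__main__":
    print(map_to_techniques(EVENTS))  # {4100: ['T1057', 'T1105', 'T1497.001']}
```

The benign agent (pid 2200) enumerating explorer.exe produces no finding, which is the noise-reduction point made in the tuning bullet.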
Mitigation priorities
- Strengthen Windows endpoint prevention, logging, and response capability for fileless and payload execution scenarios.
- Ensure egress monitoring and control can support investigation of suspicious external transfers and command-and-control behavior.
- Harden incident response playbooks for cases where secondary payloads may be downloaded after initial compromise.
- Review least-privilege and administrative tool governance to limit the value of process discovery and follow-on activity.
- Maintain telemetry retention sufficient to reconstruct process, network, and download activity across affected Windows systems.
Analyst notes and limits
ATT&CK provides a concise software description and relationship context but no dedicated detection text for P8RAT. The most defensible interpretation for defenders is to operationalize the related techniques and validate whether Windows endpoint and network telemetry can expose payload download, execution, C2 obfuscation, discovery, and evasion behavior.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current exploitation, customer exposure, specific indicators, guaranteed detection, or platforms beyond the supplied Windows platform for P8RAT. Local environment telemetry is required to assess actual risk and coverage.
P8RAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | P8RAT has the ability to "sleep" for a specified time to evade detection. [1] |
| Enterprise | T1057 | Process Discovery | P8RAT can check for specific processes associated with virtual environments. [1] |
| Enterprise | T1001.001 | Junk Data (sub-technique) | P8RAT can send randomly-generated data as part of its C2 communication. [1] |
| Enterprise | T1497.001 | System Checks (sub-technique) | P8RAT can check the compromised host for processes associated with VMware or VirtualBox environments. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | P8RAT can download additional payloads to a target system. [1] |
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c4aef446cf5e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Securelist APT10 March 2021: GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- [2] GreetCake (Citation: Securelist APT10 March 2021)
- [3] HEAVYPOT (Citation: Securelist APT10 March 2021)
- [4] mitre-attack S0626
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.