
S0627: SodaMaster

SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]

Enterprise | S0627 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

SodaMaster matters because it is described as Windows fileless malware used by menuPass to download and execute additional payloads. For leaders, the practical issue is not a single file hash; it is whether endpoint, identity, and network monitoring can recognize an in-memory or low-artifact intrusion that performs discovery, avoids analysis, and uses encrypted command-and-control patterns before follow-on payloads arrive.

Executive priority

Prioritize validation of Windows endpoint visibility, incident response readiness for fileless malware, and evidence collection for discovery and command-and-control behavior. Because ATT&CK provides no official detection guidance for SodaMaster, leadership should ask whether current managed detection, EDR, logging, and network controls can prove coverage for the related behaviors rather than relying on malware-name matching.

Technical view

SOC and IR teams should validate coverage around the behaviors ATT&CK relates to SodaMaster: registry querying, user/process/system discovery, ingress tool transfer, native API use, obfuscated content, sandbox/time checks, and encrypted C2 using symmetric or asymmetric cryptography. Since the object is Windows malware and fileless, detection should emphasize behavioral chains and memory/process/network evidence instead of only files on disk.

Likely telemetry

  • Windows endpoint process and command-line telemetry
  • Windows Registry access/query telemetry
  • User/session and logged-on account evidence
  • Process enumeration and system information collection events
  • EDR memory, module, and native API behavioral observations where available

Detection direction

  • Do not depend on a SodaMaster signature alone; validate detections for the related ATT&CK techniques and for chained behavior on Windows hosts.
  • Tune for suspicious discovery sequences that combine registry, user, process, and system information collection before external communications or payload transfer.
  • Review network analytics for unusual encrypted command-and-control patterns, while accounting for high false-positive rates from normal encrypted enterprise traffic.
  • Confirm whether EDR can surface fileless execution and native API-heavy behavior; disk-only antivirus evidence may be insufficient.
  • Account for anti-analysis behavior: sandbox detonations may miss behavior if system or time-based checks alter execution.
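As an added illustration of the "discovery sequence before external communications" direction above (example code written for this page, not Glexia's or MITRE's own detection content), the sketch below runs over constructed Sysmon-style events and flags a host where several distinct discovery kinds land within a short window before an outbound connection. The event schema, the kind labels, the host names and the destination addresses are assumptions; only the VMware registry key comes from the relationship table on this page.

```python
"""Constructed detection sketch: discovery chain before outbound traffic.
Event schema (host, ts seconds, kind, detail) and kind labels are assumptions."""
from collections import defaultdict

# Registry key the relationship table says SodaMaster checks before running.
VMWARE_KEY = r"HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe"
# Discovery kinds mapped from the related techniques (T1012, T1033, T1057, T1082).
DISCOVERY = {"registry_query", "user_discovery", "process_discovery", "system_info"}

def is_vmware_check(event):
    """True when a registry query targets the VMware key from the table."""
    return event["kind"] == "registry_query" and event["detail"].lower() == VMWARE_KEY.lower()

def find_discovery_chains(events, window=300, min_kinds=3):
    """Alert per host when >= min_kinds distinct discovery kinds occur within
    window seconds before an outbound connection; a VMware key check in the
    chain (sandbox evasion) raises severity to high."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["kind"] != "network_connect":
                continue
            prior = [p for p in evs[:i] if e["ts"] - p["ts"] <= window]
            kinds = {p["kind"] for p in prior if p["kind"] in DISCOVERY}
            if len(kinds) >= min_kinds:
                sev = "high" if any(is_vmware_check(p) for p in prior) else "medium"
                alerts.append({"host": host, "ts": e["ts"], "dest": e["detail"],
                               "kinds": sorted(kinds), "severity": sev})
                break  # one alert per host is enough to open triage
    return alerts

SAMPLE_EVENTS = [  # constructed; ws01 = suspicious chain, ws02 = routine admin noise
    {"host": "ws01", "ts": 100, "kind": "registry_query", "detail": VMWARE_KEY},
    {"host": "ws01", "ts": 105, "kind": "user_discovery", "detail": "username lookup"},
    {"host": "ws01", "ts": 110, "kind": "system_info", "detail": "host name + OS version"},
    {"host": "ws01", "ts": 115, "kind": "process_discovery", "detail": "running process list"},
    {"host": "ws01", "ts": 130, "kind": "network_connect", "detail": "203.0.113.10:443"},
    {"host": "ws02", "ts": 100, "kind": "registry_query", "detail": r"HKLM\SOFTWARE\Example"},
    {"host": "ws02", "ts": 8000, "kind": "network_connect", "detail": "198.51.100.5:443"},
]

if __name__ == "__main__":
    for alert in find_discovery_chains(SAMPLE_EVENTS):
        print(alert)
```

The window and minimum-kinds thresholds are the tuning knobs: widening the window catches slower chains at the cost of more hits from ordinary administration, which is the false-positive trade-off the bullets above describe.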

Mitigation priorities

  • Strengthen Windows endpoint prevention and EDR controls capable of behavioral and memory-aware detection.
  • Limit and monitor unnecessary outbound connectivity to reduce opportunities for ingress tool transfer and command-and-control.
  • Ensure registry, process, user, and network telemetry is retained long enough to support incident reconstruction.
  • Harden least-privilege and account monitoring so discovery of users and system context is more actionable during triage.
  • Exercise IR playbooks for fileless malware where containment decisions rely on live host evidence, memory-aware tooling, and network scoping rather than recovered binaries only.

Analyst notes and limits

ATT&CK identifies SodaMaster as fileless malware used by menuPass since at least 2020 and links it to multiple discovery, stealth, execution, ingress transfer, and encrypted command-and-control techniques. The supplied object has no official detection text and no malware tactics listed, so this take emphasizes behavior-driven validation using the provided relationships.

This assessment is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not establish current activity, customer exposure, specific indicators, exploit vectors, or guaranteed detection coverage. Local endpoint, identity, and network telemetry must be reviewed to determine actual defensive readiness.

Official MITRE ATT&CK definition

SodaMaster

SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1105 | Ingress Tool Transfer | SodaMaster has the ability to download additional payloads from C2 to the targeted system.[1]
Enterprise | T1106 | Native API | SodaMaster can use RegOpenKeyW to access the Registry.[1]
Enterprise | T1497.001 | System Checks (sub-technique) | SodaMaster can check for the presence of the Registry key HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe before proceeding to its main functionality.[1]
Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | SodaMaster can use a hardcoded RSA key to encrypt some of its C2 traffic.[1]
Enterprise | T1497.003 | Time Based Checks (sub-technique) | SodaMaster has the ability to put itself to "sleep" for a specified time.[1]
Enterprise | T1027 | Obfuscated Files or Information | SodaMaster can use "stackstrings" for obfuscation.[1]
Enterprise | T1033 | System Owner/User Discovery | SodaMaster can identify the username on a compromised host.[1]
Enterprise | T1082 | System Information Discovery | SodaMaster can enumerate the host name and OS version on a target system.[1]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | SodaMaster can use RC4 to encrypt C2 communications.[1]
Enterprise | T1057 | Process Discovery | SodaMaster can search a list of running processes.[1]
Enterprise | T1012 | Query Registry | SodaMaster has the ability to query the Registry to detect a key specific to VMware.[1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 699bd3a47c09f099...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 699bd3a47c09…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Securelist APT10 March 2021
     GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  2. [2] DARKTOWN (Citation: Securelist APT10 March 2021)
  3. [3] DelfsCake (Citation: Securelist APT10 March 2021)
  4. [4] dfls (Citation: Securelist APT10 March 2021)
  5. [5] mitre-attack S0627

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.