S0628: FYAnti
Analyst context for executives and security teams
FYAnti matters because ATT&CK identifies it as a Windows loader associated with follow-on malware deployment, including QuasarRAT, and used by menuPass since at least 2020. For leaders, the key issue is not the loader name itself; it is whether the organization can notice a packed or decoded executable being introduced, performing file discovery, and pulling additional tooling before the incident becomes a larger remote-access or command-and-control event.
Executive priority
Treat FYAnti as a validation case for endpoint, network, and incident-response readiness around loaders. Priority questions: do Windows endpoints generate usable evidence for suspicious executable staging and execution, can the SOC connect packed/deobfuscated files with later tool transfer, and can IR teams quickly determine whether additional payloads such as remote access tools were deployed. This is useful for resilience planning, audit evidence of monitoring coverage, and control prioritization, but the supplied ATT&CK data does not by itself establish current exposure or active exploitation.
Technical view
ATT&CK lists FYAnti as Windows malware with relationships to Software Packing, File and Directory Discovery, Ingress Tool Transfer, and Deobfuscate/Decode Files or Information. Because no official detection text is provided, SOC teams should validate coverage against those behaviors rather than relying on a FYAnti-specific signature. Focus on Windows executable creation and launch, indicators of packed or unusual binaries, file-system enumeration activity, decoding/deobfuscation behavior, and network or host evidence of additional files being brought into the environment. Relationship context to menuPass should be used for threat-intelligence enrichment, not as proof of attribution in a local incident.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows file creation, modification, and executable staging events
- EDR or malware-prevention metadata for packed, obfuscated, or decoded binaries
- Network egress, proxy, firewall, or DNS logs showing external retrieval of files or tooling
- File and directory access/enumeration telemetry where available
Detection direction
- Build behavior-based hunting around the related techniques: packed executables, decode/deobfuscation activity, file and directory discovery, and ingress tool transfer.
- Correlate endpoint execution with nearby network downloads or file writes to identify potential loader-to-payload chains.
- Tune carefully for legitimate packed software, software installers, administrative file discovery, and normal update activity to reduce false positives.
- Validate whether telemetry survives common blind spots: unmanaged Windows hosts, incomplete command-line logging, encrypted egress with limited proxy visibility, and endpoint tools that record detections but not surrounding context.
- Use the menuPass relationship and Securelist reference as enrichment for triage, while requiring local evidence before making attribution statements.
Mitigation priorities
- Prioritize visibility first: confirm Windows endpoint, file, process, and network egress telemetry is collected and retained long enough for investigation.
- Harden execution paths for untrusted or newly introduced executables using existing application control, endpoint protection, and software governance processes where appropriate.
- Review egress and file-transfer controls so unexpected external tool retrieval is logged, constrained, and investigated.
- Prepare IR playbooks for loader findings that include scoping for secondary payloads, file discovery, and related command-and-control activity.
- Use this object as a control-test scenario for managed detection, incident response readiness, and compliance evidence around malware execution and monitoring.
Analyst notes and limits
The strongest decision value is to treat FYAnti as a loader-pattern case. The supplied relationships indicate behaviors defenders can validate even without FYAnti-specific detection guidance: packing, deobfuscation, file discovery, and tool transfer. The association with menuPass and deployment of QuasarRAT is supplied by ATT&CK and the Securelist citation, but local investigations should separate observed behavior from attribution.
ATT&CK provides no official detection text, no aliases, and no tactics directly on the FYAnti object. The object platform is Windows; related ATT&CK techniques list broader platforms, but that should not be read as FYAnti platform coverage. This summary does not assert active exploitation, customer exposure, guaranteed detectability, or attribution without local evidence.
FYAnti
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | FYAnti can download additional payloads to a compromised host. (Citation: Securelist APT10 March 2021) |
| Enterprise | T1083 | File and Directory Discovery | FYAnti can search the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FYAnti has the ability to decrypt an embedded .NET module. (Citation: Securelist APT10 March 2021) |
| Enterprise | T1027.002 | Software Packing (sub-technique) | FYAnti has used ConfuserEx to pack its .NET module. (Citation: Securelist APT10 March 2021) |
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f5c888534816… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Securelist APT10 March 2021: GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- [2] DILLJUICE stage2 (Citation: Securelist APT10 March 2021)
- [3] mitre-attack S0628
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.