
S0662: RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).[1][2][3]

Enterprise | S0662 | Malware | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

RCSession matters because ATT&CK describes it as a Windows C++ backdoor associated with post-compromise access, collection, discovery, persistence, privilege escalation, defense evasion, and command-and-control behaviors. For leaders, the practical issue is not the malware name alone; it is whether Windows endpoint, registry, process, and network evidence would let the organization recognize and investigate a backdoor that can blend into normal administration and web traffic.

Executive priority

Treat RCSession as a validation case for Windows intrusion readiness. The ATT&CK relationships connect it to groups that have targeted government, diplomatic, NGO, defense, technology, energy, manufacturing, aerospace, and related sectors, but local risk depends on your environment and threat model. Executives should ask whether SOC coverage can reconstruct endpoint execution, persistence, C2, credential-collection risk, and data-access activity quickly enough to support containment, legal/compliance evidence, and business continuity decisions.

Technical view

RCSession is listed for Windows, with no official ATT&CK detection text. Defensive validation should therefore be built from the related techniques: command shell and native API execution, process hollowing, DLL abuse, msiexec proxy execution, registry modification and Run Key persistence, UAC bypass, masquerading, file deletion, local data collection, user/process/system discovery, keylogging, screen capture, ingress tool transfer, web-protocol C2, non-application-layer C2, encrypted channels, compression, and fileless storage. SOC and IR teams should confirm they can correlate these behaviors on Windows hosts rather than relying on a single malware signature.

Likely telemetry

  • Windows endpoint process creation, command-line, parent/child process, integrity level, and signed binary execution data
  • Registry write events, especially Run Keys, startup locations, and unusual registry-backed storage patterns
  • Module load and DLL search/path telemetry relevant to DLL abuse or side-loading investigations
  • Memory and process tampering signals consistent with process hollowing where available
  • File creation, compression/archive activity, tool transfer, and file deletion evidence

Detection direction

  • Build behavior-based detections around chains: suspicious execution followed by registry persistence, discovery, file collection, and outbound network activity.
  • Tune Windows detections for living-off-the-land abuse, especially msiexec.exe and cmd.exe, because legitimate administrative and software deployment activity can create false positives.
  • Hunt for registry modifications and startup persistence made by unusual users, unsigned or oddly located binaries, or processes with suspicious ancestry.
  • Validate visibility for process hollowing and DLL abuse; many environments log process creation but lack memory, module-load, or image-path context needed to investigate these techniques.
  • Correlate outbound HTTP/S or other protocol use with endpoint events; encrypted or web-like traffic alone is usually too noisy without host context.
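One way to turn the first detection direction above into working logic, written here as an added example rather than code from the Glexia page or from MITRE: it correlates constructed Sysmon-style events and flags a process that writes one of the registry locations the relationship table names (the `SOFTWARE\Plus` configuration store or a Run key) and then makes an outbound connection shortly afterwards. The event fields, the (host, PID) keying and the five-minute window are assumptions.

```python
# Added example (not from the Glexia page or MITRE ATT&CK): correlate
# constructed Sysmon-style events into "registry write, then outbound" chains.
from dataclasses import dataclass
from collections import defaultdict

# Registry locations the relationship table names: RCSession's fileless config
# storage under SOFTWARE\Plus, and Run-key persistence. Matched case-insensitively.
WATCHED_REG_PATHS = (r"\software\plus", r"\software\microsoft\windows\currentversion\run")
WINDOW_SECONDS = 300  # assumed correlation window between write and connection

@dataclass
class Event:
    ts: int      # epoch seconds
    kind: str    # "registry_set" or "network_connect"
    host: str
    pid: int
    image: str   # process image path
    target: str  # registry path, or destination "ip:port"

def watched_registry_path(path: str) -> bool:
    p = path.lower()
    return any(w in p for w in WATCHED_REG_PATHS)

def find_chains(events):
    """Return (host, pid, image, reg_path, dest) for each watched registry write
    followed within WINDOW_SECONDS by an outbound connection from the same process."""
    reg_by_proc = defaultdict(list)  # (host, pid) -> watched registry writes
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.host, e.pid)
        if e.kind == "registry_set" and watched_registry_path(e.target):
            reg_by_proc[key].append(e)
        elif e.kind == "network_connect":
            for r in reg_by_proc[key]:
                if 0 <= e.ts - r.ts <= WINDOW_SECONDS:
                    hits.append((e.host, e.pid, e.image, r.target, e.target))
    return hits

# Constructed sample telemetry (not real indicators). Only pid 4412 on ws01 writes
# SOFTWARE\Plus and then connects out; the installer touches an unrelated key, and
# pid 7001 writes the config key but never connects, so neither should alert.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    Event(1000, "registry_set", "ws01", 4412, SVCHOST, r"HKLM\SOFTWARE\Plus\cfg"),
    Event(1030, "network_connect", "ws01", 4412, SVCHOST, "203.0.113.10:443"),
    Event(1100, "registry_set", "ws01", 5120, r"C:\Vendor\setup.exe", r"HKLM\SOFTWARE\Vendor\Settings"),
    Event(1120, "network_connect", "ws01", 5120, r"C:\Vendor\setup.exe", "198.51.100.5:443"),
    Event(2000, "registry_set", "ws02", 7001, SVCHOST, r"HKCU\SOFTWARE\Plus\cfg"),
]
```

On real telemetry the `Event` records would be built from Sysmon Event ID 13 (registry value set) and Event ID 3 (network connection), and the Run-key match should be tuned against approved software-deployment activity as the list above notes.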

Mitigation priorities

  • Prioritize Windows endpoint hardening and monitoring for execution, persistence, privilege elevation, and registry abuse.
  • Restrict unnecessary local administrator rights and validate UAC-related controls, since the related behavior includes UAC bypass and privilege-escalation patterns.
  • Use application control or execution policy where feasible to reduce abuse of unsigned, unexpected, or user-writable-path binaries and DLLs.
  • Constrain and monitor administrative utilities such as cmd.exe and msiexec.exe without disrupting approved software deployment workflows.
  • Apply egress filtering, proxy logging, and network monitoring to make C2 over web protocols or other channels easier to investigate.

Analyst notes and limits

ATT&CK identifies RCSession as a C++ backdoor in use since at least 2018 by Mustang Panda and Threat Group-3390, with relationships to multiple ATT&CK techniques. The object itself has no specified tactics and no official detection guidance, so this take converts the supplied relationships into defensive validation priorities rather than asserting a specific indicator set.

This assessment is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not establish current activity, customer exposure, guaranteed detection coverage, or indicators of compromise. Local telemetry, asset criticality, sector exposure, and intelligence requirements are needed to determine priority and coverage gaps.

Official MITRE ATT&CK definition

RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

22 rows

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573 | Encrypted Channel | RCSession can use an encrypted beacon to check in with C2. [Secureworks BRONZE PRESIDENT December 2019] |
| Enterprise | T1055.012 | Process Hollowing (Sub-technique) | RCSession can launch itself from a hollowed svchost.exe process. [Secureworks BRONZE PRESIDENT December 2019; Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1057 | Process Discovery | RCSession can identify processes based on PID. [Profero APT27 December 2020] |
| Enterprise | T1218.007 | Msiexec (Sub-technique) | RCSession has the ability to execute inside the msiexec.exe process. [Profero APT27 December 2020] |
| Enterprise | T1113 | Screen Capture | RCSession can capture screenshots from a compromised host. [Profero APT27 December 2020] |
| Enterprise | T1056.001 | Keylogging (Sub-technique) | RCSession has the ability to capture keystrokes on a compromised host. [Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1105 | Ingress Tool Transfer | RCSession has the ability to drop additional files to an infected machine. [Profero APT27 December 2020] |
| Enterprise | T1106 | Native API | RCSession can use WinSock API for communication including WSASend and WSARecv. [Profero APT27 December 2020] |
| Enterprise | T1071.001 | Web Protocols (Sub-technique) | RCSession can use HTTP in C2 communications. [Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1033 | System Owner/User Discovery | RCSession can gather system owner information, including user and administrator privileges. [Profero APT27 December 2020] |
| Enterprise | T1070.004 | File Deletion (Sub-technique) | RCSession can remove files from a targeted system. [Profero APT27 December 2020] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (Sub-technique) | RCSession has the ability to modify a Registry Run key to establish persistence. [Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1027.015 | Compression (Sub-technique) | RCSession can compress and obfuscate its strings to evade detection on a compromised host. [Trend Micro DRBControl February 2020] |
| Enterprise | T1005 | Data from Local System | RCSession can collect data from a compromised host. [Profero APT27 December 2020; Trend Micro DRBControl February 2020] |
| Enterprise | T1095 | Non-Application Layer Protocol | RCSession has the ability to use TCP and UDP in C2 communications. [Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1082 | System Information Discovery | RCSession can gather system information from a compromised host. [Profero APT27 December 2020] |
| Enterprise | T1027.011 | Fileless Storage (Sub-technique) | RCSession can store its obfuscated configuration file in the Registry under `HKLM\SOFTWARE\Plus` or `HKCU\SOFTWARE\Plus`. [Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1036 | Masquerading | RCSession has used a file named English.rtf to appear benign on victim hosts. [Secureworks BRONZE PRESIDENT December 2019; Trend Micro DRBControl February 2020] |
| Enterprise | T1112 | Modify Registry | RCSession can write its configuration file to the Registry. [Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1574.001 | DLL (Sub-technique) | RCSession can be installed via DLL side-loading. [Secureworks BRONZE PRESIDENT December 2019; Trend Micro DRBControl February 2020; Profero APT27 December 2020] |
| Enterprise | T1059.003 | Windows Command Shell (Sub-technique) | RCSession can use `cmd.exe` for execution on compromised hosts. [Trend Micro DRBControl February 2020] |
| Enterprise | T1548.002 | Bypass User Account Control (Sub-technique) | RCSession can bypass UAC to escalate privileges. [Trend Micro DRBControl February 2020] |

Associated objects

Groups, software, and campaigns

Group Enterprise

G0027: Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]

Group Enterprise

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 8abb8941f3632ff6...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 8abb8941f363… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Secureworks BRONZE PRESIDENT December 2019: Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  [2] Trend Micro Iron Tiger April 2021: Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  [3] Trend Micro DRBControl February 2020: Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  [4] mitre-attack S0662

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.