S0663: SysUpdate
SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]
Analyst context for executives and security teams
SysUpdate is a Windows and Linux backdoor associated in ATT&CK with Threat Group-3390 and documented since at least 2020. Its ATT&CK relationships matter because they show a broad post-compromise pattern: discovery of users, services, processes, files, system and network settings; persistence through Linux systemd services and Windows registry modification; stealth through packing, encoding, fileless storage, masqueraded services, and file deletion; and C2/exfiltration activity including DNS and encoded C2 traffic. For leaders, the practical question is not simply whether a named malware family is detected, but whether endpoint, DNS, service, registry, and file activity are observable across both Windows and Linux estates.
Executive priority
Prioritize SysUpdate as a validation case for cross-platform incident readiness. The ATT&CK data links it to backdoor behavior and to a group known to target sectors including aerospace, government, defense, technology, energy, manufacturing, and gambling/betting. Security leaders should use this object to ask whether SOC coverage can connect discovery, persistence, stealth, tool transfer, C2, and exfiltration signals into one investigation, and whether Linux service monitoring receives the same governance and audit attention as Windows registry and WMI monitoring.
Technical view
ATT&CK provides no dedicated detection text for SysUpdate, so defenders should validate coverage from its mapped techniques. On Windows, review telemetry for WMI execution, registry modification, masqueraded services/tasks, process and service discovery, screen capture, file deletion, encoded or packed artifacts, and DNS/encoded C2 patterns. On Linux, validate systemd service creation or modification, process/service/user/system/network discovery, suspicious use of shared or volatile storage consistent with fileless storage, file deletion, tool transfer, and DNS-based C2. Because many mapped behaviors overlap with legitimate administration, detection should correlate sequences: new or modified persistence followed by discovery, encoded communication, file staging, local data access, and possible exfiltration over the same C2 channel.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows and Linux
- Windows WMI activity and related process lineage
- Windows Registry modification events
- Windows service/task and Linux systemd service creation or modification records
- File creation, deletion, packing/encoding indicators, and artifact metadata
Detection direction
- Do not rely on a SysUpdate signature alone; ATT&CK mapping indicates behaviors that may be packed, encoded, fileless, or masqueraded.
- Tune detections for chained behavior across discovery, persistence, C2, and cleanup rather than isolated administrative commands.
- Baseline legitimate WMI, registry, systemd, service, DNS, and file deletion activity to reduce false positives from normal administration.
- Confirm Linux visibility is sufficient for systemd service changes, process discovery, shared-memory or runtime-directory abuse, and DNS/network activity.
- Review DNS monitoring for C2-style use, including encoded data patterns, while accounting for high-volume legitimate DNS use.
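The chained-behaviour detection described above, as an added example that is not code from the ATT&CK object or from Glexia: it scores the persistence (systemd unit creation, T1543.002) to discovery (T1033/T1057/T1007/T1082/T1016) to encoded DNS TXT C2 (T1071.004 with T1132.001) sequence on one host as a single finding, while a host that only creates a unit and queries an ordinary TXT record stays quiet. The event schema, hostnames, timestamps and query names are constructed; the 30-minute window and the discovery command list are assumptions to tune locally.

```python
"""Correlate persistence -> discovery -> encoded DNS C2 across constructed events.

Added example (not from the ATT&CK object or Glexia). Event shapes, hosts,
timestamps and domains are invented; WINDOW and DISCOVERY_CMDS are assumptions.
"""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: later stages must follow persistence within 30 min
UNIT_DIRS = ("/usr/lib/systemd/system/", "/etc/systemd/system/")
# Assumed discovery commands covering user, process, system and network discovery
DISCOVERY_CMDS = {"id", "whoami", "ps", "uname", "hostname", "ip", "ifconfig", "df", "lsblk"}
B64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{16,}$")


def looks_encoded(label):
    """True when a DNS label is a long, syntactically valid base64/base64url string."""
    if not B64_LABEL.match(label):
        return False
    std = label.translate(str.maketrans("-_", "+/"))
    std += "=" * (-len(std) % 4)  # restore padding stripped for DNS
    try:
        base64.b64decode(std, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def stage_of(event):
    """Map one raw event to a kill-chain stage, or None when it is unremarkable."""
    kind = event["type"]
    if kind == "file_create":
        path = event["path"]
        if path.endswith(".service") and path.startswith(UNIT_DIRS):
            return "persistence"
    elif kind == "process":
        argv = event["cmd"].split()
        exe = argv[0].rsplit("/", 1)[-1]
        if exe in DISCOVERY_CMDS or (exe == "systemctl" and "list-units" in argv):
            return "discovery"
    elif kind == "dns":
        if event["qtype"] == "TXT" and looks_encoded(event["qname"].split(".")[0]):
            return "dns_c2"
    return None


def correlate(events):
    """Return one alert per host where persistence is followed, inside WINDOW,
    by both a discovery command and an encoded DNS TXT query."""
    by_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))
    alerts = []
    for host, staged in by_host.items():
        staged.sort(key=lambda item: item[0])
        for i, (t0, stage0, ev0) in enumerate(staged):
            if stage0 != "persistence":
                continue
            seen = {s for t, s, _ in staged[i + 1:] if t - t0 <= WINDOW}
            if {"discovery", "dns_c2"} <= seen:
                alerts.append({"host": host, "anchor": ev0["path"],
                               "start": t0.isoformat(), "stages": ["persistence"] + sorted(seen)})
                break
    return alerts


# Constructed sample events: web01 shows the full chain, build01 is routine administration.
ENCODED = base64.b64encode(b"host=web01;user=root").decode().rstrip("=")
EVENTS = [
    {"host": "web01", "ts": "2024-01-01T09:00:00", "type": "file_create",
     "path": "/usr/lib/systemd/system/systemd-ntpd.service"},
    {"host": "web01", "ts": "2024-01-01T09:01:00", "type": "process", "cmd": "id"},
    {"host": "web01", "ts": "2024-01-01T09:02:00", "type": "process", "cmd": "/usr/bin/ps -ef"},
    {"host": "web01", "ts": "2024-01-01T09:03:00", "type": "process", "cmd": "uname -a"},
    {"host": "web01", "ts": "2024-01-01T09:05:00", "type": "dns", "qtype": "TXT",
     "qname": f"{ENCODED}.upd.example.invalid"},
    {"host": "web01", "ts": "2024-01-01T09:06:00", "type": "dns", "qtype": "A", "qname": "deb.debian.org"},
    {"host": "build01", "ts": "2024-01-01T10:00:00", "type": "file_create",
     "path": "/etc/systemd/system/backup.service"},
    {"host": "build01", "ts": "2024-01-01T10:02:00", "type": "process", "cmd": "systemctl daemon-reload"},
    {"host": "build01", "ts": "2024-01-01T10:03:00", "type": "dns", "qtype": "TXT", "qname": "_dmarc.example.com"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The base64 check deliberately rejects short or non-decodable labels so that routine SPF and DMARC TXT lookups do not count as C2, and the alert requires all three stages on the same host rather than firing on the unit creation alone.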
Mitigation priorities
- Establish or verify endpoint logging coverage for Windows and Linux before relying on detection outcomes.
- Harden and monitor persistence surfaces: Windows Registry and services/tasks, plus Linux systemd units.
- Restrict and audit administrative execution paths such as WMI and service management according to least privilege.
- Improve DNS and egress monitoring so encoded C2, tool transfer, and exfiltration over C2 channels can be investigated.
- Add integrity monitoring or change control for critical service definitions, startup locations, and sensitive configuration paths.
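An integrity check for the systemd persistence surface named in the last two bullets, as an added example that is not code from the ATT&CK object or from Glexia: it audits a unit directory for the two tricks the T1543.002 and T1036.004 mappings describe, an ExecStart whose path passes through a symlink, and a unit name chosen to sit within a couple of edits of a legitimate neighbour, plus ownership of the directory and unit files. The unit files and paths are constructed inside a temporary directory; on a real host the function would be pointed at the system unit directories with `expected_uid=0`.

```python
"""Audit a systemd unit directory for symlinked ExecStart targets, lookalike
unit names and unexpected ownership.

Added example (not from the ATT&CK object or Glexia). The fixture built by
build_fixture() is constructed; expected_uid and max_edit_distance are assumptions.
"""
import os
import tempfile
from pathlib import Path


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exec_start_paths(unit_text):
    """Executable paths from ExecStart* directives, stripping systemd's prefixes (-, @, +, !, :)."""
    paths = []
    for line in unit_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() not in ("ExecStart", "ExecStartPre", "ExecStartPost"):
            continue
        tokens = value.strip().split()
        if tokens:
            paths.append(tokens[0].lstrip("-@+!:"))
    return [p for p in paths if p]


def symlinked_components(path):
    """Every prefix of `path` that is itself a symlink."""
    parts = Path(path).parts
    return [str(Path(*parts[:i])) for i in range(1, len(parts) + 1) if Path(*parts[:i]).is_symlink()]


def audit_unit_dir(unit_dir, expected_uid=0, max_edit_distance=2):
    """Return (unit name, reason) findings for one unit directory."""
    unit_dir = Path(unit_dir)
    findings = []
    if unit_dir.stat().st_uid != expected_uid:
        findings.append((str(unit_dir), "unit directory not owned by expected uid"))
    units = sorted(f for f in unit_dir.iterdir() if f.suffix == ".service")
    for unit in units:
        if unit.stat().st_uid != expected_uid:
            findings.append((unit.name, "unit file not owned by expected uid"))
        for target in exec_start_paths(unit.read_text()):
            links = symlinked_components(target)
            if links:
                findings.append((unit.name, f"ExecStart path traverses symlink: {', '.join(links)}"))
        for other in units:
            # report each lookalike pair once, on the lexically smaller name
            if other.name > unit.name and 0 < levenshtein(unit.stem, other.stem) <= max_edit_distance:
                findings.append((unit.name, f"name within {max_edit_distance} edits of {other.name}"))
    return findings


def build_fixture(root):
    """Constructed layout: two ordinary units plus one lookalike whose ExecStart
    reaches a user-writable script through a symlinked directory."""
    root = Path(root).resolve()
    unit_dir = root / "usr/lib/systemd/system"
    unit_dir.mkdir(parents=True)
    bindir = root / "usr/bin"
    bindir.mkdir(parents=True)
    for name in ("sshd", "networkd"):
        (bindir / name).write_text("#!/bin/sh\n")
    staging = root / "home/dev/.cache"
    staging.mkdir(parents=True)
    (staging / "update.sh").write_text("#!/bin/sh\n")
    (root / "srv").mkdir()
    os.symlink(staging, root / "srv/system")  # symlink into the user-owned directory
    (unit_dir / "ssh.service").write_text(f"[Service]\nExecStart={bindir / 'sshd'} -D\n")
    (unit_dir / "systemd-networkd.service").write_text(f"[Service]\nExecStart={bindir / 'networkd'}\n")
    (unit_dir / "systemd-network.service").write_text(
        f"[Service]\nExecStart=-{root / 'srv/system/update.sh'}\n")
    return unit_dir


def demo():
    """Build the fixture in a temp dir and audit it; ownership is checked against the current user."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_unit_dir(build_fixture(tmp), expected_uid=os.getuid())


if __name__ == "__main__":
    for unit, reason in demo():
        print(f"{unit}: {reason}")
```

Lookalike pairs are reported once without deciding which side is legitimate; that judgement belongs to the analyst, who can compare the finding against package ownership and change-control records. Treating symlink traversal as a finding rather than resolving it silently is what preserves the evidence of the `/usr/lib/systemd/system/` to root-owned directory mapping the ATT&CK text describes.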
Analyst notes and limits
The most decision-useful aspect of this ATT&CK object is the breadth of mapped behavior rather than the malware description itself. SysUpdate can serve as a control-validation scenario spanning endpoint detection, Linux monitoring, Windows management-plane abuse, DNS visibility, persistence governance, and exfiltration investigation. Local prioritization should consider whether the organization operates Windows and Linux assets in business-critical environments and whether existing telemetry can preserve evidence after file deletion or stealth techniques.
MITRE does not provide official detection guidance for SysUpdate in the supplied object, and tactics are not specified directly on the malware object. This take is derived from the official description, external references, platform fields, and ATT&CK relationships only. It does not assert current activity, customer exposure, guaranteed detection, or attribution for any incident without local evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.004 | DNS (sub-technique) | SysUpdate has used DNS TXT requests for its C2 communication. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | SysUpdate has used DES to encrypt all C2 communications. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1007 | System Service Discovery | SysUpdate can collect a list of services on a victim machine. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SysUpdate can deobfuscate packed binaries in memory. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1680 | Local Storage Discovery | SysUpdate can collect a system's drive information. (Citation: Trend Micro Iron Tiger April 2021) (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | SysUpdate has used Base64 to encode its C2 traffic. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1033 | System Owner/User Discovery | SysUpdate can collect the username from a compromised host. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1057 | Process Discovery | SysUpdate can collect information about running processes. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1553.002 | Code Signing (sub-technique) | SysUpdate has been signed with stolen digital certificates. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1005 | Data from Local System | SysUpdate can collect information and files from a compromised host. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1027.011 | Fileless Storage (sub-technique) | SysUpdate can store its encoded configuration file within |
| Enterprise | T1083 | File and Directory Discovery | SysUpdate can search files on a compromised host. (Citation: Trend Micro Iron Tiger April 2021) (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1016.001 | Internet Connection Discovery (sub-technique) | SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1105 | Ingress Tool Transfer | SysUpdate has the ability to download files to a compromised host. (Citation: Trend Micro Iron Tiger April 2021) (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | SysUpdate has named its unit configuration file similarly to other unit files residing in the same directory, `/usr/lib/systemd/system/`, to appear benign. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SysUpdate has exfiltrated data over its C2 channel. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | SysUpdate can encrypt and encode its configuration file. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1082 | System Information Discovery | SysUpdate can collect a system's architecture, operating system version, and hostname. (Citation: Trend Micro Iron Tiger April 2021) (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1113 | Screen Capture | SysUpdate has the ability to capture screenshots. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1543.002 | Systemd Service (sub-technique) | SysUpdate can copy a script to the user-owned `/usr/lib/systemd/system/` directory with a symlink mapped to a root-owned directory, `/etc/ystem/system`, in the unit configuration file's `ExecStart` directive to establish persistence and elevate privileges. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | SysUpdate can delete its configuration file from the targeted system. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1112 | Modify Registry | SysUpdate can write its configuration file to |
| Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | SysUpdate has the ability to set file attributes to hidden. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1574.001 | DLL (sub-technique) | SysUpdate can load DLLs through vulnerable legitimate executables. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | SysUpdate can use a Registry Run key to establish persistence. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1016 | System Network Configuration Discovery | SysUpdate can collect the IP address and domain name of a compromised host. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1027.002 | Software Packing (sub-technique) | SysUpdate has been packed with VMProtect. (Citation: Trend Micro Iron Tiger April 2021) (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1106 | Native API | SysUpdate can call the `GetNetworkParams` API as part of its C2 establishment process. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1569.002 | Service Execution (sub-technique) | SysUpdate can manage services and processes. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1047 | Windows Management Instrumentation | SysUpdate can use WMI for execution on a compromised host. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1543.003 | Windows Service (sub-technique) | SysUpdate can create a service to establish persistence. (Citation: Trend Micro Iron Tiger April 2021) |
Groups, software, and campaigns
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | c6a12330e34c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro Iron Tiger April 2021: Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- [2] FOCUSFJORD (Citation: Trend Micro Iron Tiger April 2021)
- [3] HyperSSL (Citation: Trend Micro Iron Tiger April 2021)
- [4] Soldier (Citation: Trend Micro Iron Tiger April 2021)
- [5] mitre-attack S0663
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.