S0695: Donut
Analyst context for executives and security teams
Donut matters because it represents a practical way to turn payloads into position-independent shellcode that can be loaded into memory on Windows systems. For leaders, the risk is not the tool name itself but the defensive gap it tests: whether the organization can see suspicious in-memory execution, process injection, obfuscated payload handling, and script-driven execution before an incident becomes a larger intrusion or ransomware response problem.
Executive priority
Prioritize Donut as a coverage-validation topic for endpoint visibility, SOC triage quality, and incident response readiness. ATT&CK links Donut to payload obfuscation, process injection, reflective code loading, command/script execution, tool transfer, web-protocol command and control, indicator removal, and defense impairment. Executives should ask whether current controls produce evidence for memory-centric activity, not just files written to disk, and whether audit/compliance evidence can demonstrate monitoring of script interpreters, native API abuse patterns, and security-tool tampering.
Technical view
Donut is a Windows tool in ATT&CK S0695 described as an open source framework for generating position-independent shellcode, with generated code used to inject and load malicious payloads into memory. No official detection text is provided, so SOC and detection teams should validate coverage through the related ATT&CK behaviors: T1055 Process Injection, T1620 Reflective Code Loading, T1027.002 Software Packing, T1027.013 Encrypted/Encoded File, T1027.015 Compression, T1059 and sub-techniques for PowerShell, Visual Basic, Python, and JavaScript execution, T1106 Native API, T1105 Ingress Tool Transfer, T1071.001 Web Protocols, T1070 Indicator Removal, T1057 Process Discovery, and T1685 Disable or Modify Tools. Treat the Indrik Spider relationship as ATT&CK context, not proof of local activity.
Likely telemetry
- Endpoint process creation and parent/child process lineage on Windows
- Script interpreter telemetry for PowerShell, Visual Basic/JScript, Python, and JavaScript runtimes where present
- Endpoint detection events for process injection, reflective loading, suspicious memory allocation/execution, and native API usage
- File and archive telemetry for packed, compressed, encrypted, or encoded payload artifacts
- Network telemetry for HTTP/S or other web-protocol command-and-control-like patterns
Detection direction
- Validate detections against behavior chains rather than the Donut name alone: script execution or tool transfer followed by obfuscated payload handling and memory execution is more durable than static signatures.
- Tune for suspicious Windows process injection and reflective loading indicators, while accounting for legitimate administrative, security, and software-updater activity that can create false positives.
- Correlate encoded/compressed/packed artifacts with subsequent script interpreter activity, native API use, or abnormal child processes.
- Review visibility gaps where payloads may execute primarily in memory and leave limited file artifacts.
- Monitor security tooling degradation or tampering as a high-priority companion signal because ATT&CK relates the object to defense impairment.
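The behavior-chain idea above (script execution or tool transfer, then obfuscated payload handling, then in-memory execution) can be expressed as a small correlation rule. The following is an added illustration written for this page, not code from the Donut project or from ATT&CK; the event type names, host names, timestamps and the allowlisted updater process are all constructed, and would map onto whatever normalized EDR or Sysmon fields an organization actually collects.

```python
"""Behavior-chain correlation over constructed Windows endpoint telemetry.

A host is flagged when, inside one time window, it shows three stages in order:
  stage 1  script-interpreter start or ingress tool transfer
  stage 2  handling of an encoded / compressed / packed payload artifact
  stage 3  in-memory execution (process injection or reflective loading)
Stage-3 events from signed, allowlisted processes are suppressed to limit
false positives from legitimate updaters and security tooling.
All sample events below are constructed for illustration (hypothetical data).
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

# Normalized event type -> chain stage (ATT&CK technique noted for reference only).
STAGE_OF = {
    "script_interpreter_start": 1,  # T1059.*
    "http_download": 1,             # T1105 / T1071.001
    "encoded_command": 2,           # T1027.013
    "packed_file_written": 2,       # T1027.002 / T1027.015
    "remote_thread_create": 3,      # T1055
    "reflective_load": 3,           # T1620
}

# Hypothetical allowlist: signed processes whose injection-like behavior is expected.
ALLOWLISTED_INJECTORS = {"svcupdater.exe"}

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "type": "script_interpreter_start", "process": "powershell.exe"},
    {"ts": "2024-05-01T09:00:12", "host": "WS01", "type": "encoded_command", "process": "powershell.exe"},
    {"ts": "2024-05-01T09:00:40", "host": "WS01", "type": "remote_thread_create", "process": "powershell.exe", "signed": False},
    # WS02: signed, allowlisted updater injecting -> suppressed
    {"ts": "2024-05-01T10:15:00", "host": "WS02", "type": "remote_thread_create", "process": "svcupdater.exe", "signed": True},
    # WS03: same stages but the window expires between stage 1 and stage 2 -> no alert
    {"ts": "2024-05-01T11:00:00", "host": "WS03", "type": "script_interpreter_start", "process": "wscript.exe"},
    {"ts": "2024-05-01T11:30:00", "host": "WS03", "type": "encoded_command", "process": "wscript.exe"},
    {"ts": "2024-05-01T11:31:00", "host": "WS03", "type": "reflective_load", "process": "wscript.exe", "signed": False},
    # WS04: stages out of order -> no alert
    {"ts": "2024-05-01T12:00:00", "host": "WS04", "type": "remote_thread_create", "process": "rundll32.exe", "signed": False},
    {"ts": "2024-05-01T12:01:00", "host": "WS04", "type": "script_interpreter_start", "process": "powershell.exe"},
    {"ts": "2024-05-01T12:02:00", "host": "WS04", "type": "encoded_command", "process": "powershell.exe"},
    # WS05: tool-transfer variant of the chain -> alert
    {"ts": "2024-05-01T13:00:00", "host": "WS05", "type": "http_download", "process": "powershell.exe"},
    {"ts": "2024-05-01T13:02:00", "host": "WS05", "type": "packed_file_written", "process": "powershell.exe"},
    {"ts": "2024-05-01T13:05:00", "host": "WS05", "type": "reflective_load", "process": "powershell.exe", "signed": False},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_suppressed(event):
    """Stage-3 events from signed, allowlisted processes are treated as expected."""
    return (
        STAGE_OF.get(event["type"]) == 3
        and event.get("signed", False)
        and event["process"].lower() in ALLOWLISTED_INJECTORS
    )


def correlate(events, window=WINDOW):
    """Return one alert per completed stage-1 -> stage-2 -> stage-3 chain on a host."""
    alerts = []
    by_host = {}
    for event in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host.setdefault(event["host"], []).append(event)

    for host, host_events in by_host.items():
        chain = []  # accepted events so far; chain[0] anchors the window
        for event in host_events:
            stage = STAGE_OF.get(event["type"])
            if stage is None or is_suppressed(event):
                continue
            now = parse_ts(event["ts"])
            if chain and now - parse_ts(chain[0]["ts"]) > window:
                chain = []  # anchor too old: start over
            expected = len(chain) + 1
            if stage == expected:
                chain.append(event)
            # repeated or out-of-order stages are ignored; the anchor is kept
            if len(chain) == 3:
                alerts.append({
                    "host": host,
                    "first_seen": chain[0]["ts"],
                    "last_seen": chain[-1]["ts"],
                    "chain": [e["type"] for e in chain],
                })
                chain = []
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports WS01 and WS05 only: WS02 is suppressed by the signed-process allowlist, WS03 falls outside the window, and WS04 shows the stages out of order. In practice the stage mapping and window would be tuned to the organization's own telemetry, and the allowlist would be sourced from verified signer data rather than a process name alone.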
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoints, script interpreters, network egress, and security-tool health all produce usable logs for SOC and IR workflows.
- Harden and monitor script execution paths, especially PowerShell and Windows scripting components, using organization-approved policy controls and logging.
- Reduce unnecessary interpreter and tooling exposure on systems where those capabilities are not operationally required.
- Strengthen endpoint controls that can inspect or alert on injection, reflective loading, suspicious memory execution, and tool tampering.
- Apply egress monitoring and control for web-protocol traffic patterns that do not match expected business behavior.
Analyst notes and limits
ATT&CK provides no official detection guidance for Donut, so this take derives defensive direction from the official description, Windows platform field, external references, and ATT&CK relationships. The practical value is to use Donut as a test case for memory-execution and obfuscation coverage across SOC, IR, endpoint, and network teams.
This summary does not establish current exploitation, customer exposure, or guaranteed detectability. Relationship data indicates ATT&CK associations, including Indrik Spider use, but local attribution and impact require environment-specific evidence. Some related techniques span platforms beyond Windows, while the Donut software object itself is supplied here with Windows as its platform.
Donut
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070 | Indicator Removal | Donut can erase file references to payloads in-memory after being reflectively loaded and executed.[1] |
| Enterprise | T1059.006 | Python Sub-technique | Donut can generate shellcode outputs that execute via Python.[1] |
| Enterprise | T1055 | Process Injection | Donut includes a subproject |
| Enterprise | T1059 | Command and Scripting Interpreter | Donut can generate shellcode outputs that execute via Ruby.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Donut can generate shellcode outputs that execute via VBScript.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[1] |
| Enterprise | T1057 | Process Discovery | Donut includes subprojects that enumerate and identify information about Process Injection candidates.[1] |
| Enterprise | T1027.002 | Software Packing Sub-technique | Donut can generate packed code modules.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Donut can use HTTP to download previously staged shellcode payloads.[1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | Donut can generate shellcode outputs that execute via JavaScript or JScript.[1] |
| Enterprise | T1106 | Native API | Donut code modules use various API functions to load and inject code.[1] |
| Enterprise | T1620 | Reflective Code Loading | Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.[1] |
| Enterprise | T1685 | Disable or Modify Tools | Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[1] |
| Enterprise | T1027.015 | Compression Sub-technique | Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Donut can generate shellcode outputs that execute via PowerShell.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Donut can download and execute previously staged shellcode payloads.[1] |
Groups, software, and campaigns
G0119: Indrik Spider
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2cec1ba9d322… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Donut Github. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
[2] Introducing Donut. The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.
[3] NCC Group WastedLocker June 2020. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
[4] mitre-attack S0695.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.