S0696: Flagpro
Analyst context for executives and security teams
Flagpro matters because ATT&CK describes it as a Windows first-stage downloader associated with follow-on discovery, persistence, command-and-control, tool transfer, and possible data collection/exfiltration behaviors. For leaders, the key decision is not whether one malware name is present, but whether email, endpoint, registry, and web egress controls can expose an early foothold before it becomes broader intrusion activity.
Executive priority
Prioritize validation where business disruption would be highest: Windows endpoints receiving attachments, users with access to sensitive local or shared data, and networks where outbound web traffic is weakly monitored. The ATT&CK description notes historical use against defense, media, and communications companies in Japan, so organizations with similar sector, geography, or partner exposure should ensure incident response playbooks can rapidly answer: how did the file execute, what persistence was created, what discovery ran, and whether data moved over web-based C2.
Technical view
Treat Flagpro coverage as a Windows intrusion-chain validation exercise. ATT&CK provides no official detection text, so SOC teams should map detections to the relationships: spearphishing attachment and malicious file execution; Windows command shell, Visual Basic, and Native API execution; Registry Run Keys/Startup Folder persistence; local user/group, process, window, network, remote system, and share discovery; obfuscation/masquerading/indicator removal; web-protocol C2 with standard encoding; ingress tool transfer; local data collection; and scheduled or C2-channel exfiltration. Because several related techniques have broader platform metadata, keep this object’s implementation scope constrained to the supplied Windows malware platform unless local evidence shows otherwise.
Likely telemetry
- Email gateway and attachment metadata, including sender, recipient, attachment type, detonation results, and user interaction where available
- Endpoint process creation telemetry with command line, parent/child process relationships, script interpreter activity, and module/API-related signals where collected
- Windows registry and startup folder change events, especially Run key creation or modification
- File creation, rename, deletion, and download events that can support obfuscation, masquerading, ingress transfer, and indicator-removal review
- Endpoint discovery evidence: user/group queries, process listings, network configuration and connection queries, remote host discovery, and network share enumeration
Detection direction
- Validate chained analytics rather than relying on a single malware signature: attachment execution followed by script or command shell activity, discovery commands, persistence writes, and outbound web traffic is more decision-useful than any one event alone.
- Tune discovery detections for context. Administrative tools can legitimately enumerate processes, users, network connections, and shares; raise priority when these occur from unusual parent processes, recently delivered files, uncommon users, or shortly before outbound transfers.
- Confirm whether registry Run key and startup folder auditing is enabled on Windows endpoints; this is a common blind spot for persistence triage.
- Review web egress visibility. Standard encoding and HTTP/S-based C2 can blend with normal traffic, so proxy/DNS logs, destination reputation, request periodicity, and endpoint-to-network correlation are important.
- Account for sparse official detection guidance. Detection engineering should be validated through local telemetry tests and incident retrospectives, not assumed from ATT&CK mapping alone.
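The chained analytic described above, as an added example that is not part of the page or of any vendor product: it maps constructed endpoint events to the stages the page associates with Flagpro (Office-spawned interpreter, discovery commands, a .tmp-to-.exe rename, a startup-folder drop, non-browser HTTP egress) and reports a host only when several distinct stages occur within a short window. The event schema, the sample events and the discovery command list beyond `net view` are assumptions for illustration.

```python
from datetime import datetime, timedelta
# Constructed sample telemetry (not from the page or the NTT report): two hosts, one morning.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "ws01", "type": "process", "parent": "excel.exe", "image": "cmd.exe", "detail": "cmd.exe /c tasklist"},
    {"ts": "2024-01-10T09:00:09", "host": "ws01", "type": "process", "parent": "cmd.exe", "image": "net.exe", "detail": "net view"},
    {"ts": "2024-01-10T09:00:20", "host": "ws01", "type": "file_rename", "parent": "", "image": "up.exe", "detail": "C:\\Users\\u\\AppData\\Local\\Temp\\up.tmp -> C:\\Users\\u\\AppData\\Local\\Temp\\up.exe"},
    {"ts": "2024-01-10T09:00:31", "host": "ws01", "type": "file_create", "parent": "", "image": "up.exe", "detail": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\up.exe"},
    {"ts": "2024-01-10T09:01:02", "host": "ws01", "type": "network", "parent": "", "image": "up.exe", "detail": "http://203.0.113.5/index.php"},
    {"ts": "2024-01-10T11:00:00", "host": "ws02", "type": "process", "parent": "explorer.exe", "image": "cmd.exe", "detail": "cmd.exe /c net view"},
]

OFFICE = {"excel.exe", "winword.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# `net view` is from the page; the other commands are assumed stand-ins for the process,
# network-configuration, connection and local-group discovery techniques the page maps.
DISCOVERY = ("net view", "net localgroup", "tasklist", "ipconfig", "netstat", "whoami")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

def stage_of(ev):
    """Map one event to a chain stage name, or None if it is not interesting on its own."""
    d = ev["detail"].lower()
    if ev["type"] == "process":
        if ev["parent"] in OFFICE and ev["image"] in INTERPRETERS:
            return "office_spawned_interpreter"   # T1204.002 -> T1059.003 / T1059.005
        if any(d.startswith(c) or " " + c in d for c in DISCOVERY):
            return "discovery"                    # T1057, T1016, T1049, T1069.001, T1135
    elif ev["type"] == "file_rename" and ".tmp ->" in d and d.endswith(".exe"):
        return "tmp_to_exe_masquerade"            # T1036
    elif ev["type"] == "file_create" and "\\start menu\\programs\\startup\\" in d:
        return "startup_folder_persistence"       # T1547.001
    elif ev["type"] == "network" and d.startswith("http") and ev["image"] not in BROWSERS:
        return "non_browser_http_egress"          # T1071.001
    return None

def find_chains(events, window_minutes=30, min_stages=3):
    """Return {host: sorted stages} where >= min_stages distinct stages fall within window_minutes."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    findings = {}
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):   # hits are chronological, so hits[i:] are all >= t0
            stages = {s for t, s in hits[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(stages) >= min_stages:
                findings[host] = sorted(stages)
                break
    return findings
```

The lone `net view` on ws02 is exactly the administrative noise the page warns about and is not reported; ws01 is reported because five distinct stages land within one minute.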
Mitigation priorities
- Reduce initial execution risk through attachment filtering, safe handling controls, user reporting workflows, and restrictions on high-risk file types where operationally feasible.
- Harden Windows endpoints by limiting unnecessary script and command interpreter use, enforcing least privilege, and monitoring or controlling startup persistence locations.
- Strengthen egress governance: route outbound web traffic through monitored control points, restrict unnecessary direct Internet access, and retain sufficient proxy/DNS metadata for investigations.
- Review local administrator exposure and local group membership because discovery of users and groups can help an intruder identify higher-value accounts.
- Prepare IR runbooks that collect process trees, registry persistence, recently created files, outbound destinations, and data access evidence from affected Windows systems before evidence is lost.
Analyst notes and limits
This take is based on the supplied ATT&CK S0696 object, its external NTT Security reference, and the listed relationships. The most operationally useful context comes from the relationships: Flagpro is not just a downloader label; it is mapped to behaviors spanning initial access, execution, persistence, discovery, defense evasion, command-and-control, collection, transfer, and exfiltration-related activity.
ATT&CK provides no official detection guidance for this object, no aliases in the supplied fields, and no object-level tactics. The description supports Windows as the platform and historical use by BlackTech since at least October 2020, primarily against defense, media, and communications companies in Japan; it does not by itself prove current activity, local exposure, or detection coverage in any environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1132.001 | Standard Encoding | Flagpro has encoded bidirectional data communications between a target system and C2 server using Base64. [1] |
| Enterprise | T1010 | Application Window Discovery | Flagpro can check the name of the window displayed on the system. [1] |
| Enterprise | T1029 | Scheduled Transfer | Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2. [1] |
| Enterprise | T1614.001 | System Language Discovery | Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog. [1] |
| Enterprise | T1059.005 | Visual Basic | Flagpro can execute malicious VBA macros embedded in .xlsm files. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Flagpro can use `cmd.exe` to execute commands received from C2. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Flagpro has been delivered within ZIP or RAR password-protected archived files. [1] |
| Enterprise | T1005 | Data from Local System | Flagpro can collect data from a compromised host, including Windows authentication information. [1] |
| Enterprise | T1036 | Masquerading | Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution. [1] |
| Enterprise | T1204.002 | Malicious File | Flagpro has relied on users clicking a malicious attachment delivered through spearphishing. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Flagpro can download additional malware from the C2 server. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Flagpro has dropped an executable file to the startup directory. [1] |
| Enterprise | T1071.001 | Web Protocols | Flagpro can communicate with its C2 using HTTP. [1] |
| Enterprise | T1018 | Remote System Discovery | Flagpro has been used to execute |
| Enterprise | T1069.001 | Local Groups | Flagpro has been used to execute the |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Flagpro has exfiltrated data to the C2 server. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Flagpro has been used to run the |
| Enterprise | T1135 | Network Share Discovery | Flagpro has been used to execute `net view` to discover mapped network shares. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Flagpro has been used to execute the |
| Enterprise | T1106 | Native API | Flagpro can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment | Flagpro has been distributed via spearphishing as an email attachment. [1] |
| Enterprise | T1070 | Indicator Removal | Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections. [1] |
| Enterprise | T1049 | System Network Connections Discovery | Flagpro has been used to execute |
| Enterprise | T1057 | Process Discovery | Flagpro has been used to run the |
Groups, software, and campaigns
G0098: BlackTech
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 679422ac9ec1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] NTT Security Flagpro new December 2021: Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. (Open source URL)
[2] mitre-attack S0696. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.