S1041: Chinoxy
Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[1]
Analyst context for executives and security teams
Chinoxy is a Windows backdoor associated in ATT&CK with the FunnyDream campaign. Its business relevance is that it represents post-compromise access intended to persist and deliver additional payloads, so the key decision is not just “can we find this malware,” but whether Windows endpoint, registry, DLL, and file-obfuscation evidence is good enough to prove or disprove persistence and follow-on activity during an investigation.
Executive priority
Prioritize Chinoxy as an incident-readiness and control-validation issue for Windows environments, especially where government, foreign organization, or Southeast Asia-related exposure is relevant to risk discussions. Leaders should ask whether teams can rapidly validate Registry Run Key or Startup Folder persistence, suspicious DLL abuse, and encoded or obfuscated payloads, because those controls and evidence sources determine containment speed, audit defensibility, and confidence that additional payload delivery has been investigated.
Technical view
ATT&CK does not provide a dedicated detection section for Chinoxy, so SOC and IR validation should be built from the related behaviors: Windows persistence through Registry Run Keys or Startup Folder, DLL abuse for execution or stealth, encrypted or encoded files, and deobfuscation or decoding activity. Detection engineering should test whether endpoint telemetry captures registry autorun modifications, new or unusual startup-folder artifacts, DLL creation/loading from suspicious locations, files whose names or locations imitate legitimate resources, and decode/deobfuscation patterns tied to malware execution. Relationship context links Chinoxy to FunnyDream, but local investigation should treat that as context rather than proof of attribution.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships
- Windows Registry changes, especially Run Keys and autorun-related locations
- Startup Folder file creation or modification events
- DLL file creation, modification, and load events
- File path, filename, and resource-location metadata for masquerading-style review
Detection direction
- Do not rely on malware name matching alone; validate behavior-based coverage for persistence, DLL abuse, and obfuscated-file handling.
- Tune autorun detections to distinguish legitimate software installation or update activity from unexpected user-context persistence.
- Review DLL detections for false positives from normal application loading while prioritizing unusual paths, newly written DLLs, and mismatched naming or location patterns.
- Confirm that telemetry is retained long enough to reconstruct when persistence was created and whether additional payloads were dropped.
- Use the FunnyDream relationship as threat-intelligence context for scoping, not as standalone attribution or confirmation of compromise.
Mitigation priorities
- Harden and monitor Windows autorun locations, including Registry Run Keys and Startup Folders.
- Apply least-privilege and application-control practices where feasible to reduce unauthorized persistence and payload execution.
- Improve endpoint visibility for DLL loading and suspicious file placement or naming patterns.
- Ensure IR playbooks include host isolation, persistence removal, payload scoping, and evidence preservation for Windows backdoor cases.
- Maintain vulnerability and patch hygiene as supporting controls, while recognizing the supplied ATT&CK object emphasizes persistence, payload dropping, stealth, and DLL abuse rather than a specific exploit path.
Analyst notes and limits
The supplied ATT&CK record identifies Chinoxy as a backdoor used since at least November 2018 during FunnyDream, with reported use by Chinese-speaking threat actors. The actionable defensive value comes mainly from the technique relationships: encrypted or encoded files, deobfuscation, resource-name or location matching, Registry Run Key or Startup Folder persistence, and DLL abuse.
ATT&CK does not specify Chinoxy tactics on the malware object and provides no official detection guidance. The source material supplied supports Windows as the platform and the listed technique relationships, but does not support claims of current activity, guaranteed detection logic, customer exposure, or definitive attribution. Local telemetry and environment baselines are required to determine relevance and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1574.001 | DLL | Chinoxy can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its DLL into memory. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | The Chinoxy dropping function can initiate decryption of its config file. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Chinoxy has established persistence via the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key and by loading a dropper to `%COMMON_STARTUP%\eoffice.exe`. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Chinoxy has encrypted its configuration file. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Chinoxy has used the name `eoffice.exe` in an attempt to appear as a legitimate file. [1] |
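As an added example (not ATT&CK, Bitdefender or Glexia code), the following Python triages constructed Sysmon-style events for the behaviours in the table above and in the detection-direction list: a Run-key value pointing at a user-writable path, a drop into the all-users Startup folder, and a signed host image loading an unsigned DLL from a user-writable location, while letting a legitimate installer's Run-key entry pass. Event field names and sample paths (including `signed_host.exe` and `helper.dll`) are assumptions.

```python
"""Triage Chinoxy-style persistence and DLL-abuse indicators in endpoint telemetry.

Added example; not ATT&CK, Bitdefender or Glexia code. Events are simplified,
Sysmon-style dicts constructed here, and the field names are assumptions."""
import re

# Constructed sample events. signed_host.exe stands in for the signed binary the
# ATT&CK entry describes; the OneDrive entry models legitimate autorun activity.
SAMPLE_EVENTS = [
    {"type": "registry_set", "user": r"CORP\jdoe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\eoffice",
     "data": r"C:\Users\jdoe\AppData\Roaming\eoffice.exe"},
    {"type": "file_create", "user": r"CORP\jdoe",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\eoffice.exe"},
    {"type": "image_load", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\AppData\Roaming\signed_host.exe", "image_signed": True,
     "loaded": r"C:\Users\jdoe\AppData\Roaming\helper.dll", "loaded_signed": False},
    {"type": "registry_set", "user": r"NT AUTHORITY\SYSTEM",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# T1547.001: Run / RunOnce keys under either hive, and the Startup folder.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)
# Locations an ordinary user can typically write to; legitimate installers rarely
# point autorun entries there, so this is the main false-positive filter.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def triage(events):
    """Return (rule, event) pairs for events matching the behaviours on this page."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_KEY.search(ev["key"]) \
                and USER_WRITABLE.search(ev["data"]):
            hits.append(("T1547.001 Run key pointing at user-writable path", ev))
        elif kind == "file_create" and STARTUP_DIR.search(ev["path"]):
            hits.append(("T1547.001 file dropped into Startup folder", ev))
        elif kind == "image_load" and ev.get("image_signed") \
                and not ev.get("loaded_signed") and USER_WRITABLE.search(ev["loaded"]):
            hits.append(("T1574.001 signed image loading unsigned DLL from user-writable path", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, "|", ev.get("key") or ev.get("path") or ev.get("loaded"))
```

The HKLM OneDrive event is deliberately not flagged: its target lives under Program Files, which is the distinction the detection-direction list asks autorun rules to make.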
Groups, software, and campaigns
C0007: FunnyDream
FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 971336b152fc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bitdefender FunnyDream Campaign November 2020: Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Bitdefender. Retrieved September 19, 2022.
[2] MITRE ATT&CK. S1041: Chinoxy.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.