S1044: FunnyDream
FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[1]
Analyst context for executives and security teams
FunnyDream is a Windows backdoor described by ATT&CK as a multi-component tool used in the FunnyDream campaign since at least 2019, primarily for execution and exfiltration. Its ATT&CK relationships matter because they span discovery, command execution, credential collection via keylogging, data staging, C2 obfuscation/proxying, tool transfer, and exfiltration over the C2 channel. For leaders, the practical issue is not just one malware family; it is whether Windows endpoint, identity, network, and incident-response telemetry can reconstruct a full intrusion path when a backdoor blends command execution, collection, and cleanup.
Executive priority
Prioritize FunnyDream as a validation case for resilience against espionage-style backdoor activity on Windows systems. The decision value is in confirming whether the organization can detect and investigate suspicious WMI or command-shell execution, discovery activity, removable-media and local-data collection, unusual C2 channels, and exfiltration over existing C2. This supports budget and audit conversations around endpoint logging, network visibility, identity monitoring, egress controls, and incident-response readiness rather than relying on malware-name-based detection alone.
Technical view
ATT&CK provides no dedicated detection text for S1044, so defenders should map coverage to the related techniques. Validate Windows telemetry for command execution through Windows Command Shell and WMI, registry queries, process/window/user/network/file discovery, DLL injection indicators, keylogging-related behavior, masqueraded tasks or services, local staging, file deletion, tool transfer, proxy use, non-application-layer C2, data obfuscation, and exfiltration over C2. SOC teams should correlate host process ancestry, service/task creation or naming anomalies, registry access, file staging/deletion, removable-media access, and outbound network behavior rather than expecting a single signature to be sufficient.
Likely telemetry
- Windows endpoint process creation and command-line logging
- WMI activity and remote/local management event logs
- Registry query and modification telemetry
- Service and scheduled task creation or change records
- File creation, staging, access, and deletion events
Detection direction
- Build detections around behavior clusters: discovery followed by collection/staging, tool transfer, and outbound C2/exfiltration activity.
- Tune Windows Command Shell and WMI analytics for unusual parent processes, uncommon administrative context, suspicious command sequences, or activity outside normal admin baselines.
- Review service/task names for masquerading, especially names that imitate legitimate services but have unusual paths, owners, descriptions, or creation times.
- Correlate file deletion with prior tool drops, staging directories, or execution events to reduce blind spots caused by indicator removal.
- Monitor for outbound traffic that does not match expected application-layer patterns, proxy-like behavior, or encoded/obfuscated C2 content; account for legitimate administrative and network tools to manage false positives.
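Two of the behaviour clusters above turned into concrete detection logic, as an added example (not ATT&CK or Glexia code): the four-part `whoami` chain quoted under T1033, and a `WSearch` service whose binary is not the real Windows Search indexer (T1036.004 / T1543.003). The event shape and the anomalous service path are constructed for illustration; the expected SearchIndexer path is the Windows default and should be checked against your own build baseline.

```python
import re
from typing import Dict, List

# Constructed sample events (not from a real incident), shaped like Windows
# process-creation (4688 / Sysmon 1) and service-install (7045) telemetry.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "WS01", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami/upn&whoami/fqdn&whoami/logonid&whoami/all"},
    {"type": "process", "host": "WS01", "image": "whoami.exe",
     "cmdline": "whoami /all"},
    {"type": "service", "host": "WS01", "name": "WSearch",
     "image_path": r"C:\ProgramData\wsearch\wsearch.exe"},  # constructed path, not a real IoC
    {"type": "service", "host": "WS02", "name": "WSearch",
     "image_path": r"C:\Windows\system32\SearchIndexer.exe /Embedding"},
]

# The whoami chain from the T1033 procedure text; whitespace-tolerant so both the
# compact "whoami/upn&whoami/fqdn" and the spaced "whoami /upn & whoami /fqdn" forms match.
WHOAMI_CHAIN = re.compile(
    r"whoami\s*/upn\s*&\s*whoami\s*/fqdn\s*&\s*whoami\s*/logonid\s*&\s*whoami\s*/all", re.I)

# Expected binary for the genuine Windows Search service. A service named WSearch that
# points anywhere else is a masquerade candidate. Extend this map from your gold image.
EXPECTED_SERVICE_BINARIES = {"wsearch": r"c:\windows\system32\searchindexer.exe"}


def detect_user_discovery_chain(ev: Dict[str, str]) -> bool:
    """T1033: one command line that chains all four whoami queries."""
    return ev["type"] == "process" and bool(WHOAMI_CHAIN.search(ev["cmdline"]))


def detect_service_masquerade(ev: Dict[str, str]) -> bool:
    """T1036.004: a known service name whose ImagePath is not the expected binary."""
    if ev["type"] != "service":
        return False
    expected = EXPECTED_SERVICE_BINARIES.get(ev["name"].lower())
    if expected is None:
        return False
    binary = ev["image_path"].lower().strip('"').split(" /")[0]  # drop args such as /Embedding
    return binary != expected


def run_detections(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per matching event, tagged with the ATT&CK technique it maps to."""
    alerts = []
    for ev in events:
        if detect_user_discovery_chain(ev):
            alerts.append({"host": ev["host"], "technique": "T1033", "detail": ev["cmdline"]})
        if detect_service_masquerade(ev):
            alerts.append({"host": ev["host"], "technique": "T1036.004", "detail": ev["image_path"]})
    return alerts
```

Calling `run_detections(EVENTS)` yields two alerts for WS01 and none for WS02, whose WSearch entry points at the real indexer.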
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage is sufficient before relying on alerting for this behavior set.
- Restrict and monitor administrative execution paths such as WMI and command shell use, with documented exceptions for legitimate operations.
- Harden service and scheduled task creation permissions and review change-control evidence for new or modified persistence-like entries.
- Apply egress filtering and network monitoring to make proxying, unusual protocols, and C2-based exfiltration harder to hide.
- Protect sensitive data locations and removable-media workflows with access controls, monitoring, and least-privilege practices.
Analyst notes and limits
The strongest defensive use of this object is as a coverage checklist for Windows backdoor tradecraft tied to the FunnyDream campaign relationship and the listed ATT&CK techniques. The supplied campaign context notes suspected espionage targeting of government and foreign organizations in parts of Southeast Asia, but local relevance should be determined through sector, geography, exposure, and telemetry review.
ATT&CK lists the malware platform as Windows and provides no official detection section, aliases, labels, or object-level tactics. Technique relationships provide useful behavioral context, but they do not prove the same activity is present in every environment or that existing tools will detect it. Local baselines, logging quality, and incident evidence are required for prioritization.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.003 | Windows Service (sub-technique) | FunnyDream has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | FunnyDream can use a Registry Run Key and the Startup folder to establish persistence. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | FunnyDream can use WMI to open a Windows command shell on a remote machine. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | The FunnyDream FilepakMonitor component can detect removable drive insertion. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | FunnyDream can stage collected information, including screen captures and logged keystrokes, locally. [1] |
| Enterprise | T1559.001 | Component Object Model (sub-technique) | FunnyDream can use COM objects identified with `CLSID_ShellLink` (`IShellLink` and `IPersistFile`) and `WScript.Shell` (`RegWrite` method) to enable persistence mechanisms. [1] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | FunnyDream can use `rundll32` for execution of its components. [1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` APIs to load the DLL component. [1] |
| Enterprise | T1572 | Protocol Tunneling | FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2. [1] |
| Enterprise | T1057 | Process Discovery | FunnyDream has the ability to discover processes, including `Bka.exe` and `BkavUtil.exe`. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | FunnyDream has used a service named `WSearch` for execution. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | FunnyDream can execute commands, including gathering user information, and send the results to C2. [1] |
| Enterprise | T1018 | Remote System Discovery | FunnyDream can collect information about hosts on the victim network. [Kaspersky APT Trends Q1 2020] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | The FunnyDream Keyrecord component can capture keystrokes. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | FunnyDream can parse the `ProxyServer` string in the Registry to discover HTTP proxies. [1] |
| Enterprise | T1033 | System Owner/User Discovery | FunnyDream has the ability to gather user information from the targeted system using `whoami/upn&whoami/fqdn&whoami/logonid&whoami/all`. [1] |
| Enterprise | T1124 | System Time Discovery | FunnyDream can check system time to help determine when changes were made to specified files. [1] |
| Enterprise | T1012 | Query Registry | FunnyDream can check `Software\Microsoft\Windows\CurrentVersion\Internet Settings` to extract the `ProxyServer` string. [1] |
| Enterprise | T1119 | Automated Collection | FunnyDream can monitor files for changes and automatically collect them. [1] |
| Enterprise | T1113 | Screen Capture | The FunnyDream ScreenCap component can take screenshots on a compromised host. [1] |
| Enterprise | T1090 | Proxy | FunnyDream can identify and use configured proxies in a compromised network for C2 communication. [1] |
| Enterprise | T1560.002 | Archive via Library (sub-technique) | FunnyDream has compressed collected files with zLib. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | FunnyDream can download additional files onto a compromised host. [1] |
| Enterprise | T1070 | Indicator Removal | FunnyDream has the ability to clean traces of malware deployment. [1] |
| Enterprise | T1106 | Native API | FunnyDream can use Native API for defense evasion, discovery, and collection. [1] |
| Enterprise | T1005 | Data from Local System | FunnyDream can upload files from victims' machines. [1] [Kaspersky APT Trends Q1 2020] |
| Enterprise | T1001 | Data Obfuscation | FunnyDream can send compressed and obfuscated packets to C2. [1] |
| Enterprise | T1560.003 | Archive via Custom Method (sub-technique) | FunnyDream has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line, or `qwerasdf` if the command line argument doesn't contain the key. File names are obfuscated using XOR with the same key as the compressed file content. [1] |
| Enterprise | T1025 | Data from Removable Media | The FunnyDream FilePakMonitor component has the ability to collect files from removable devices. [1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | FunnyDream can identify the processes for Bkav antivirus. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | FunnyDream can use `cmd.exe` for execution on remote hosts. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | FunnyDream can Base64 encode its C2 address stored in a template binary with the `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-` or `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=` character sets. [1] |
| Enterprise | T1680 | Local Storage Discovery | FunnyDream can enumerate all logical drives on a targeted machine. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | FunnyDream can delete files, including its dropper component. [1] |
| Enterprise | T1083 | File and Directory Discovery | FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | FunnyDream can communicate with C2 over TCP and UDP. [1] |
| Enterprise | T1010 | Application Window Discovery | FunnyDream has the ability to discover application windows via execution of `EnumWindows`. [1] |
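An added triage helper (not the malware's, ATT&CK's or Glexia's code) for two artifacts the table describes: the custom-alphabet Base64 C2 string under T1027.013, and the zlib-then-XOR staging transform with the `qwerasdf` fallback key under T1560.003, so that staged files can be recovered during incident scoping. It assumes the encoding is unpadded with out-of-alphabet characters ignored, and that compression happens before the XOR; the file name, content and the TEST-NET address `203.0.113.10` are constructed, not real indicators.

```python
import zlib
from itertools import cycle
from typing import Optional, Tuple

# Alphabets as listed under T1027.013 and the default XOR key from T1560.003.
# Everything else in this block is constructed for illustration.
FD_ALPHABETS = (
    "xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-",
    "xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=",
)
DEFAULT_XOR_KEY = b"qwerasdf"

def custom_b64_encode(data: bytes, alphabet: str) -> str:
    """Unpadded Base64 over a custom alphabet; used here only to build sample input."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)
    return "".join(alphabet[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))

def custom_b64_decode(text: str, alphabet: str) -> bytes:
    """Bit-level decode. Assumption: characters outside the alphabet are skipped, so stray
    padding cannot collide with '=' being a data symbol in the second alphabet."""
    table = {c: i for i, c in enumerate(alphabet)}
    bits = "".join(f"{table[c]:06b}" for c in text if c in table)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))

def decode_c2_string(text: str) -> Optional[bytes]:
    """Try each documented alphabet; return the first decode that is printable ASCII."""
    for alphabet in FD_ALPHABETS:
        if set(text) <= set(alphabet):
            out = custom_b64_decode(text, alphabet)
            if out and all(32 <= b < 127 for b in out):
                return out
    return None

def xor_with_key(data: bytes, key: bytes = DEFAULT_XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call applies and removes it."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_staged_file(obf_name: bytes, blob: bytes, key: bytes = DEFAULT_XOR_KEY) -> Tuple[str, bytes]:
    """Reverse the T1560.003 transform: strip the XOR, then zlib-inflate the content.
    The name is XORed with the same key, as the procedure text states (assumed ordering)."""
    name = xor_with_key(obf_name, key).decode("utf-8", errors="replace")
    return name, zlib.decompress(xor_with_key(blob, key))

def build_constructed_sample() -> Tuple[bytes, bytes, str]:
    """Constructed stand-in for one staged file plus an encoded C2 string (not real IoCs)."""
    name, content = b"report_q1.docx", b"constructed document body " * 8
    c2 = custom_b64_encode(b"203.0.113.10:443", FD_ALPHABETS[0])  # TEST-NET-3 placeholder
    return xor_with_key(name), xor_with_key(zlib.compress(content)), c2
```

If a captured sample was launched with a different key on its command line, pass that key to `recover_staged_file` instead of relying on the fallback.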
Groups, software, and campaigns
C0007: FunnyDream
FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | c4847b4261b4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bitdefender FunnyDream Campaign November 2020: Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
[2] mitre-attack S1044
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.