S1051: KEYPLUG
Analyst context for executives and security teams
KEYPLUG is a reported modular C++ backdoor with Windows and Linux variants associated in ATT&CK with APT41 and campaign C0017. Its business significance is not just the malware name: the supplied relationships point to command-and-control that can blend into web traffic, use proxies, non-application protocols, dead drop resolvers, and cryptography, making incident scoping and egress visibility especially important.
Executive priority
Treat KEYPLUG as a validation case for resilience against post-compromise backdoors on both Windows and Linux, especially where Internet-facing web applications are part of the attack surface. Leaders should ask whether vulnerable external applications are prioritized quickly, whether SOC teams can investigate suspicious outbound communications beyond simple domain blocking, and whether audit evidence exists for endpoint, proxy, DNS, firewall, and network telemetry retention.
Technical view
ATT&CK provides no official detection text for KEYPLUG, so defenders should build coverage from the related techniques: encrypted or encoded files, deobfuscation/decoding, web protocol C2, proxy use, non-application-layer communications, dead drop resolver behavior, asymmetric cryptography, and system time discovery. Validate coverage across Windows and Linux hosts, with emphasis on unusual outbound patterns, encoded artifacts, process-to-network correlations, and systems contacting legitimate external services that may redirect or point to C2 infrastructure.
Likely telemetry
- Windows and Linux endpoint process execution and file creation/modification telemetry
- EDR or host logs showing suspicious decoding/deobfuscation behavior and encoded or encrypted artifacts
- Web proxy, secure web gateway, firewall, and NetFlow records for outbound web protocol traffic
- DNS logs and external service access records relevant to possible dead drop resolver behavior
- Network telemetry for proxying, tunneled, UDP, ICMP, SOCKS, or other non-standard outbound communications
Detection direction
- Do not rely on a KEYPLUG signature alone; ATT&CK does not provide detection logic for this object.
- Tune analytics around rare or newly observed outbound destinations, unusual user-agent or protocol patterns, and processes making network connections inconsistent with their role.
- Correlate encoded/encrypted files with subsequent decode/deobfuscation activity and outbound network sessions.
- Review visibility gaps for Linux servers, since KEYPLUG is documented with both Linux and Windows variants.
- Account for false positives from legitimate encrypted traffic, proxies, system administration tools, and normal web services; prioritize correlations across host and network evidence.
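The "Technical view" and "Detection direction" items above describe a correlation rather than a signature: rare outbound destinations, processes whose network use does not fit their role, and an encoded or decoded file followed shortly by an outbound session from the same process. The script below is an added illustration of that correlation, not code from the page, ATT&CK or Mandiant. The events, host names, process names, destinations and the per-process protocol baseline are all constructed; they are not KEYPLUG indicators. A real pipeline would feed normalised EDR and proxy records into the same three functions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption: one normalised record per host event,
# as an EDR/proxy pipeline might emit). None of these values are real indicators.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "web01", "proc": "httpd", "type": "net",
     "dst": "api.vendor.example", "port": 443, "proto": "tcp"},
    {"ts": "2024-01-10T09:05:00", "host": "web02", "proc": "httpd", "type": "net",
     "dst": "api.vendor.example", "port": 443, "proto": "tcp"},
    # web01's web server writes a hidden file, then reaches a community forum
    # (a dead-drop-resolver-style lookup looks like normal web traffic) and then
    # starts a UDP session to a raw IP on a non-standard port.
    {"ts": "2024-01-10T09:10:00", "host": "web01", "proc": "httpd", "type": "file",
     "path": "/tmp/.cfg.dat", "action": "write"},
    {"ts": "2024-01-10T09:11:00", "host": "web01", "proc": "httpd", "type": "net",
     "dst": "forum.example-community.test", "port": 443, "proto": "tcp"},
    {"ts": "2024-01-10T09:12:00", "host": "web01", "proc": "httpd", "type": "net",
     "dst": "203.0.113.7", "port": 8443, "proto": "udp"},
    # A workstation browser visiting the same forum is ordinary user traffic.
    {"ts": "2024-01-10T09:30:00", "host": "ws05", "proc": "firefox", "type": "net",
     "dst": "forum.example-community.test", "port": 443, "proto": "tcp"},
]

# Constructed baseline: (proto, port) pairs each process role normally uses outbound.
EXPECTED_PROTO = {
    "httpd": {("tcp", 443), ("tcp", 80)},
    "firefox": {("tcp", 443), ("tcp", 80)},
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def rare_destinations(events, max_hosts=1):
    """Destinations contacted by at most `max_hosts` distinct hosts in the window."""
    hosts_by_dst = defaultdict(set)
    for e in events:
        if e["type"] == "net":
            hosts_by_dst[e["dst"]].add(e["host"])
    return sorted(d for d, hosts in hosts_by_dst.items() if len(hosts) <= max_hosts)


def role_inconsistent(events, expected=EXPECTED_PROTO):
    """Network events whose (proto, port) falls outside the process role's baseline."""
    return [e for e in events
            if e["type"] == "net"
            and (e["proto"], e["port"]) not in expected.get(e["proc"], set())]


def file_then_network(events, window=timedelta(minutes=5)):
    """Pair a file write with outbound sessions from the same host/process within `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["proc"])].append(e)
    hits = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, f in enumerate(evs):
            if f["type"] != "file":
                continue
            t0 = parse_ts(f["ts"])
            for n in evs[i + 1:]:
                if n["type"] == "net" and parse_ts(n["ts"]) - t0 <= window:
                    hits.append((key, f["path"], n["dst"]))
    return hits


def triage(events):
    """Combine the three signals per (host, process); more independent signals rank higher."""
    signals = defaultdict(set)
    rare = set(rare_destinations(events))
    for e in events:
        if e["type"] == "net" and e["dst"] in rare:
            signals[(e["host"], e["proc"])].add("rare_destination")
    for e in role_inconsistent(events):
        signals[(e["host"], e["proc"])].add("role_inconsistent")
    for key, _, _ in file_then_network(events):
        signals[key].add("file_then_network")
    return sorted(signals.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for (host, proc), sig in triage(EVENTS):
        print(f"{host}/{proc}: {', '.join(sorted(sig))}")
```

Note that the forum destination is contacted by two hosts, so the rare-destination rule alone never flags it; it is the pairing with the file write and the role-inconsistent UDP session from the same web server process that surfaces web01, while the workstation browser produces no signal at all.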
Mitigation priorities
- Prioritize vulnerability management and rapid remediation for Internet-facing web applications, reflecting the supplied C0017 campaign context.
- Enforce controlled outbound access through monitored proxies or gateways where operationally feasible.
- Maintain endpoint protection and logging coverage on both Windows and Linux systems, including servers that often have weaker telemetry.
- Harden egress filtering and alerting for unusual web, proxy, and non-application-layer communications.
- Preserve sufficient logs for incident response scoping, including endpoint, DNS, proxy, firewall, and network-flow data.
Analyst notes and limits
The most decision-relevant ATT&CK context is KEYPLUG’s association with APT41, its use in C0017, its Windows and Linux variants, and its relationships to multiple command-and-control and stealth techniques. This makes it useful as a control validation scenario for egress monitoring, Linux endpoint visibility, and exploit-to-backdoor incident response readiness.
The supplied ATT&CK object does not include official detection guidance, aliases, labels, or object-level tactics. This take therefore avoids asserting specific indicators, active exploitation, guaranteed detection, or customer exposure. Local environment baselines and telemetry quality are required to determine actual coverage.
KEYPLUG
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.[1] |
| Enterprise | T1124 | System Time Discovery | KEYPLUG can obtain the current tick count of an infected computer.[1] |
| Enterprise | T1102.001 | Dead Drop Resolver (sub-technique) | The KEYPLUG Windows variant has retrieved C2 addresses from encoded data in posts on tech community forums.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | KEYPLUG can decode its configuration file to determine C2 protocols.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.[1] |
| Enterprise | T1090 | Proxy | KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication.[1] |
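The T1027.013 and T1140 rows say the configuration is protected with a single hardcoded XOR byte and decoded at runtime to select the C2 protocol. For an analyst with a recovered file, that means the key can be recovered by exhaustive trial over all 256 values and ranking the outputs by how text-like they are. The script below is an added triage example, not code from the page, ATT&CK or Mandiant; the configuration text, its key=value layout and the key 0x5A are constructed for the demonstration and say nothing about KEYPLUG's real configuration format.

```python
import string

# Bytes Python considers printable ASCII (digits, letters, punctuation, whitespace).
PRINTABLE = frozenset(string.printable.encode("ascii"))

# Constructed sample configuration in an assumed key=value layout (not KEYPLUG's format).
SAMPLE_CONFIG = (
    b"proto=wss\r\n"
    b"host=forum.example.test\r\n"
    b"port=443\r\n"
    b"retry=10\r\n"
    b"note=\tKind ~ contact ops@example.test\r\n"
)
SAMPLE_KEY = 0x5A  # constructed key for the demonstration


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


ENCODED_SAMPLE = xor_single_byte(SAMPLE_CONFIG, SAMPLE_KEY)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for clean text."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def rank_single_byte_xor(blob: bytes, top: int = 3):
    """Try all 256 keys and return the `top` (key, plaintext) pairs by printable ratio.

    Ties are broken by the lower key so the result is deterministic."""
    scored = [(printable_ratio(xor_single_byte(blob, k)), k) for k in range(256)]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(k, xor_single_byte(blob, k)) for _, k in scored[:top]]


def parse_kv(text: bytes) -> dict:
    """Parse key=value lines (CRLF or LF) from a decoded configuration (assumed layout)."""
    cfg = {}
    for line in text.decode("ascii", errors="replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def recover_config(blob: bytes):
    """Best-scoring key and the parsed configuration it yields."""
    key, plaintext = rank_single_byte_xor(blob, top=1)[0]
    return key, parse_kv(plaintext)


if __name__ == "__main__":
    key, cfg = recover_config(ENCODED_SAMPLE)
    print(f"key=0x{key:02x} proto={cfg.get('proto')} host={cfg.get('host')} port={cfg.get('port')}")
```

The printable-ratio score is deliberately simple: it is enough to single out the one key that turns the whole blob into clean text, and the recovered `proto` and `host` fields are what feed the egress hunting described under "Detection direction". Real samples should be handled in an isolated analysis environment, and the decoded fields treated as leads to validate against proxy and DNS telemetry rather than as confirmed indicators.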
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
C0017: C0017
C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During C0017, APT41 was quick to adapt and use publicly disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown; however, APT41 was observed exfiltrating Personally Identifiable Information (PII).[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | cdc6c85236bd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant APT41: Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- [2] KEYPLUG.LINUX (Citation: Mandiant APT41)
- [3] mitre-attack S1051
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.