S1052: DEADEYE
Analyst context for executives and security teams
DEADEYE matters because it is a Windows malware launcher associated in ATT&CK with APT41 activity and a campaign against U.S. state government networks. Its value to an attacker is not a single action but the ability to carry and launch payloads while using obfuscation, masquerading, command shell execution, and trusted Windows utilities such as msiexec and rundll32. For leaders, this makes it a test of whether endpoint, SOC, and incident response programs can see suspicious launch chains rather than only known malware names.
Executive priority
Prioritize DEADEYE as a resilience and readiness issue where Windows servers or workstations are exposed to post-compromise activity, especially in environments with Internet-facing web applications. The ATT&CK relationship to campaign C0017 highlights the business importance of vulnerability management on externally reachable applications, rapid investigation after exploit activity, and evidence that endpoint telemetry can reconstruct payload launch, discovery, and defense-evasion behavior. Executives should ask whether teams can prove visibility into suspicious Windows installer, DLL execution, command shell, file obfuscation, and service/task naming patterns during an incident.
Technical view
ATT&CK lists DEADEYE as a Windows malware launcher with DEADEYE.EMBED and DEADEYE.APPEND variants, and relates it to techniques including Embedded Payloads, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Masquerade Task or Service, Windows Command Shell, Native API, Msiexec, Rundll32, Execution Guardrails, NTFS File Attributes, System Information Discovery, and System Network Configuration Discovery. Because no official ATT&CK detection text is provided, SOC validation should focus on behavior-chain coverage: creation or execution of unusual embedded/appended payload files, suspicious cmd.exe activity, msiexec.exe or rundll32.exe launching unexpected local or network content, anomalous service or scheduled task naming, discovery commands, and file artifacts that may use NTFS attributes or obfuscation.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Parent-child process relationships involving cmd.exe, msiexec.exe, rundll32.exe, services, and scheduled task mechanisms
- File creation, modification, and execution metadata for binaries, DLLs, MSI content, and files with appended or embedded payload characteristics
- Endpoint detection telemetry for encoded, encrypted, decoded, or deobfuscated content
- Windows service and scheduled task creation or modification logs
Detection direction
- Validate detections around suspicious use of msiexec.exe and rundll32.exe, with tuning for legitimate software installation and administration activity.
- Correlate payload execution with preceding file writes, decode/deobfuscation behavior, and command shell activity rather than relying on file names or signatures alone.
- Review service and task names for masquerading, especially names that imitate legitimate Windows or enterprise software components.
- Hunt for discovery behavior on Windows hosts after suspected initial access, including system and network configuration enumeration.
- Include file-analysis workflows that can inspect binaries or files for embedded, appended, encoded, or encrypted content.
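The correlation described in the detection direction above, worked as an added example that is not part of the ATT&CK mirror or of any vendor's detection content. It runs over constructed Sysmon-style process-creation events and flags three behaviors the page documents: a `cmd /c copy /y /b` concatenation of split parts into a DLL (T1140, T1059.003), a later rundll32/msiexec execution of that staged DLL within a time window (T1218), and `schtasks /change` against the four masqueraded task paths listed in the techniques table (T1036.004). The event field names (`ts`, `pid`, `ppid`, `image`, `cmdline`), the timestamps, the `,Start` export in the rundll32 command line and the benign msiexec and backup-task events are all assumptions constructed for the example.

```python
"""Added detection example: correlate a DEADEYE-style launch chain across
constructed process-creation events. Event field names and sample values are
assumptions for this example, not telemetry from any real incident."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Masqueraded task paths named in the ATT&CK relationship text (T1036.004).
MASQUERADED_TASKS = {p.lower() for p in (
    r"\Microsoft\Windows\PLA\Server Manager Performance Monitor",
    r"\Microsoft\Windows\Ras\ManagerMobility",
    r"\Microsoft\Windows\WDI\SrvSetupResults",
    r"\Microsoft\Windows\WDI\USOShared",
)}

# Proxy-execution utilities ATT&CK associates with DEADEYE (T1218.007 / T1218.011).
PROXY_BINARIES = {"rundll32.exe", "msiexec.exe"}

# 'copy /y /b <wildcard parts> <target>.dll' concatenation (T1059.003 / T1140).
COPY_CONCAT = re.compile(r"copy\s+(?:/y\s+)?/b\s+(\S*\*\S*)\s+(\S+\.dll)", re.IGNORECASE)

# 'schtasks /change ... /tn <task path>' with or without quotes around the path.
SCHTASKS_CHANGE = re.compile(r'schtasks\s+/change\b.*?/tn\s+"?([^"]+?)"?(?:\s+/|$)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    technique: str
    ts: str
    detail: str


def _basename(path):
    """Image basename, lower-cased, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=10)):
    """Return findings for DLL concatenation, chained proxy execution of the
    staged DLL, and schtasks /change against masqueraded task names."""
    findings = []
    staged_dlls = []  # (timestamp, lower-cased DLL path) produced by copy /b
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image = _basename(ev["image"])
        cmd = ev["cmdline"]
        if image == "cmd.exe":
            m = COPY_CONCAT.search(cmd)
            if m:
                staged_dlls.append((ts, m.group(2).lower()))
                findings.append(Finding("copy_b_concat_dll", "T1140", ev["ts"],
                                        f"{m.group(1)} -> {m.group(2)}"))
        elif image in PROXY_BINARIES:
            # Only alert when the utility loads a DLL that was staged shortly before.
            for wts, dll in staged_dlls:
                if timedelta(0) <= ts - wts <= window and dll in cmd.lower():
                    findings.append(Finding("proxy_exec_of_staged_dll", "T1218", ev["ts"],
                                            f"{image} loaded {dll} staged {ts - wts} earlier"))
        elif image == "schtasks.exe":
            m = SCHTASKS_CHANGE.search(cmd)
            if m and m.group(1).strip().lower() in MASQUERADED_TASKS:
                findings.append(Finding("schtasks_change_masquerade", "T1036.004", ev["ts"],
                                        m.group(1).strip()))
    return findings


# Constructed sample telemetry (assumed field names; values are made up for the example).
SAMPLE_EVENTS = [
    {"ts": "2022-01-10T09:00:00", "pid": 4410, "ppid": 3200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll"},
    {"ts": "2022-01-10T09:00:04", "pid": 4412, "ppid": 3200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\public\syslog.dll,Start"},  # export name is hypothetical
    {"ts": "2022-01-10T09:01:30", "pid": 4420, "ppid": 3200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /change /tn "\Microsoft\Windows\WDI\USOShared" /tr C:\Users\public\updater.exe'},
    {"ts": "2022-01-10T10:30:00", "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Installer\1a2b.msi /qn"},  # benign install: no finding
    {"ts": "2022-01-10T11:00:00", "pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /change /tn "\Corp\NightlyBackup" /enable'},  # unrelated task: no finding
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts} {f.rule:28} {f.technique:10} {f.detail}")
```

The proxy-execution rule deliberately fires only when the rundll32 or msiexec command line references a DLL staged by an earlier concatenation inside the window, which is the tuning the page recommends: raw rundll32/msiexec usage is far too common to alert on by itself, while the chain is rare in legitimate administration. The window length and the task-path list are the knobs to adjust against local telemetry.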
Mitigation priorities
- Reduce the chance of related campaign-style intrusion by prioritizing remediation and monitoring of vulnerable Internet-facing web applications.
- Harden Windows execution paths by reviewing controls around script and command shell use, DLL execution, installer execution, and untrusted payload launch.
- Limit unnecessary administrative privileges and service/task creation rights on Windows systems.
- Ensure endpoint logging and EDR policies capture command lines, process ancestry, file events, service/task changes, and relevant NTFS artifact visibility.
- Prepare incident response playbooks that collect payload files, process trees, service/task data, and web application evidence before systems are rebuilt.
Analyst notes and limits
The strongest decision value is in the relationships: DEADEYE is a launcher, and ATT&CK links it to payload hiding, encoded content, proxy execution through Windows utilities, discovery, guardrails, and masquerading. The C0017 relationship also connects the malware to a campaign involving exploitation of vulnerable Internet-facing web applications, which makes vulnerability management and post-exploitation monitoring relevant defensive priorities.
MITRE provides no official detection guidance for this object, no aliases, and no object-level tactics. The platform field lists Windows for DEADEYE; related techniques may list additional platforms, but those should not be assumed for this malware without local evidence. This summary does not establish current activity, customer exposure, or guaranteed detection coverage.
DEADEYE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | DEADEYE has encrypted its payload. [1] |
| Enterprise | T1480 | Execution Guardrails | DEADEYE can ensure it executes only on intended systems by identifying the victim's volume serial number, hostname, and/or DNS domain. [1] |
| Enterprise | T1218.007 | Msiexec Sub-technique | DEADEYE can use `msiexec.exe` for execution of a malicious DLL. [1] |
| Enterprise | T1082 | System Information Discovery | DEADEYE can enumerate a victim computer's volume serial number and host name. [1] |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary. [1] |
| Enterprise | T1106 | Native API | DEADEYE can execute the `GetComputerNameA` and `GetComputerNameExA` WinAPI functions. [1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | DEADEYE can use `rundll32.exe` for execution of living off the land binaries (lolbin) such as `SHELL32.DLL`. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | DEADEYE can run `cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll` to combine separated sections of code into a single DLL prior to execution. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | DEADEYE can discover the DNS domain name of a targeted system. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | DEADEYE has used `schtasks /change` to modify scheduled tasks including `\Microsoft\Windows\PLA\Server Manager Performance Monitor`, `\Microsoft\Windows\Ras\ManagerMobility`, `\Microsoft\Windows\WDI\SrvSetupResults`, and `\Microsoft\Windows\WDI\USOShared`. [1] |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | The DEADEYE.EMBED variant of DEADEYE can embed its payload in an alternate data stream of a local file. [1] |
Groups, software, and campaigns
C0017
C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During C0017, APT41 was quick to adapt and use publicly disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown; however, APT41 was observed exfiltrating Personally Identifiable Information (PII).[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 507a152cf9c6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant APT41: Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. Open source URL.
- [2] DEADEYE.APPEND (Citation: Mandiant APT41)
- [3] DEADEYE.EMBED (Citation: Mandiant APT41)
- [4] mitre-attack S1052. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.