
S1086: Snip3

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]

Enterprise | S1086 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Snip3 matters because it is described by ATT&CK as a Windows crypter-as-a-service used to obfuscate and load multiple commodity RAT families, including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE. For leaders, the risk is not only one malware name; it is the defensive gap created when loaders, obfuscation, user-driven execution, and multi-stage command-and-control allow familiar malware to bypass static controls.

Executive priority

Prioritize Snip3 as a control-validation use case for phishing resilience, Windows endpoint visibility, script/WMI governance, and egress monitoring. The relationship to TA2541, a group described as targeting aviation, aerospace, transportation, manufacturing, and defense with high-volume commodity RAT campaigns, makes this especially relevant for organizations where remote access malware could affect business continuity, regulated operations, or cyber-physical risk. Budget and audit conversations should focus on whether controls detect the behavior chain, not whether a known hash is blocked.

Technical view

ATT&CK provides no official detection text for Snip3, so SOC and detection teams should validate coverage against the related techniques: obfuscated files and binary padding, PowerShell and Visual Basic execution, WMI execution, process hollowing, system and time-based anti-analysis checks, deobfuscation, Run Key/Startup Folder persistence, hidden windows, ingress tool transfer, web-service C2, multi-stage channels, drive-by compromise, malicious links/files, and spearphishing links/attachments. Treat Snip3 as a loader/crypter behavior cluster on Windows and correlate initial email or web activity with script execution, suspicious process ancestry, persistence creation, payload download, and outbound web-service communications.

Likely telemetry

  • Email security and mail gateway records for spearphishing attachments and links
  • Web proxy, DNS, and secure web gateway logs for malicious links, drive-by activity, downloads, and outbound web-service C2
  • Windows process creation telemetry, including parent-child relationships for script interpreters, WMI, and spawned payloads
  • PowerShell logging and command-line telemetry where enabled
  • WMI activity logs and endpoint management telemetry

Detection direction

  • Build detections around behavior chains rather than single indicators: phishing or web delivery followed by script/WMI execution, deobfuscation, process hollowing, persistence, and outbound C2.
  • Validate that Windows telemetry captures command lines, script content where appropriate, registry changes, file writes, and process ancestry; missing any of these can make loader activity appear as isolated benign events.
  • Tune PowerShell, Visual Basic, WMI, and hidden-window detections against legitimate administrative activity to reduce false positives without suppressing rare or risky combinations.
  • Review file-size limits and static-scanning assumptions because binary padding and obfuscation can weaken hash-based or size-limited controls.
  • Account for sandbox blind spots: system checks and time-based checks may cause samples to alter behavior during automated analysis.
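As an added example (not code from ATT&CK, Glexia, or either cited vendor), the following Python correlator implements the behavior-chain idea above: it maps constructed Windows endpoint events to the stages named on this page (script host spawned by a mail/Office/browser process, hidden PowerShell from a script host, a `Win32_ComputerSystem` WMI query, a VBS written to the Startup folder, and a fetch from Pastebin or top4top) and alerts only when several distinct stages cluster on one host inside a time window. The event field names and the sample events are assumptions, not a real telemetry schema.

```python
"""Behavior-chain correlation for the Snip3-style loader pattern above. Added example,
not ATT&CK/Glexia code; the event shape and sample events are constructed stand-ins for EDR telemetry."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DELIVERY_PARENTS = {"outlook.exe", "winword.exe", "chrome.exe", "msedge.exe"}

def stage_of(ev):
    """Map one endpoint event to a loader stage named on this page, or None."""
    kind, img, par = ev["kind"], ev.get("image", "").lower(), ev.get("parent", "").lower()
    cmd, path, dest = (ev.get(k, "").lower() for k in ("cmdline", "path", "dest"))
    if kind == "process" and img in SCRIPT_HOSTS and par in DELIVERY_PARENTS:
        return "T1204.002 user-executed VBS"           # mail/Office/browser spawns script host
    if kind == "process" and img == "powershell.exe" and par in SCRIPT_HOSTS and "hidden" in cmd:
        return "T1564.003 hidden PowerShell from script host"
    if kind == "wmi" and "win32_computersystem" in ev.get("query", "").lower():
        return "T1047/T1497.001 Win32_ComputerSystem query"  # sandbox/VM manufacturer check
    if kind == "file" and "\\programs\\startup\\" in path and path.endswith(".vbs"):
        return "T1547.001 VBS written to Startup folder"
    if kind == "network" and ("pastebin" in dest or "top4top" in dest):
        return "T1102 web-service payload fetch"
    return None

def correlate(events, window_s=600, min_stages=3):
    """Return {host: ordered distinct stages} for hosts where at least min_stages
    different stages occur within window_s seconds of that host's first stage hit."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            hits[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, seq in hits.items():
        t0 = seq[0][0]
        chain = list(dict.fromkeys(s for ts, s in seq if ts - t0 <= window_s))
        if len(chain) >= min_stages:   # single hits (e.g. an admin WMI query) never alert
            alerts[host] = chain
    return alerts

# Constructed sample telemetry: WS1 shows the chain, WS2 only a lone WMI query.
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS1", "kind": "process", "image": "wscript.exe", "parent": "outlook.exe"},
    {"ts": 105, "host": "WS1", "kind": "wmi", "query": "SELECT * FROM Win32_ComputerSystem"},
    {"ts": 130, "host": "WS1", "kind": "process", "image": "powershell.exe", "parent": "wscript.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -File stage2.ps1"},
    {"ts": 140, "host": "WS1", "kind": "file", "path": STARTUP},
    {"ts": 150, "host": "WS1", "kind": "network", "dest": "pastebin.com"},
    {"ts": 200, "host": "WS2", "kind": "wmi", "query": "SELECT * FROM Win32_ComputerSystem"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS1, with the five stages in the order they occurred; WS2's lone WMI query stays below the threshold, which is the false-positive behavior the tuning bullet above asks for.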

Mitigation priorities

  • Strengthen phishing and web-delivery controls first: attachment/link inspection, browser and document handling policy, and user reporting workflows for malicious files and links.
  • Harden Windows execution paths used in the related techniques, including script interpreter governance, PowerShell controls, WMI monitoring, and least-privilege administration.
  • Monitor and restrict persistence mechanisms such as Registry Run Keys and Startup Folder entries where operationally feasible.
  • Ensure endpoint controls can inspect or alert on obfuscation, process hollowing, suspicious child processes, and staged payload downloads rather than relying only on known hashes.
  • Improve outbound control and monitoring for unusual web-service use, multi-stage C2 patterns, and ingress tool transfer.

Analyst notes and limits

This take is based on ATT&CK S1086 for Snip3, its cited external references, and supplied relationships. The most decision-useful context is that Snip3 is a crypter/loader associated with obfuscation and delivery of multiple RAT families, with relationships spanning phishing, user execution, Windows scripting/WMI, stealth, persistence, and command-and-control behaviors.

ATT&CK does not provide official detection guidance for Snip3, and the object lists no explicit tactics. The malware platform is Windows, while some related techniques list broader platforms; platform-specific conclusions should therefore be limited to the supplied Snip3 platform and validated locally. No claim is made that any organization is exposed or that any detection is guaranteed.

Official MITRE ATT&CK definition

Snip3

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Snip3 can decode its second-stage PowerShell script prior to execution. [1]
Enterprise | T1102 | Web Service | Snip3 can download additional payloads from web services including Pastebin and top4top. [1]
Enterprise | T1059.005 | Visual Basic (sub-technique) | Snip3 can use Visual Basic scripts for first-stage execution. [1][2]
Enterprise | T1055.012 | Process Hollowing (sub-technique) | Snip3 can use RunPE to execute malicious payloads within a hollowed Windows process. [1][2]
Enterprise | T1027 | Obfuscated Files or Information | Snip3 has the ability to obfuscate strings using XOR encryption. [1]
Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Snip3 can create a VBS file in the Startup folder to persist after system restarts. [2]
Enterprise | T1204.002 | Malicious File (sub-technique) | Snip3 can gain execution through the download of Visual Basic files. [1][2]
Enterprise | T1082 | System Information Discovery | Snip3 has the ability to query `Win32_ComputerSystem` for system information. [1]
Enterprise | T1204.001 | Malicious Link (sub-technique) | Snip3 has been executed by luring victims into clicking malicious links. [2]
Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | Snip3 has been delivered to victims through malicious e-mail attachments. [2]
Enterprise | T1497.003 | Time Based Checks (sub-technique) | Snip3 can execute `WScript.Sleep` to delay execution of its second stage. [1]
Enterprise | T1047 | Windows Management Instrumentation | Snip3 can query the WMI class `Win32_ComputerSystem` to gather information. [1]
Enterprise | T1104 | Multi-Stage Channels | Snip3 can download and execute additional payloads and modules over separate communication channels. [1][2]
Enterprise | T1105 | Ingress Tool Transfer | Snip3 can download additional payloads to compromised systems. [1][2]
Enterprise | T1566.002 | Spearphishing Link (sub-technique) | Snip3 has been delivered to victims through e-mail links to malicious files. [2]
Enterprise | T1189 | Drive-by Compromise | Snip3 has been delivered to targets via downloads from malicious domains. [2]
Enterprise | T1497.001 | System Checks (sub-technique) | Snip3 has the ability to detect Windows Sandbox, VMWare, or VirtualBox by querying `Win32_ComputerSystem` to extract the `Manufacturer` string. [1]
Enterprise | T1564.003 | Hidden Window (sub-technique) | Snip3 can execute PowerShell scripts in a hidden window. [1]
Enterprise | T1027.001 | Binary Padding (sub-technique) | Snip3 can obfuscate strings using junk Chinese characters. [1]
Enterprise | T1059.001 | PowerShell (sub-technique) | Snip3 can use a PowerShell script for second-stage execution. [1][2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G1018: TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 8844fd55311e110b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 8844fd55311e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Morphisec Snip3 May 2021: Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  2. [2] Telefonica Snip3 December 2021: Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  3. [3] mitre-attack S1086

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.