S1158: DUSTPAN
Analyst context for executives and security teams
DUSTPAN matters because it is described by ATT&CK as a Windows in-memory dropper that decrypts and executes an embedded payload. For leaders, the practical issue is not the malware name alone; it is whether the organization can see and investigate payload execution that may leave limited file-based evidence. Its relationship to APT41 and stealth-oriented techniques makes it a useful test case for whether endpoint, service, memory/process, and incident response visibility can handle obfuscated and in-memory execution paths.
Executive priority
Prioritize DUSTPAN as a coverage-validation scenario for Windows endpoint resilience and IR readiness. Because ATT&CK links it to embedded payloads, encrypted/encoded content, deobfuscation, PE injection, and Windows service persistence, executives should ask whether current controls depend too heavily on static file signatures, whether SOC teams retain enough endpoint telemetry to reconstruct execution, and whether service creation or modification is treated as high-value audit evidence during investigations.
Technical view
ATT&CK provides no dedicated detection guidance for DUSTPAN, so defenders should validate coverage through its related behaviors: T1027.009 Embedded Payloads, T1027.013 Encrypted/Encoded File, T1140 Deobfuscate/Decode Files or Information, T1055.002 Portable Executable Injection, T1543.003 Windows Service, and T1036.005 Match Legitimate Resource Name or Location. On Windows, SOC and IR teams should focus on suspicious process memory behavior, execution of decrypted or unpacked payloads, anomalous child processes, service creation/modification, and files or services placed or named to resemble legitimate resources. Treat the APT41 relationship as threat-intelligence context, not proof of local activity.
Likely telemetry
- Windows endpoint detection and response process, module, memory, and injection-related events
- Process creation and parent-child process lineage
- Windows service creation, modification, binary path, and recovery configuration changes
- Registry telemetry related to service configuration
- File creation and modification metadata for executables or artifacts with suspicious naming/location patterns
Detection direction
- Validate whether endpoint tooling can alert on or preserve evidence of PE injection and in-memory payload execution, not only files written to disk.
- Tune detections for new or modified Windows services, especially unusual service binary paths, suspicious naming, or services placed in locations that mimic legitimate resources.
- Correlate obfuscated or encrypted file indicators with subsequent deobfuscation, process execution, or service persistence activity.
- Review false positives from legitimate software updaters, installers, endpoint agents, and administrative tools that create services or use packed/encoded binaries.
- Use the related APT41 context to enrich triage, but avoid attribution based only on a DUSTPAN-like behavior match.
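As an added example that is not part of the ATT&CK object or of this page's analysis, the Python below runs the service-persistence (T1543.003) and name/location-mimicry (T1036.005) checks from the Technical view and Detection direction sections over a few constructed events shaped like Windows System log event 7045 (service installed) and Sysmon event 1 (process create). The allowlisted service roots, the expected home directories for `w3wp.exe` and `svchost.exe`, and the treatment of `conn.exe` as a name with no legitimate home are assumptions chosen for the illustration, not rules taken from the source; a real deployment would derive them from an environment baseline.

```python
"""Added example: flag service installs and process starts that match the
DUSTPAN-related behaviours on this page (T1543.003 service persistence,
T1036.005 name/location mimicry). Input is a constructed list of event dicts
shaped like System log event 7045 and Sysmon event 1; field names follow those
sources, everything else here is an assumption for illustration."""
import ntpath
import re
from dataclasses import dataclass

# Assumed baseline: roots from which service binaries are normally installed.
SERVICE_PATH_ALLOWLIST = (r"c:\windows\system32", r"c:\program files", r"c:\program files (x86)")
# Assumed expected homes for binary names worth imitating (w3wp.exe is the IIS worker).
EXPECTED_DIRS = {
    "w3wp.exe": (r"c:\windows\system32\inetsrv", r"c:\windows\syswow64\inetsrv"),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
}
# The page lists conn.exe as a disguise name; it has no legitimate home we know of,
# so any occurrence is flagged (assumption).
ALWAYS_SUSPICIOUS_NAMES = {"conn.exe"}
ENV_EXPANSIONS = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}

_QUOTED = re.compile(r'^\s*"([^"]+)"')
_UNQUOTED_EXE = re.compile(r"^\s*(.+?\.exe)(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    subject: str  # service name (7045) or image path (Sysmon 1)
    detail: str


def normalize_path(path: str) -> str:
    """Lower-case, expand the common %SystemRoot%/%windir% forms, collapse '..' segments."""
    low = path.strip().lower()
    for var, value in ENV_EXPANSIONS.items():
        low = low.replace(var, value)
    return ntpath.normpath(low)


def extract_exe_path(image_path: str) -> str:
    """Pull the executable out of a 7045 ImagePath, which may be quoted and may carry
    arguments (a quoted path followed by -k, or an unquoted %SystemRoot% path).
    Unquoted paths are cut at the first '.exe' token followed by whitespace or end."""
    match = _QUOTED.match(image_path) or _UNQUOTED_EXE.match(image_path)
    if match:
        return normalize_path(match.group(1))
    tokens = image_path.split()
    return normalize_path(tokens[0]) if tokens else ""


def _under(path: str, roots) -> bool:
    """True when the directory of `path` is one of `roots` or sits below one."""
    directory = ntpath.dirname(path)
    return any(directory == root or directory.startswith(root + "\\") for root in roots)


def check_binary_name(exe: str, event_id: int, subject: str) -> list:
    """T1036.005: a well-known name in the wrong place, or a known disguise name anywhere."""
    name = ntpath.basename(exe)
    if name in ALWAYS_SUSPICIOUS_NAMES:
        return [Finding("name_mimicry", event_id, subject, f"{name} is a known disguise name")]
    if name in EXPECTED_DIRS and not _under(exe, EXPECTED_DIRS[name]):
        return [Finding("name_mimicry", event_id, subject,
                        f"{name} outside expected {list(EXPECTED_DIRS[name])}")]
    return []


def analyze(events) -> list:
    findings = []
    for event in events:
        event_id = event["EventID"]
        if event_id == 7045:  # System log: a new service was installed
            exe = extract_exe_path(event["ImagePath"])
            if not _under(exe, SERVICE_PATH_ALLOWLIST):
                findings.append(Finding("service_unusual_path", event_id, event["ServiceName"],
                                        f"binary {exe} is outside the allowlisted roots"))
            findings.extend(check_binary_name(exe, event_id, event["ServiceName"]))
        elif event_id == 1:  # Sysmon: process creation
            exe = normalize_path(event["Image"])
            findings.extend(check_binary_name(exe, event_id, event["Image"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinHttpAutoProxySvc",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalService"},
    {"EventID": 7045, "ServiceName": "IISWorker",
     "ImagePath": r'"C:\ProgramData\Microsoft\w3wp.exe"'},
    {"EventID": 7045, "ServiceName": "gupdate",
     "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\conn.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event {finding.event_id} {finding.subject}: {finding.detail}")
```

On the constructed input this raises two findings for the `IISWorker` service (binary under `C:\ProgramData`, and `w3wp.exe` outside `inetsrv`) and one for the `conn.exe` process, while the genuine `svchost.exe` service, the `w3wp.exe` running from `inetsrv`, and the updater installed under `Program Files (x86)` stay silent, which is the false-positive handling the Detection direction list asks for. The parser deliberately covers only on-disk service and process evidence; the in-memory PE injection side (T1055.002) needs the injection and memory events listed under Likely telemetry, which no log-line rule like this one can substitute for.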
Mitigation priorities
- Ensure Windows endpoints have behavioral monitoring capable of observing process injection, service changes, and suspicious execution chains.
- Harden and monitor Windows service creation and modification permissions, especially for privileged accounts and administrative tooling.
- Reduce blind spots by retaining endpoint telemetry long enough to support IR reconstruction of in-memory or decrypted payload execution.
- Apply application control, least privilege, and controlled administrative paths where feasible to limit unauthorized service persistence and disguised executable placement.
- Test SOC playbooks against ATT&CK-related behaviors rather than relying on a malware-specific signature, since official DUSTPAN detection guidance is not provided.
Analyst notes and limits
The ATT&CK object identifies DUSTPAN as an in-memory C/C++ dropper used by APT41 since 2021 and states that it decrypts and executes an embedded payload. The strongest defensive value is to use it as a validation case for Windows in-memory execution, obfuscation, disguised resources, and service persistence coverage.
ATT&CK does not provide official detection text, tactics are not specified on the malware object, and the supplied fields do not include indicators of compromise, hashes, command lines, or confirmed local targeting. Local telemetry and environment-specific baselines are required to assess exposure or detection quality.
DUSTPAN
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | DUSTPAN is often disguised as a legitimate Windows binary such as `w3wp.exe` or `conn.exe`. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | DUSTPAN decrypts an embedded payload. [1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DUSTPAN decodes and decrypts embedded payloads. [1] |
| Enterprise | T1055.002 | Portable Executable Injection | DUSTPAN can inject its decrypted payload into another process. [1] |
| Enterprise | T1027.009 | Embedded Payloads | DUSTPAN decrypts and executes an embedded payload. [1][2] |
| Enterprise | T1543.003 | Windows Service | DUSTPAN can persist as a Windows Service in operations. [1] |
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information-gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 51ab5c73c080… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Google Cloud APT41 2024: Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
- [2] Google Cloud APT41 2022: Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.
- [3] mitre-attack S1158: MITRE ATT&CK source object for S1158, DUSTPAN.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.