S1159: DUSTTRAP
Analyst context for executives and security teams
DUSTTRAP matters because ATT&CK describes it as a Windows, multi-stage plugin framework associated with APT41 operations. The relationship set shows capabilities spanning discovery, collection, credential capture via keylogging, process injection, obfuscation, tool transfer, exfiltration over C2, and cleanup. For leaders, the practical issue is not a single malware alert; it is whether endpoint, identity, network, and IR teams can recognize a modular post-compromise toolset before discovery and collection turn into data loss.
Executive priority
Prioritize DUSTTRAP as a validation case for post-compromise resilience on Windows endpoints. Security leaders should ask whether the organization can prove visibility into command shell execution, process injection, registry and account discovery, network share enumeration, screen/key capture indicators, inbound tool transfer, C2-channel exfiltration, and evidence removal. This is also useful for audit and incident readiness: if official detection guidance is absent, local control evidence and tested response playbooks become the deciding proof of coverage.
Technical view
ATT&CK provides no official detection text for DUSTTRAP, so SOC and detection teams should build coverage from the related techniques. Validate Windows telemetry for process creation and command-line activity, registry queries, local/domain account enumeration, process and window discovery, file and directory discovery, network/share discovery, suspicious process injection behavior, encoded or embedded payload artifacts, deobfuscation activity, keylogging/screen capture indicators, tool ingress, outbound C2-like traffic, exfiltration over the same channel, and removal of share connections or other indicators. Treat the APT41 relationship as threat-intelligence context, not proof of attribution in any local incident.
Likely telemetry
- Windows endpoint process creation, parent-child process, command-line, and script or cmd.exe execution logs
- EDR memory and behavioral events for process injection and suspicious code execution in another process
- Windows Registry access/query telemetry
- File creation, modification, directory enumeration, and encoded or embedded payload artifacts
- Local and domain account enumeration events, including use of native administration utilities where logged
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on a DUSTTRAP-specific signature, because official detection guidance is not provided.
- Correlate multiple weak signals: discovery commands, registry queries, account/share enumeration, process discovery, and outbound communications are more meaningful together than in isolation.
- Tune carefully for administrative false positives, especially native Windows command shell, registry, account, process, and network discovery activity.
- Validate that obfuscation-related behaviors are visible, including embedded payloads, encrypted/encoded files, and deobfuscation/decoding activity.
- Review blind spots around memory telemetry, keylogging/screen capture visibility, SMB/share activity, and exfiltration over an existing C2 channel.
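As an added example (not from the ATT&CK object or the DUSTTRAP report), the weak-signal correlation described above, in Python: process-creation events are bucketed per host, each command line is mapped to one of the discovery or cleanup techniques listed for DUSTTRAP, and a host is flagged only when several distinct techniques occur inside a short window. The command-line patterns and the sample telemetry are constructed assumptions for illustration, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns mapped to ATT&CK techniques listed for DUSTTRAP.
# The patterns are assumptions about how these steps commonly appear in
# process-creation telemetry, not indicators taken from the report.
SIGNALS = [
    ("T1012", re.compile(r"\breg(\.exe)?\s+query\b", re.I)),
    ("T1087", re.compile(r"\bnet(\.exe)?\s+(user|group)\b", re.I)),
    ("T1135", re.compile(r"\bnet(\.exe)?\s+(view|share)\b", re.I)),
    ("T1057", re.compile(r"\btasklist(\.exe)?\b", re.I)),
    ("T1018", re.compile(r"\bping(\.exe)?\b", re.I)),
    ("T1070.005", re.compile(r"\bnet(\.exe)?\s+use\b.*\s/delete\b", re.I)),
    ("T1016", re.compile(r"\bipconfig(\.exe)?\b", re.I)),
]

def classify(cmdline):
    """Return the set of technique IDs whose pattern matches one command line."""
    return {tid for tid, rx in SIGNALS if rx.search(cmdline)}

def correlate(events, window=timedelta(minutes=10), threshold=3):
    """events: iterable of (iso_timestamp, host, cmdline).
    Returns {host: sorted technique list} for every host on which at least
    `threshold` distinct techniques were observed within one `window`."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        techs = classify(cmd)
        if techs:  # ignore command lines that match no discovery pattern
            per_host[host].append((datetime.fromisoformat(ts), techs))
    hits = {}
    for host, obs in per_host.items():
        obs.sort(key=lambda o: o[0])
        for i, (start, _) in enumerate(obs):  # slide the window over each start
            seen = set()
            for t, techs in obs[i:]:
                if t - start > window:
                    break
                seen |= techs
            if len(seen) >= threshold:
                hits[host] = sorted(seen)
                break
    return hits

# Constructed sample telemetry (timestamp, host, command line); not real data.
SAMPLE_EVENTS = [
    ("2024-07-18T09:00:05", "WS01", "cmd.exe /c reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography"),
    ("2024-07-18T09:00:40", "WS01", "net user /domain"),
    ("2024-07-18T09:01:10", "WS01", "net view \\\\FS01"),
    ("2024-07-18T09:02:00", "WS01", "ping -n 1 10.0.0.12"),
    ("2024-07-18T09:05:00", "WS02", "ipconfig /all"),  # single admin check, no alert
    ("2024-07-18T11:30:00", "WS02", "tasklist /v"),    # outside the 10-minute window
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only WS01 reaches the threshold
```

Tuning the window and threshold against a baseline of routine administrative activity is what keeps this from firing on a help-desk session that happens to run `net user` once.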
Mitigation priorities
- Start with visibility assurance on Windows endpoints: endpoint telemetry, command-line logging, network metadata, and retention sufficient for IR reconstruction.
- Harden and monitor identity exposure by reviewing local and domain account enumeration visibility and limiting unnecessary privileges.
- Reduce collection paths by reviewing access to sensitive local files and network shares, and by monitoring unusual share discovery or connection removal.
- Control tool ingress and outbound communications through egress monitoring, proxy/firewall policy, and alerting on unusual external transfers.
- Prepare IR playbooks for modular malware behavior: isolate affected hosts, preserve volatile and endpoint evidence, review credential exposure, and scope discovery, collection, and exfiltration activity.
Analyst notes and limits
The strongest decision value comes from the relationship context: DUSTTRAP is a Windows malware object described as a multi-stage plugin framework, and its mapped techniques cover a broad post-compromise lifecycle. The official ATT&CK object does not list tactics directly and provides no detection section, so defensive planning should be technique-led and environment-specific.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current exploitation, customer exposure, specific indicators, vendor detections, or confirmed attribution in any environment. Several related technique platform lists are broader than the DUSTTRAP object; the malware platform supplied here is Windows.
DUSTTRAP
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.002 | Domain Account (sub-technique) | DUSTTRAP can enumerate domain accounts. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1012 | Query Registry | DUSTTRAP can enumerate Registry items. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1615 | Group Policy Discovery | DUSTTRAP can identify victim environment Group Policy information. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1055 | Process Injection | DUSTTRAP compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of retrieved plug-ins. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1056.001 | Keylogging (sub-technique) | DUSTTRAP can perform keylogging operations. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1070 | Indicator Removal | DUSTTRAP restores the `.text` section of compromised DLLs after malicious code is loaded into memory and before the file is closed. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1057 | Process Discovery | DUSTTRAP can enumerate running processes. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1087.001 | Local Account (sub-technique) | DUSTTRAP can enumerate local user accounts. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1113 | Screen Capture | DUSTTRAP can capture screenshots. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | DUSTTRAP can identify security software. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DUSTTRAP deobfuscates embedded payloads. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1105 | Ingress Tool Transfer | DUSTTRAP can retrieve and load additional payloads. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1083 | File and Directory Discovery | DUSTTRAP can enumerate files and directories. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1005 | Data from Local System | DUSTTRAP can gather data from infected systems. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1016 | System Network Configuration Discovery | DUSTTRAP can enumerate infected system network information. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | DUSTTRAP can execute commands via `cmd.exe`. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1010 | Application Window Discovery | DUSTTRAP can enumerate running application windows. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1070.005 | Network Share Connection Removal (sub-technique) | DUSTTRAP can remove network shares from infected systems. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | DUSTTRAP can exfiltrate collected data over C2 channels. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1124 | System Time Discovery | DUSTTRAP reads the infected system's current time and writes it to a log file during execution. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1482 | Domain Trust Discovery | DUSTTRAP can identify Active Directory information and related items. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1685.005 | Clear Windows Event Logs (sub-technique) | DUSTTRAP can delete infected system log information. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1082 | System Information Discovery | DUSTTRAP reads the value of the infected system's `HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID` value. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1027.009 | Embedded Payloads (sub-technique) | DUSTTRAP contains additional embedded DLLs and configuration files that are loaded into memory during execution. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1018 | Remote System Discovery | DUSTTRAP can use `ping` to identify remote hosts within the victim network. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1654 | Log Enumeration | DUSTTRAP can identify infected system log information. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1497.001 | System Checks (sub-technique) | DUSTTRAP decryption relies on the infected machine's `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID` value. (Citation: Google Cloud APT41 2024) |
| Enterprise | T1135 | Network Share Discovery | DUSTTRAP can identify and enumerate victim system network shares. (Citation: Google Cloud APT41 2024) |
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1da59d24ce4b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Google Cloud APT41 2024: Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
[2] mitre-attack S1159: MITRE ATT&CK source object for DUSTTRAP.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.