S1169: Mango
Analyst context for executives and security teams
Mango matters because ATT&CK describes it as a Windows first-stage C#/.NET backdoor used in the OilRig Juicy Mix campaign, with capabilities that support discovery, persistence, command-and-control, evasion, and exfiltration. For leaders, the practical question is not just “can we block this malware,” but whether the organization can see a Windows endpoint move from user-driven file execution to scheduled-task persistence, host discovery, encrypted or encoded web-based C2, and data leaving over that same channel.
Executive priority
Prioritize Mango as a readiness test for endpoint visibility, egress monitoring, and incident response decision-making. The ATT&CK record links it to sectors and supply-chain-aware targeting associated with OilRig, so security leaders should validate evidence quality around Windows persistence, C2 over web protocols, and exfiltration over C2. This is also useful for audit and compliance evidence: teams should be able to show that logs exist, alerts are triaged, and containment playbooks cover malicious files, scheduled tasks, encoded traffic, and security-tool impairment behaviors.
Technical view
Mango is listed for Windows and is described as a first-stage C#/.NET backdoor. ATT&CK relationships map it to malicious file execution, scheduled tasks, discovery of user/system/file information, native API use, encoded/encrypted C2 over web protocols, exfiltration over the C2 channel, encrypted/encoded files, and disabling or modifying tools. SOC and IR teams should validate correlation across initial file execution, .NET process behavior, Windows Task Scheduler artifacts, discovery activity, suspicious web egress, encoded or encrypted payload patterns, and any degradation of defensive tools. Because MITRE provides no official detection text for this object, local behavioral baselining and technique-level detections are required.
Likely telemetry
- Windows endpoint process creation and parent-child process context, especially user-opened files and .NET execution
- Windows Task Scheduler creation, modification, and execution events
- File system telemetry for enumeration, unusual access patterns, and encoded or encrypted artifacts
- User and system discovery evidence from process, command-line, API, or EDR telemetry
- Network proxy, DNS, firewall, and endpoint network telemetry for outbound web protocol communications
Detection direction
- Build detections around behavior chains rather than a single indicator: malicious file execution followed by discovery, scheduled-task persistence, and outbound web traffic is more meaningful than any one event alone.
- Validate Windows scheduled-task monitoring, including task creation and changes made by unusual users, processes, or paths.
- Tune web egress analytics for encoded or encrypted content patterns, rare destinations, and data transfer over command channels while accounting for legitimate encrypted business traffic.
- Correlate user and system discovery activity with new or suspicious processes, particularly where followed by outbound network communication.
- Review blind spots around .NET execution, native API visibility, endpoint sensor tampering, and environments where proxy or DNS logs are incomplete.
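One concrete check for the scheduled-task bullet above, added here as an example (not code from the page, MITRE, or ESET): it parses the task definition XML that Windows Security event 4698 (scheduled task created) carries in its TaskContent field and flags the two traits the technique mapping attributes to Mango's persistence, a repetition interval of seconds rather than minutes (32 seconds per the ESET reference) and a command living under a user-writable path. The sample task definitions are constructed, and the 60-second threshold and path list are assumptions to tune locally.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the task definition XML that Windows Security event 4698
# (scheduled task created) carries in its TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHORT_INTERVAL_SECONDS = 60          # assumed threshold; Mango's task repeats every 32 seconds
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")  # assumed list

# Constructed sample task definitions (not real telemetry): a benign hourly
# updater and a task shaped like the persistence behaviour described for Mango.
SAMPLE_TASKS = {
    "EdgeUpdate": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command></Exec></Actions>
</Task>""",
    "OneDriveSync": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT32S</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\jdoe\\AppData\\Roaming\\OneDriveSync.exe</Command></Exec></Actions>
</Task>""",
}

def iso_duration_seconds(value):
    """Convert an ISO 8601 duration such as PT32S or P1DT2H to seconds (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task(task_xml):
    """Return (shortest repetition in seconds, commands, findings) for one task definition."""
    root = ET.fromstring(task_xml)
    intervals = [iso_duration_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    commands = [e.text or "" for e in root.iterfind(".//t:Exec/t:Command", TASK_NS)]
    findings = []
    if intervals and min(intervals) < SHORT_INTERVAL_SECONDS:
        findings.append("short_repetition")       # beaconing-style cadence
    if any(p in c.lower() for c in commands for p in USER_WRITABLE):
        findings.append("user_writable_path")     # binary launched from a user-writable location
    return (min(intervals) if intervals else None, commands, findings)

if __name__ == "__main__":
    for name, xml in SAMPLE_TASKS.items():
        print(name, analyze_task(xml))
```

Either finding alone is noisy on its own; the value is in correlating a hit with the creating process and with subsequent outbound web traffic from the same host.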
Mitigation priorities
- Reduce likelihood of user-driven execution through attachment/file handling controls, user awareness, and application control where appropriate.
- Harden and monitor Windows scheduled-task creation and modification, with least privilege for users and administrators.
- Ensure endpoint protection and logging agents are protected from unauthorized modification and that sensor health is monitored.
- Restrict and monitor outbound web traffic using proxy, DNS, and firewall controls; investigate unusual encoded or encrypted communications where context is weak.
- Prepare IR playbooks for suspected first-stage backdoor activity, including host isolation, credential-risk review, persistence removal, and egress review.
Analyst notes and limits
This take is based only on the supplied ATT&CK S1169 fields, the ESET external reference, and listed relationships. The strongest defensive value is in using Mango as a scenario for validating Windows endpoint, scheduled-task, C2, exfiltration, and defense-impairment visibility. OilRig and Juicy Mix are referenced because they are present in the official description and relationship context, not as a statement about current activity against any organization.
MITRE provides no official detection text for Mango in the supplied object. The object platform is Windows, while several related techniques have broader platform listings; recommendations are therefore centered on Windows and technique-level validation. No claims are made about active exploitation, customer exposure, available indicators, or guaranteed detection coverage.
Mango
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Mango can receive XOR-encrypted commands from C2. [1] |
| Enterprise | T1082 | System Information Discovery | Mango can collect the machine name of a compromised system, which is later used as part of a unique victim identifier. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | Mango can use TLS to encrypt C2 communications. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Mango contains a series of base64-encoded substrings. [1] |
| Enterprise | T1083 | File and Directory Discovery | Mango can enumerate the contents of the current working directory or other specified directories. [1] |
| Enterprise | T1685 | Disable or Modify Tools | Mango contains an unused capability to block endpoint security solutions from loading user-mode code hooks via a DLL in a specified process, by using the `UpdateProcThreadAttribute` API to set `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY` to `PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` for an identified process. [1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Mango has been executed through a Microsoft Word document with a malicious macro. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Mango can use its HTTP C2 channel for exfiltration. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Mango can retrieve C2 commands sent in HTTP responses. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Mango can collect the user name from a compromised system, which is used to create a unique victim identifier. [1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | Mango can receive Base64-encoded commands from C2. [1] |
| Enterprise | T1106 | Native API | Mango has the ability to use native APIs. [1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Mango can create a scheduled task that runs every 32 seconds to communicate with C2 and execute received commands. [1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
C0044: Juicy Mix
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0b927fdd84af… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET OilRig Campaigns Sep 2023: Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
- [2] mitre-attack S1169: MITRE ATT&CK source record for S1169.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.