
S9021: DOWNIISSA

DOWNIISSA is a shellcode downloader that has been used by MirrorFace since at least 2022 to deploy payloads, including the LODEINFO backdoor.[1]

Domain: Enterprise | ID: S9021 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DOWNIISSA is a Windows shellcode downloader described by ATT&CK as used by MirrorFace since at least 2022 to deploy payloads including LODEINFO. Its business significance is that it represents an early-stage delivery component: if it succeeds, defenders may be dealing with follow-on payload deployment rather than a single isolated file. Because ATT&CK provides no official detection text, organizations should treat this as a coverage-validation item tied to downloader behavior, stealth, msiexec abuse, file cleanup, and process injection rather than relying on a named-malware signature alone.

Executive priority

Prioritize this where Windows endpoints are material to operations or compliance evidence. Leaders should ask whether SOC and IR teams can prove visibility into suspicious downloads, Windows Installer abuse, injected execution, encoded artifacts, and file deletion on critical endpoints. The decision value is not just blocking DOWNIISSA by name, but confirming that controls would expose a downloader that brings in additional payloads and attempts to hide its activity.

Technical view

For SOC and detection teams, map validation to the ATT&CK relationships: T1105 Ingress Tool Transfer, T1218.007 Msiexec, T1055 Process Injection, T1106 Native API, T1027.013 Encrypted/Encoded File, T1140 Deobfuscate/Decode Files or Information, and T1070.004 File Deletion. On Windows, test whether telemetry can connect a suspicious parent process or msiexec execution to network retrieval, decoded or newly written content, memory/injection-like behavior, and subsequent cleanup. Since no official detection is provided, detections should be behavior-based and tuned against legitimate installer, software deployment, and administrative activity.

Likely telemetry

  • Windows process creation with command line, parent/child process, and signer/path context, especially for msiexec.exe
  • Endpoint file creation, modification, decoding/deobfuscation indicators, and file deletion events
  • Network connection and download telemetry from Windows endpoints, including destination, process attribution, and timing
  • EDR or OS telemetry for process injection or suspicious memory access patterns
  • Native API-related endpoint telemetry where available, especially memory, process, and file operations

Detection direction

  • Do not depend only on malware naming; validate behavior chains consistent with downloader activity and related techniques.
  • Tune msiexec monitoring to distinguish normal software deployment from unusual parent processes, remote or unexpected package sources, anomalous execution paths, or DLL execution patterns.
  • Correlate ingress file transfer with encoded/encrypted artifacts, decode/deobfuscation activity, and execution shortly afterward.
  • Look for file deletion following download or execution, especially when it removes recently created artifacts.
  • Review process injection detections for false positives from legitimate security, management, and application software; prioritize uncommon source processes and sensitive target processes.
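The Technical view, Likely telemetry, and Detection direction sections all describe the same idea: score a behaviour chain (unusual msiexec parent, network retrieval, a written artifact, injection into msiexec.exe or WINWORD.exe, deletion of the process's own artifact) per acting process, rather than matching a malware name. The following Python is an added illustration of that correlation logic written for this page; it is not Glexia's or MITRE's code. It runs over a constructed, simplified event log (the `key=value|key=value` format, the hostnames, PIDs, image names, the 203.0.113.10 address, the `EXPECTED_MSI_PARENTS` allowlist, the 10-minute window and the alert threshold of 3 stages are all assumptions for the example, not values from the page).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Parents that normally launch msiexec.exe in a managed Windows estate.
# Assumption for the example; tune per environment (T1218.007 false-positive control).
EXPECTED_MSI_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "msiexec.exe", "ccmexec.exe"}
WINDOW = timedelta(minutes=10)   # assumed: stages must fall within this window of the first
ALERT_THRESHOLD = 3              # assumed: distinct stages needed before alerting


@dataclass
class Event:
    ts: datetime
    kind: str            # process | network | file_create | file_delete | inject
    host: str
    pid: int             # acting process
    image: str           # acting process image name (lower-cased basename)
    ppid: int = 0        # parent pid (process events)
    parent: str = ""     # parent image name (process events)
    dest: str = ""       # remote endpoint (network events)
    path: str = ""       # file path (file events)
    target_pid: int = 0  # injection target pid (inject events)
    target: str = ""     # injection target image (inject events)


@dataclass
class Chain:
    host: str
    pid: int
    image: str
    stages: List[str] = field(default_factory=list)
    first: Optional[datetime] = None

    def score(self) -> int:
        return len(set(self.stages))   # count distinct stages, not repeated events


def parse_event(line: str) -> Event:
    """Parse one line of the constructed 'key=value|key=value' log format."""
    f = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(
        ts=datetime.fromisoformat(f["ts"]), kind=f["kind"], host=f["host"],
        pid=int(f["pid"]), image=f["image"].lower(),
        ppid=int(f.get("ppid", 0)), parent=f.get("parent", "").lower(),
        dest=f.get("dest", ""), path=f.get("path", ""),
        target_pid=int(f.get("target_pid", 0)), target=f.get("target", "").lower(),
    )


def correlate(events: List[Event]) -> Dict[Tuple[str, int], Chain]:
    """Attribute each event to the process driving it and label the chain stage it represents."""
    chains: Dict[Tuple[str, int], Chain] = {}
    written: Dict[Tuple[str, int], Set[str]] = {}   # files each process has created

    def add_stage(ev: Event, owner_pid: int, owner_image: str, stage: str) -> None:
        key = (ev.host, owner_pid)
        chain = chains.setdefault(key, Chain(ev.host, owner_pid, owner_image))
        if chain.first is None:
            chain.first = ev.ts
        if ev.ts - chain.first <= WINDOW:   # stages outside the window are not credited
            chain.stages.append(stage)

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process" and ev.image == "msiexec.exe" and ev.parent not in EXPECTED_MSI_PARENTS:
            # T1218.007: credit the parent, since it is the process driving the chain
            add_stage(ev, ev.ppid, ev.parent, "msiexec_unusual_parent")
        elif ev.kind == "network":
            add_stage(ev, ev.pid, ev.image, "network_download")        # T1105 candidate
        elif ev.kind == "file_create":
            written.setdefault((ev.host, ev.pid), set()).add(ev.path.lower())
            add_stage(ev, ev.pid, ev.image, "file_written")            # encoded/decoded artifact candidate
        elif ev.kind == "file_delete" and ev.path.lower() in written.get((ev.host, ev.pid), set()):
            add_stage(ev, ev.pid, ev.image, "deleted_own_artifact")    # T1070.004
        elif ev.kind == "inject" and ev.target in {"msiexec.exe", "winword.exe"}:
            add_stage(ev, ev.pid, ev.image, "injection")               # T1055
    return chains


def alerts(lines: List[str]) -> List[Tuple[str, int, str, int]]:
    """Return (host, pid, image, score) for every chain that reaches the alert threshold."""
    chains = correlate([parse_event(line) for line in lines])
    return sorted((c.host, c.pid, c.image, c.score())
                  for c in chains.values() if c.score() >= ALERT_THRESHOLD)


# Constructed sample events: one downloader-style chain on WS01 plus benign noise on WS02.
SAMPLE_LOG = [
    "ts=2024-05-01T09:00:01|kind=network|host=WS01|pid=4120|image=update.exe|dest=203.0.113.10:443",
    "ts=2024-05-01T09:00:03|kind=file_create|host=WS01|pid=4120|image=update.exe|path=C:\\Users\\u\\AppData\\Local\\Temp\\stage.dat",
    "ts=2024-05-01T09:00:05|kind=process|host=WS01|pid=4300|image=msiexec.exe|ppid=4120|parent=update.exe",
    "ts=2024-05-01T09:00:06|kind=inject|host=WS01|pid=4120|image=update.exe|target_pid=4300|target=msiexec.exe",
    "ts=2024-05-01T09:00:09|kind=file_delete|host=WS01|pid=4120|image=update.exe|path=C:\\Users\\u\\AppData\\Local\\Temp\\stage.dat",
    "ts=2024-05-01T09:01:00|kind=process|host=WS02|pid=800|image=msiexec.exe|ppid=612|parent=services.exe",
    "ts=2024-05-01T09:02:00|kind=file_delete|host=WS02|pid=900|image=explorer.exe|path=C:\\Users\\u\\Desktop\\old.txt",
]

if __name__ == "__main__":
    for host, pid, image, score in alerts(SAMPLE_LOG):
        print(f"ALERT host={host} pid={pid} image={image} distinct_stages={score}")
```

Two design points matter for tuning. The msiexec stage is credited to the parent process, not to msiexec.exe itself, because the relationship text says the downloader creates the msiexec instance and then injects into it; scoring the child would split the chain across two PIDs. The deletion stage only fires when a process removes a file it wrote earlier, which is what separates downloader cleanup from ordinary user file deletion; a browser that downloads, writes and then removes a file can still reach three stages, so the threshold and allowlist need adjustment against real deployment and installer activity before this runs in production.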

Mitigation priorities

  • Confirm endpoint protection and EDR coverage on Windows systems where this risk is relevant.
  • Harden and monitor Windows Installer/msiexec usage; restrict unnecessary installer execution paths through approved software control processes where feasible.
  • Improve egress and download controls so unexpected external file transfer from endpoints is logged and reviewable.
  • Maintain centralized logging for process, network, and file events so deletion of local artifacts does not erase the investigation trail.
  • Use application control, least privilege, and software deployment governance to reduce opportunities for unauthorized payload staging and execution.

Analyst notes and limits

ATT&CK identifies DOWNIISSA as a shellcode downloader associated with MirrorFace activity and payload deployment including LODEINFO, with Kaspersky reporting as the cited source. The most useful defensive angle is relationship-driven coverage validation across downloader transfer, stealth, execution proxying, injection, decoding, and cleanup behaviors.

The supplied ATT&CK object has no official detection guidance, no tactics listed on the malware object itself, no aliases, and only Windows as the malware platform. Telemetry and control recommendations are inferred from the supplied technique relationships and must be validated against the local environment, approved software deployment patterns, and available endpoint/network logging.

Official MITRE ATT&CK definition

DOWNIISSA

DOWNIISSA is a shellcode downloader that has been used by MirrorFace since at least 2022 to deploy payloads, including the LODEINFO backdoor.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

7 rows

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | DOWNIISSA code is base64 encoded and XOR encrypted.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | DOWNIISSA can download files to the compromised host.[1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | DOWNIISSA can delete files after download.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DOWNIISSA can decode strings prior to execution.[1] |
| Enterprise | T1218.007 | Msiexec (sub-technique) | DOWNIISSA can create an instance of msiexec.exe and inject LODEINFO shellcode into the memory of the process.[1] |
| Enterprise | T1055 | Process Injection | DOWNIISSA can inject shellcode directly into process memory including WINWORD.exe and msiexec.exe.[1] |
| Enterprise | T1106 | Native API | DOWNIISSA can use the `URLDownloadToFileA()` API to download from remote resources.[1] |

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1054: MirrorFace

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 192e9b3f1e0df797...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 1.0 | | Current bundle | 192e9b3f1e0d… |
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky LODEINFO OCT 2022: Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part I. Retrieved April 17, 2026.
  2. [2] mitre-attack S9021 (MITRE ATT&CK source record for this object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.