C0016: Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
Analyst context for executives and security teams
Operation Dust Storm matters because ATT&CK describes it as a long-running cyber espionage campaign that shifted by 2015 toward Japanese companies and Japan-linked parts of larger organizations supporting critical infrastructure sectors, including electricity generation, oil and natural gas, finance, transportation, and construction. For leaders, the decision value is not a single indicator list; it is whether the organization can detect targeted phishing, drive-by compromise, client-side exploitation, script-based execution, remote access tooling, obfuscation, dynamic command-and-control, and Android backdoor activity across business units and regions that support critical operations.
Executive priority
Treat this campaign as a validation case for resilience against persistent espionage tradecraft, especially where Japanese operations, subsidiaries, suppliers, or critical infrastructure support functions are in scope. Priority questions: do email, endpoint, DNS/proxy, mobile, and incident response programs preserve enough evidence to investigate targeted compromise; are user-facing applications and client software patched based on exposure; and can the SOC distinguish legitimate scripting/admin activity from suspicious execution chains such as malicious links/files, mshta abuse, obfuscated payloads, and RAT behavior? Because ATT&CK provides no official detection text for this campaign, coverage should be proven through control validation and local telemetry, not assumed from tool deployment.
Technical view
ATT&CK links Operation Dust Storm to multiple software families and tools including PoisonIvy, gh0st RAT, Misdat, Mis-Type, S-Type, and ZLib, plus techniques spanning initial access, execution, stealth, discovery, command-and-control, resource development, and mobile collection/discovery. SOC and IR teams should validate visibility around spearphishing attachments and links, drive-by compromise, exploitation for client execution, malicious files and links, JavaScript and Visual Basic execution, mshta.exe proxy execution, packed or encoded files, deobfuscation/decoding behavior, masquerading, software discovery, dynamic DNS/domain-based C2 patterns, and Android file/data discovery behaviors where mobile risk is relevant. The Windows emphasis is supported by several related software objects and mshta, while macOS/Linux and mobile relevance comes from related technique platforms and the official note that Android backdoors were used by 2015 against identified victims in Japan or South Korea.
Likely telemetry
- Email security logs for spearphishing attachments, spearphishing links, attachment detonation results, and user click/open events
- Endpoint process creation, command-line, script interpreter, mshta.exe, JavaScript/JScript, and Visual Basic execution telemetry
- Endpoint file telemetry for packed executables, encoded/encrypted files, suspicious file names/locations, masquerading, and malware quarantine events
- EDR or host logs showing client-application exploitation symptoms and post-exploitation process chains
- DNS, proxy, firewall, and network flow logs for dynamic resolution and command-and-control investigation
Detection direction
- Do not build coverage solely around campaign name or static indicators; ATT&CK’s relationships show reusable behaviors and common RAT/backdoor tradecraft that require behavior-based validation.
- Tune detections for suspicious mshta.exe execution, script execution from email/web-delivered content, and unusual parent-child process chains following link or attachment interaction.
- Validate email-to-endpoint correlation: a malicious link or file event should be traceable to browser/client execution, script activity, payload creation, and outbound network behavior.
- Review false positives for administrative scripting, legitimate HTA/VB/JavaScript use, software packaging, and encoded files; suppressions should be tied to known-good paths, signers, users, and change records rather than broad allow rules.
- For dynamic resolution, correlate DNS/proxy activity with newly observed domains, unusual domain patterns, endpoint process context, and post-compromise behaviors instead of relying only on domain reputation.
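The mshta and script-chain checks in the list above, as an added example that is not code from the ATT&CK page or from Glexia: it triages constructed Sysmon-style process-creation events, flags script hosts spawned by Office, mail or browser parents, mshta.exe given an inline script or remote HTA, and scripts run from a mail attachment cache, and suppresses only on an exact known-good script path. All host names, paths and the allow entry are constructed.

```python
# Added example, not from the ATT&CK page or Glexia: triage constructed process events
# for the mshta/script chains above; suppressions key on exact known-good script paths.
USER_CONTENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",   # Office, mail, browsers:
                        "iexplore.exe", "chrome.exe", "msedge.exe"}  # user-delivered content
SUSPECT_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe"}       # proxy exec / script hosts
KNOWN_GOOD = {("cscript.exe", "c:\\corp\\tools\\inventory.vbs")}    # constructed allow entry
MAIL_CACHE = "\\content.outlook\\"   # constructed: where the mail client stages attachments

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def assess(event):
    """event = (host, parent_image, image, cmdline). Returns review reasons; [] means no alert."""
    _, parent_image, image, cmdline = event
    parent, child, cmd = image_name(parent_image), image_name(image), cmdline.lower()
    if child not in SUSPECT_CHILDREN or any(child == c and p in cmd for c, p in KNOWN_GOOD):
        return []
    reasons = []
    if parent in USER_CONTENT_PARENTS:
        reasons.append(f"{child} spawned by user-content parent {parent}")
    if child == "mshta.exe" and any(s in cmd for s in ("javascript:", "vbscript:", "http://", "https://")):
        reasons.append("mshta.exe given inline script or a remote HTA")
    if MAIL_CACHE in cmd:
        reasons.append("script executed from the mail attachment cache")
    return reasons

def triage(events):
    """Map host -> accumulated reasons for every event that produced a reason."""
    hits = {}
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.setdefault(ev[0], []).extend(reasons)
    return hits

# Constructed sample telemetry (Sysmon-style fields; fictional hosts and paths).
SAMPLE_EVENTS = [
    ("ws01", "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "C:\\Windows\\System32\\mshta.exe", "mshta.exe javascript:close()"),
    ("ws02", "C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\cscript.exe", "cscript.exe c:\\corp\\tools\\inventory.vbs"),
    ("ws03", "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "C:\\Windows\\System32\\wscript.exe",
     "wscript.exe C:\\Users\\a\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\8X2K\\invoice.vbs"),
    ("ws04", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\mshta.exe", "mshta.exe"),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Only ws01 and ws03 surface: the known-good inventory script and the service-launched mshta.exe with no script argument produce no reasons.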
Mitigation priorities
- Prioritize exposure reduction for user-driven initial access: strengthen email filtering, attachment/link analysis, browser protections, and user reporting workflows for targeted phishing.
- Maintain vulnerability management for client applications commonly exposed through links, documents, and browsing, since ATT&CK links the campaign to exploitation for client execution and drive-by compromise.
- Restrict and monitor high-risk script and trusted utility execution, especially mshta.exe and script interpreters, using policy controls appropriate to business workflows.
- Improve endpoint hardening and detection for obfuscated, packed, encoded, or masqueraded files, with response playbooks for suspected RAT/backdoor activity.
- Ensure DNS, web proxy, and egress controls support investigation of dynamic command-and-control rather than only blocking known-bad infrastructure.
Analyst notes and limits
The strongest defensive value comes from the relationship context: Operation Dust Storm is connected to targeted initial access, user execution, client exploitation, obfuscation, masquerading, scripting, mshta abuse, dynamic resolution, and several RAT/backdoor families. The official description highlights a sector and geography shift toward Japanese organizations and Japan-linked critical infrastructure support, plus Android backdoor use by 2015. Those facts support prioritizing critical infrastructure business units, subsidiaries, regional operations, and mobile visibility, but local relevance still depends on the organization’s footprint and threat model.
ATT&CK provides no official detection text, no campaign-level platforms or tactics, and the supplied source detail is limited to the ATT&CK object, external reference, and relationships. This take does not assert current activity, attribution, compromise, or guaranteed detection. Any control conclusions require local evidence from email, endpoint, network, identity, mobile, asset, and incident response telemetry.
Operation Dust Storm
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | Malicious File Sub-technique | During Operation Dust Storm, the threat actors relied on potential victims to open a malicious Microsoft Word document sent via email.[1] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | During Operation Dust Storm, the threat actors relied on a victim clicking on a malicious link sent via email.[1] |
| Enterprise | T1583.001 | Domains Sub-technique | For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure.[1] |
| Enterprise | T1027.002 | Software Packing Sub-technique | For Operation Dust Storm, the threat actors used UPX to pack some payloads.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document.[1] |
| Enterprise | T1189 | Drive-by Compromise | During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR that skipped both bytes equal to the key itself and zero bytes, in an attempt to avoid exposing the key; other payloads were Base64-encoded.[1] |
| Enterprise | T1036 | Masquerading | For Operation Dust Storm, the threat actors disguised some executables as JPG files.[1] |
| Enterprise | T1218.005 | Mshta Sub-technique | During Operation Dust Storm, the threat actors executed JavaScript code via `mshta.exe`.[1] |
| Enterprise | T1568 | Dynamic Resolution | For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | During Operation Dust Storm, the threat actors used Visual Basic scripts.[1] |
| Enterprise | T1518 | Software Discovery | During Operation Dust Storm, the threat actors deployed a file called `DeployJava.js` to fingerprint installed software on a victim system prior to exploit delivery.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322.[1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | During Operation Dust Storm, the threat actors used JavaScript code.[1] |
| Enterprise | T1585.002 | Email Accounts Sub-technique | For Operation Dust Storm, the threat actors established email addresses to register domains for their operations.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During Operation Dust Storm, attackers used VBS code to decode payloads.[1] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | During Operation Dust Storm, the threat actors sent spearphishing emails containing a malicious link.[1] |
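The XOR scheme in the T1027.013 row above, as an added analysis helper that is not part of the ATT&CK page or the Cylance report: because bytes equal to 0x00 or to the key are left untouched, the transform is its own inverse and zero runs never leak the key, so the decoder recovers the key by testing every candidate against an MZ/PE header. The sample buffer and key are constructed.

```python
# Added example (not from the ATT&CK page or the Cylance report): decoder for the
# single-byte XOR described under T1027.013, where bytes equal to 0x00 or to the
# key are skipped, plus brute-force key recovery against an expected PE header.
import struct

def xor_skip(data: bytes, key: int) -> bytes:
    """Apply the skip-zero/skip-key XOR. The transform is its own inverse."""
    return bytes(b if b in (0, key) else b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Check for an MZ stub whose e_lfanew offset points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_key(blob: bytes):
    """Try every non-zero key; return (key, decoded) for the first PE-shaped result, else None."""
    for key in range(1, 256):
        candidate = xor_skip(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None

# Constructed sample: a minimal MZ/PE-shaped buffer encoded with a constructed key.
SAMPLE_PLAIN = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
                + b"PE\x00\x00" + b"constructed payload")
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_skip(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_key(SAMPLE_ENCODED)
    print("recovered key: 0x%02x" % result[0] if result else "no key found")
```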
Groups, software, and campaigns
S0083: Misdat
Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[1]
S0032: gh0st RAT
S0012: PoisonIvy
S0084: Mis-Type
Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[1]
S0086: ZLib
ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[1]
S0085: S-Type
S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0477beeb6e7c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Gross, J. (2016, February 23). Operation Dust Storm. Cylance. Retrieved December 22, 2021.
[2] MITRE ATT&CK. C0016: Operation Dust Storm.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.