Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0044: JHUHUGIT

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [1] [2] [3] [4]

EnterpriseS0044MalwareObject v2.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

JHUHUGIT matters because ATT&CK describes it as Windows reconnaissance malware used by APT28 and based on Carberp source code. For leaders, the practical issue is not the malware name itself but the behaviors tied to it: discovery, persistence, command-and-control, collection, stealth, and privilege-escalation techniques that can turn an initial Windows compromise into durable access and operational intelligence gathering.

Executive priority

Prioritize this as a coverage-validation case for Windows endpoint visibility, egress monitoring, and persistence control evidence. Because ATT&CK provides no official detection guidance for JHUHUGIT, executives should ask whether SOC, IR, and audit teams can prove coverage for the related behaviors: scheduled tasks, services, Run keys, logon scripts, COM hijacking, rundll32 abuse, process injection, web-based C2, fallback channels, encoded traffic, tool transfer, screen capture, clipboard collection, and host/network discovery. The business decision value is determining whether existing controls can detect reconnaissance and persistence before follow-on activity creates larger continuity, confidentiality, or incident-response costs.

Technical view

Treat JHUHUGIT as a Windows malware behavior cluster rather than a single signature problem. ATT&CK relationships associate it with discovery techniques such as System Network Configuration Discovery, Process Discovery, and Local Storage Discovery; persistence and privilege-escalation paths such as Windows logon scripts, scheduled tasks, Windows services, COM hijacking, Run keys/startup folders, process injection, and exploitation for privilege escalation; command-and-control via web protocols, fallback channels, ingress tool transfer, and standard encoding; collection through screen capture and clipboard data; and stealth through encrypted or encoded files, file deletion, rundll32 proxy execution, and process injection. SOC teams should validate that endpoint, registry, process, task/service, and network telemetry can connect these events into an intrusion narrative, not just alert on isolated commands.

Likely telemetry

  • Windows process creation and command-line telemetry, including cmd.exe and rundll32.exe activity
  • Windows registry change telemetry for Run keys, logon script locations, service configuration, and COM-related keys
  • Scheduled task creation, modification, and execution events
  • Windows service creation or modification events
  • Endpoint detection telemetry for process injection indicators and suspicious parent-child process relationships

Detection direction

  • Because ATT&CK provides no official detection text for JHUHUGIT, validate behavior-based detections mapped to the related techniques rather than relying on malware naming alone.
  • Tune Windows persistence analytics for scheduled tasks, services, Run keys/startup folders, logon scripts, and COM hijacking, with baselines for legitimate administration and software deployment to reduce false positives.
  • Correlate discovery activity with subsequent persistence, C2, or collection events; standalone ipconfig-like or process-listing behavior is common, but clustering with suspicious execution or outbound traffic increases decision value.
  • Review rundll32.exe and cmd.exe detections for context: unusual DLL paths, unexpected command-line patterns, nonstandard parent processes, and execution tied to newly created persistence entries.
  • Monitor web-protocol outbound traffic and encoded content indicators, but avoid assuming all encoded web traffic is malicious; use destination reputation, process lineage, timing, and related host events for triage.

Mitigation priorities

  • Start with Windows endpoint hardening and visibility: ensure reliable logging for process execution, registry changes, scheduled tasks, services, file activity, and network connections.
  • Reduce persistence opportunities through least privilege, controlled administrative rights, and change monitoring on startup locations, services, scheduled tasks, logon scripts, and COM configuration.
  • Limit unnecessary outbound web access from endpoints and ensure proxy/DNS/web logs can support investigation of C2 over common protocols and fallback channels.
  • Maintain vulnerability management discipline for Windows systems and key applications to reduce privilege-escalation opportunities referenced by the related techniques.
  • Use application control or execution control where appropriate to constrain untrusted scripts, DLL execution paths, and suspicious proxy execution patterns such as rundll32 abuse.
Analyst notes and limits

The strongest supported facts are that JHUHUGIT is Windows malware, described by ATT&CK as reconnaissance malware based on Carberp source code, and used by APT28. The practical Glexia view is driven by the ATT&CK relationships to techniques across discovery, persistence, privilege escalation, command-and-control, collection, and stealth. This should be used as a defensive validation profile for Windows environments rather than as a claim of current activity in any specific organization.

ATT&CK supplies no official detection guidance, no aliases in the object fields, and no object-level tactics. The relationship set provides technique context, but local applicability depends on actual Windows estate design, logging coverage, endpoint controls, egress architecture, and retained forensic evidence. This take does not assert active exploitation, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

JHUHUGIT

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [1] [2] [3] [4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

20 rows
Domain ID Name Relationship / procedure
Enterprise T1113 Screen Capture

A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.CitationUnit 42 Playbook Dec 2017[5]
Enterprise T1008 Fallback Channels

JHUHUGIT tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obtaining proxy settings and sending the connection through a proxy, and finally injecting code into a running browser if the proxy method fails.[3]
Enterprise T1057 Process Discovery

JHUHUGIT obtains a list of running processes on the victim.[3][6]
Enterprise T1016 System Network Configuration Discovery

A JHUHUGIT variant gathers network interface card information.CitationUnit 42 Playbook Dec 2017
Enterprise T1053.005 Scheduled Task Sub-technique

JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.[3]CitationESET Sednit July 2015
Enterprise T1132.001 Standard Encoding Sub-technique

A JHUHUGIT variant encodes C2 POST data base64.CitationUnit 42 Playbook Dec 2017
Enterprise T1071.001 Web Protocols Sub-technique

JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.[3][6]CitationUnit 42 Playbook Dec 2017
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[3]
Enterprise T1037.001 Logon Script (Windows) Sub-technique

JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[3][5]
Enterprise T1115 Clipboard Data

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.CitationUnit 42 Playbook Dec 2017
Enterprise T1059.003 Windows Command Shell Sub-technique

JHUHUGIT uses a .bat file to execute a .dll.[5]
Enterprise T1068 Exploitation for Privilege Escalation

JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.[3]CitationESET Sednit July 2015
Enterprise T1546.015 Component Object Model Hijacking Sub-technique

JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).[3][5]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Many strings in JHUHUGIT are obfuscated with a XOR algorithm.[2][3][5]
Enterprise T1543.003 Windows Service Sub-technique

JHUHUGIT has registered itself as a service to establish persistence.[3]
Enterprise T1055 Process Injection

JHUHUGIT performs code injection injecting its own functions to browser processes.[2][6]
Enterprise T1218.011 Rundll32 Sub-technique

JHUHUGIT is executed using rundll32.exe.[2][5]
Enterprise T1680 Local Storage Discovery

JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.[3][6]
Enterprise T1070.004 File Deletion Sub-technique

The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.[3][6]
Enterprise T1105 Ingress Tool Transfer

JHUHUGIT can retrieve an additional payload from its C2 server.[3][6] JHUHUGIT has a command to download files to the victim’s machine.[5]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Relationship explorer

All related ATT&CK context

uses · Technique T1113: Screen Capture Enterprise uses · Technique T1008: Fallback Channels Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1037.001: Logon Script (Windows) Enterprise uses · Group G0007: APT28 Enterprise uses · Technique T1115: Clipboard Data Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1068: Exploitation for Privilege Escalation Enterprise uses · Technique T1546.015: Component Object Model Hijacking Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1055: Process Injection Enterprise uses · Technique T1218.011: Rundll32 Enterprise uses · Technique T1680: Local Storage Discovery Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.2
Created
Modified
Raw hash
e921a788f9c0b4f4...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.2 Current bundle e921a788f9c0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Kaspersky Sofacy

    Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.

    Open source URL
  2. [2]
    F-Secure Sofacy 2015

    F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.

    Open source URL
  3. [3]
    ESET Sednit Part 1

    ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.

    Open source URL
  4. [4]
    FireEye APT28 January 2017

    FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.

    Open source URL
  5. [5]
    Talos Seduploader Oct 2017

    Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.

    Open source URL
  6. [6]
    Unit 42 Sofacy Feb 2018

    Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.

    Open source URL
  7. [7]
    GAMEFISH

    (Citation: FireEye APT28 January 2017)

  8. [8]
    JHUHUGIT

    (Citation: FireEye APT28 January 2017)

  9. [9]
    JKEYSKW

    (Citation: FireEye APT28 January 2017)

  10. [10]
    Sednit

    This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: FireEye APT28 January 2017)

  11. [11]
    Seduploader

    (Citation: FireEye APT28 January 2017)(Citation: Talos Seduploader Oct 2017)

  12. [12]
    SofacyCarberp

    (Citation: Unit 42 Sofacy Feb 2018)

  13. [13]
    Symantec APT28 Oct 2018

    Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.

    Open source URL
  14. [14]
    Trojan.Sofacy

    This designation has been used in reporting both to refer to the threat group ([Skeleton Key](https://attack.mitre.org/software/S0007)) and its associated malware.(Citation: Symantec APT28 Oct 2018)

  15. [15]
    mitre-attack S0044
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use