S0083: Misdat

Misdat matters because ATT&CK records it as a Windows backdoor historically used in Operation Dust Storm, a long-running cyber espionage campaign. The value for leaders is not the malware name itself, but the defensive pattern it represents: endpoint persistence, host discovery, local data collection, command-and-control, tool transfer, cleanup, and exfiltration over the same C2 channel.

Executive priority

Prioritize Misdat as a validation case for espionage-oriented intrusion readiness on Windows endpoints. Security leaders should ask whether the organization can prove visibility across persistence, command shell execution, suspicious C2, file staging/deletion, timestamp manipulation, and data exfiltration behaviors. This is especially relevant for incident response evidence preservation and audit conversations about endpoint monitoring and data protection controls.

Technical view

ATT&CK provides no official detection text for Misdat, so SOC and detection teams should use the mapped behaviors as the validation scope. On Windows, test whether controls observe Boot or Logon Autostart Execution, Windows Command Shell activity, Native API-linked execution patterns, System Information Discovery, File and Directory Discovery, System Language Discovery, Data from Local System, Ingress Tool Transfer, Non-Application Layer Protocol C2, Standard Encoding, Exfiltration Over C2 Channel, Software Packing, masquerading via legitimate-looking names or locations, File Deletion, Timestomp, and Clear Persistence. Correlating these behaviors is more useful than relying on a single malware signature.

Likely telemetry

Windows endpoint process creation and command-line telemetry
Autostart and persistence location monitoring, including startup-related registry or service changes where collected
File creation, deletion, rename, path, and metadata/timestamp telemetry
Endpoint security alerts for packed or obfuscated executables
Network flow and protocol metadata for unusual C2 patterns, including non-application-layer or encoded communications where visible

Detection direction

Build detections around behavior chains: discovery followed by local file access, tool transfer, outbound C2, and cleanup is higher fidelity than any one event alone.
Tune Windows command shell monitoring for unusual parent-child process relationships, suspicious execution paths, and discovery commands, while accounting for administrator and software management activity.
Validate coverage for masquerading and trusted-directory abuse by comparing executable names, paths, signatures, and expected baselines.
Confirm whether file deletion and timestomping are retained in telemetry long enough for incident reconstruction; these behaviors can erase or distort evidence.
Review network detection assumptions: exfiltration over an existing C2 channel and standard encoding may not be obvious from payload inspection alone, especially where encryption or limited packet capture exists.

Mitigation priorities

Harden and monitor Windows autostart locations and restrict unnecessary write access to trusted directories.
Apply least privilege and application control where feasible to reduce unauthorized command shell, tool transfer, and unknown executable execution.
Strengthen endpoint logging retention and centralization so deletion, timestomping, and persistence cleanup do not eliminate investigative evidence.
Limit and monitor outbound network paths, especially unusual protocols or destinations not required for business operations.
Protect sensitive local data through access controls, data minimization, and monitoring of unusual file enumeration or access patterns.

Analyst notes and limits

The ATT&CK object identifies Misdat as a backdoor used in Operation Dust Storm from 2010 to 2011 and links it to multiple ATT&CK techniques. The strongest defensive use is as a coverage checklist for Windows backdoor tradecraft rather than as a standalone indicator-driven detection item.

MITRE provides no official detection guidance in the supplied object, and the malware description is brief. Technique relationships describe possible observed behaviors, not guaranteed activity in every incident. Local environment baselines, telemetry depth, and retention determine whether these behaviors can be detected or investigated.

Official MITRE ATT&CK definition

Misdat

Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 16 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1036.005	Match Legitimate Resource Name or Location Sub-technique	Misdat saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1]CitationMicrosoft DTC
Enterprise	T1083	File and Directory Discovery	Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[1]
Enterprise	T1041	Exfiltration Over C2 Channel	Misdat has uploaded files and data to its C2 servers.[1]
Enterprise	T1095	Non-Application Layer Protocol	Misdat network traffic communicates over a raw socket.[1]
Enterprise	T1005	Data from Local System	Misdat has collected files and data from a compromised host.[1]
Enterprise	T1070.004	File Deletion Sub-technique	Misdat is capable of deleting the backdoor file.[1]
Enterprise	T1070.009	Clear Persistence Sub-technique	Misdat is capable of deleting Registry keys used for persistence.[1]
Enterprise	T1082	System Information Discovery	The initial beacon packet for Misdat contains the operating system version of the victim.[1]
Enterprise	T1547	Boot or Logon Autostart Execution	Misdat has created registry keys for persistence, including `HKCU\Software\dnimtsoleht\StubPath`, `HKCU\Software\snimtsOleht\StubPath`, `HKCU\Software\Backtsaleht\StubPath`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed. Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`.[1]
Enterprise	T1132.001	Standard Encoding Sub-technique	Misdat network traffic is Base64-encoded plaintext.[1]
Enterprise	T1105	Ingress Tool Transfer	Misdat is capable of downloading files from the C2.[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Misdat is capable of providing shell functionality to the attacker to execute commands.[1]
Enterprise	T1614.001	System Language Discovery Sub-technique	Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`.[1]
Enterprise	T1027.002	Software Packing Sub-technique	Misdat was typically packed using UPX.[1]
Enterprise	T1070.006	Timestomp Sub-technique	Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[1]
Enterprise	T1106	Native API	Misdat has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`.[1]

Associated objects

Groups, software, and campaigns

C0016: Operation Dust Storm

Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]

Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: May 31, 2017, 21:32 UTC (UTC+00:00)
Modified: Apr 16, 2025, 20:37 UTC (UTC+00:00)
Raw hash: 0bea1555997d2db1...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.2	Apr 16, 2025, 20:37 UTC (UTC+00:00)	Current bundle	`0bea1555997d…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Cylance Dust Storm

Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
Open source URL
[2]
mitre-attack S0083
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams