S0084: Mis-Type
Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[1]
Analyst context for executives and security teams
Mis-Type matters because ATT&CK describes it as a Windows backdoor hybrid associated with Operation Dust Storm and linked to behaviors that support persistence, discovery, command-and-control, data staging, and exfiltration. For leaders, the value is not the malware name alone; it is a test case for whether the organization can see a compromised Windows host being surveyed, maintained, used for command execution, and leveraged to move data out over C2 channels.
Executive priority
Treat this as a readiness and control-validation issue rather than a signature-only problem. Executives should ask whether SOC and IR teams can prove visibility across Windows endpoint activity, local account and autostart changes, suspicious command shell use, process injection indicators, and outbound C2-like traffic. The relationship to a long-running espionage campaign makes it relevant to resilience, sensitive-data protection, and audit evidence for monitoring and response capability, but the supplied ATT&CK data does not support claims of current activity or customer exposure.
Technical view
ATT&CK provides no official detection text for Mis-Type, so defenders should validate coverage through its related techniques. In the Windows context supplied for the malware, focus on correlations across Windows Command Shell execution, Native API and Process Injection behaviors, system/user/account/network discovery, local data staging, tool transfer, fallback C2, web-protocol C2, non-application-layer communications, standard encoding, exfiltration over C2, local account creation, and boot/logon autostart persistence. Detection should emphasize behavior chains rather than a single indicator because several mapped techniques can overlap with legitimate administration.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and administrative utilities used for discovery
- EDR or host telemetry for process injection, native API abuse, suspicious parent-child process relationships, and memory-related activity
- File system telemetry for local data staging, unusual file placement, and names or locations that mimic legitimate resources
- Local account and group management logs, including account creation or privilege-related changes
- Registry, service, startup folder, scheduled autostart, and other boot/logon persistence telemetry on Windows
Detection direction
- Build detections around sequences: discovery commands followed by staging, outbound C2, tool transfer, persistence, or exfiltration-like activity.
- Tune Windows command-shell detections to separate routine administration from unusual execution context, user, host, timing, or destination patterns.
- Validate that monitoring covers both application-layer web traffic and less common protocol paths, since related techniques include Web Protocols, Fallback Channels, and Non-Application Layer Protocol.
- Look for local account creation and boot/logon autostart changes in combination with other suspicious host behaviors, not only as isolated events.
- Review blind spots where endpoint controls cannot inspect process injection, encoded C2 content, or encrypted web traffic metadata sufficiently.
Mitigation priorities
- Prioritize reliable Windows endpoint logging and EDR visibility before relying on malware-family-specific indicators.
- Restrict unnecessary local administrator rights and monitor local account creation to reduce persistence opportunities.
- Harden and monitor boot/logon autostart locations and require change-control evidence for legitimate persistence mechanisms.
- Apply application control and execution policy where feasible to reduce unauthorized tool transfer and command execution.
- Enforce egress control and network monitoring so fallback channels, unusual protocols, and unexpected outbound web communications are reviewable.
Analyst notes and limits
The strongest decision value comes from the relationships: Mis-Type is sparse as a standalone ATT&CK malware object, but it maps to a broad behavior set spanning execution, persistence, privilege escalation, defense evasion/stealth, discovery, collection, command-and-control, and exfiltration. Detection engineering should therefore use technique coverage validation and local baselining rather than depend on a supplied ATT&CK detection recommendation.
Official ATT&CK detection guidance is not provided. The malware object lists Windows as the platform and has no explicit malware-level tactics, so platform and tactic interpretation should remain tied to the supplied relationships and local evidence. The supplied fields support historical use in Operation Dust Storm by 2012, not current exploitation, attribution in a given incident, or guaranteed detection coverage.
Mis-Type
Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | |
| Enterprise | T1547 | Boot or Logon Autostart Execution | Mis-Type has created registry keys for persistence, including `HKCU\Software\bkfouerioyou`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1136.001 | Local Account Sub-technique | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1087.001 | Local Account Sub-technique | |
| Enterprise | T1008 | Fallback Channels | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1055 | Process Injection | |
| Enterprise | T1074.001 | Local Data Staging Sub-technique |
Groups, software, and campaigns
C0016: Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | 0506573bf7f0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Cylance Dust Storm
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
Open source URL -
[2]
mitre-attack S0084Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.