S0153: RedLeaves
Analyst context for executives and security teams
RedLeaves is a Windows malware family in ATT&CK associated through relationships with menuPass and overlapping in code with PlugX. Its practical significance is not one single technique, but the combination of post-compromise behaviors ATT&CK links to it: host and network discovery, command execution, persistence through Windows startup mechanisms, credential access from browsers, screen capture, file transfer, cleanup, and web-based command-and-control that may use encryption or non-standard ports.
Executive priority
Treat RedLeaves as a validation case for Windows endpoint resilience and post-compromise visibility. Leadership should ask whether the organization can prove coverage for suspicious autoruns, command-shell activity, browser credential access, file transfer, and abnormal outbound web traffic. Because ATT&CK provides no official detection guidance for this object, confidence should come from local telemetry tests, incident response playbooks, and audit-ready evidence of endpoint, identity, and egress-control monitoring rather than from the malware name alone.
Technical view
SOC and IR teams should validate behavior-based coverage on Windows rather than relying only on family signatures. The relationship set points to discovery via system, user, file, network configuration, and network connection enumeration; execution through Windows Command Shell; persistence through Registry Run Keys, Startup Folder, and Shortcut Modification; DLL abuse; browser credential access; screen capture; ingress tool transfer; file deletion; and command-and-control over web protocols, non-standard ports, and symmetric encryption. Detection engineering should correlate endpoint process, file, registry, module-load, credential-store, and network telemetry into attack chains that distinguish routine administration from unusual post-compromise sequencing.
Likely telemetry
- Windows process creation and command-line logs, especially cmd.exe and discovery utilities
- Registry autorun changes, Startup Folder writes, and shortcut creation or modification events
- File creation, deletion, rename, and staging activity for transferred or encoded/encrypted files
- DLL load events and suspicious DLL placement or execution context
- Browser credential store file access and related endpoint alerts
Detection direction
- Build detections around ATT&CK-related behaviors rather than the RedLeaves name, since official detection text is not provided.
- Correlate discovery commands followed by persistence changes, tool transfer, credential-store access, or outbound web traffic to reduce false positives from legitimate administration.
- Tune autorun, Startup Folder, shortcut, and DLL-abuse detections for known enterprise software installers and management tools.
- Review egress monitoring for web protocols on unexpected ports and encrypted command-and-control patterns, while accounting for legitimate proxies and business applications.
- Confirm Windows endpoint coverage first; related ATT&CK techniques list broader platforms, but this malware object is supplied with Windows as its platform.
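The correlation logic described in the points above, as an added example that is not part of the page or of ATT&CK: a toy Python detector that groups constructed Windows endpoint events per host and fires only when a discovery command is followed, within an assumed 30-minute window, by persistence, browser credential-store access, or web traffic on an unexpected port. Hostnames, paths, ports, timestamps and the event shape are all constructed; the technique IDs are those in the page's table.

```python
"""Correlate Windows endpoint telemetry into a discovery -> follow-on chain.

Added example (not from the page or ATT&CK). Event shapes, hostnames, paths
and timestamps are constructed; technique IDs come from the page's table.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Discovery utilities mapped to the discovery techniques listed on the page.
DISCOVERY_TOOLS = {
    "ipconfig.exe": "T1016",    # System Network Configuration Discovery
    "whoami.exe": "T1033",      # System Owner/User Discovery
    "systeminfo.exe": "T1082",  # System Information Discovery
    "hostname.exe": "T1082",
    "netstat.exe": "T1049",     # System Network Connections Discovery
}
WEB_PORTS = {80, 443}  # assumed "expected" ports for web protocols


def classify(event: dict) -> Optional[tuple[str, str]]:
    """Return ("discovery", technique) or ("follow_on", technique), else None."""
    kind = event["kind"]
    if kind == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        tid = DISCOVERY_TOOLS.get(image)
        return ("discovery", tid) if tid else None
    if kind == "registry":
        # Matches Run, RunOnce and similar autorun keys under CurrentVersion.
        if "\\currentversion\\run" in event["key"].lower():
            return ("follow_on", "T1547.001")  # Registry Run Keys
        return None
    if kind == "file":
        path = event["path"].lower()
        if "\\start menu\\programs\\startup\\" in path:
            return ("follow_on", "T1547.001")  # Startup Folder write
        if path.endswith(".lnk"):
            return ("follow_on", "T1547.009")  # Shortcut Modification
        if path.endswith(("\\login data", "\\logins.json")):
            return ("follow_on", "T1555.003")  # browser credential store access
        return None
    if kind == "netconn":
        if event["proto"] in ("http", "https") and event["dport"] not in WEB_PORTS:
            return ("follow_on", "T1571")  # web protocol on a non-standard port
        return None
    return None


def correlate(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Per host, flag follow-on activity within `window` of a prior discovery command."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        last_discovery = None
        discovery, follow_on = set(), set()
        first_seen = last_seen = None
        for ev in evs:
            cls = classify(ev)
            if cls is None:
                continue
            stage, tid = cls
            if stage == "discovery":
                last_discovery = ev["ts"]
                discovery.add(tid)
                first_seen = first_seen or ev["ts"]
            elif last_discovery is not None and ev["ts"] - last_discovery <= window:
                follow_on.add(tid)
                last_seen = ev["ts"]
        # Discovery alone (routine admin) or persistence alone (an installer) does not fire.
        if follow_on:
            alerts.append({"host": host, "discovery": sorted(discovery),
                           "follow_on": sorted(follow_on),
                           "first_seen": first_seen, "last_seen": last_seen})
    return alerts


def _ts(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 15, hour, minute)  # constructed date


# Constructed sample telemetry, simplified to the fields the rules need.
EVENTS = [
    # WS-FIN-07: discovery burst followed by persistence, credential access, odd egress
    {"ts": _ts(9, 0), "host": "WS-FIN-07", "kind": "process", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"ts": _ts(9, 1), "host": "WS-FIN-07", "kind": "process", "image": r"C:\Windows\System32\whoami.exe"},
    {"ts": _ts(9, 3), "host": "WS-FIN-07", "kind": "process", "image": r"C:\Windows\System32\netstat.exe"},
    {"ts": _ts(9, 10), "host": "WS-FIN-07", "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": _ts(9, 12), "host": "WS-FIN-07", "kind": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"ts": _ts(9, 13), "host": "WS-FIN-07", "kind": "file", "path": r"C:\Users\alice\Desktop\Reports.lnk"},
    {"ts": _ts(9, 15), "host": "WS-FIN-07", "kind": "file", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": _ts(9, 20), "host": "WS-FIN-07", "kind": "netconn", "proto": "http", "dport": 8088},
    # WS-IT-02: an administrator runs discovery utilities and nothing follows
    {"ts": _ts(10, 0), "host": "WS-IT-02", "kind": "process", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"ts": _ts(10, 2), "host": "WS-IT-02", "kind": "process", "image": r"C:\Windows\System32\systeminfo.exe"},
    # WS-HR-11: a software installer writes a Run key with no preceding discovery
    {"ts": _ts(11, 0), "host": "WS-HR-11", "kind": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['host']}: discovery {a['discovery']} -> follow-on {a['follow_on']} "
              f"({a['first_seen']:%H:%M} to {a['last_seen']:%H:%M})")
```

Only the first host produces an alert; the administrator's discovery burst and the installer's autorun write stay silent because neither completes the sequence. In a real deployment the per-stage rules would be fed from Sysmon or EDR events and the autorun and DLL-abuse rules tuned against known installers, as the list above recommends.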
Mitigation priorities
- Prioritize reliable Windows endpoint logging and retention for process, registry, file, DLL, and network events.
- Harden and monitor autorun locations, Startup Folders, shortcut execution paths, and DLL loading behavior.
- Limit credential exposure by reducing browser-stored passwords where feasible and monitoring access to browser credential stores.
- Apply least privilege and application control principles to reduce unauthorized command execution, tool transfer, and persistence.
- Enforce egress controls and proxy visibility for outbound web traffic, including review of non-standard protocol and port pairings.
Analyst notes and limits
The ATT&CK object identifies RedLeaves as a malware family used by menuPass, with code overlap with PlugX and possible basis in the open source tool Trochilus. External references include PwC and FireEye reporting from 2017, a BUGJUICE equivalence assessment, and a social media reference. The most useful defensive value is the relationship-driven behavior map, not a static label.
ATT&CK provides no official detection text for RedLeaves, and the object itself has no specified tactics. The malware platform is Windows, while several related techniques have broader platform lists that should not be assumed for this object without local evidence. This take does not assess current exploitation, customer exposure, or detection coverage.
RedLeaves
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | |
| Enterprise | T1574.001 | DLL Sub-technique | |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | RedLeaves can gather browser usernames and passwords. (Citation: Accenture Hogfish April 2018) |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | |
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | e69364a45113… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] PWC Cloud Hopper Technical Annex April 2017. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- [2] FireEye APT10 April 2017. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- [3] BUGJUICE. Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)
- [4] RedLeaves. (Citation: PWC Cloud Hopper Technical Annex April 2017)
- [5] Twitter Nick Carr APT10. Carr, N. (2017, April 6). Retrieved September 12, 2024.
- [6] mitre-attack S0153.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.