Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0435: PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[3][2]

EnterpriseS0435MalwareObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PLEAD is a Windows remote access tool and downloader documented by ATT&CK as used by BlackTech in targeted attacks in East Asia, including Taiwan, Japan, and Hong Kong. Its practical significance is not just the malware name: the mapped behaviors combine user-driven execution, discovery, credential access, tool transfer, command-and-control over web protocols, proxying, encryption, junk data, and file deletion. That mix can challenge organizations that rely only on basic endpoint alerts or perimeter web filtering.

Executive priority

Treat PLEAD as a validation case for whether Windows endpoint, web, identity, and incident response controls can withstand a targeted RAT/downloader workflow. Leaders should ask whether the organization can prove coverage for malicious links/files, suspicious command shell and native API execution, credential access from browser/password stores, unusual outbound web/proxy traffic, and post-activity cleanup. This is especially relevant for resilience planning, audit evidence, and incident decision-making where targeted intrusion scenarios are in scope.

Technical view

For SOC and detection engineering teams, coverage should be assessed across the mapped ATT&CK relationships rather than only against a malware signature. Validate visibility for Windows execution via command shell and native API behavior, discovery of processes/windows/files, credential access involving browser or password store artifacts, downloaded tools/files, file deletion, and C2 patterns using web protocols, proxying, symmetric encryption, and junk data. Because ATT&CK provides no official detection text for this malware object, local analytic quality depends on correlating endpoint activity with network and identity evidence.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Parent-child process relationships involving command shell execution
  • File creation, download, modification, and deletion events
  • Browser credential store and password store access indicators where defensible and privacy-approved
  • Process, window, file, and directory enumeration activity

Detection direction

  • Do not depend on a PLEAD-specific signature alone; test behavior-based analytics for the related techniques.
  • Correlate user-driven execution events with follow-on discovery, file transfer, credential access, and outbound web/proxy communications.
  • Tune command shell detections to account for legitimate administrative activity while retaining suspicious context such as unusual parent processes, rare destinations, or execution from user-writable paths.
  • Review whether encrypted or padded web traffic could bypass simplistic content inspection; focus on metadata, destination patterns, proxy behavior, and endpoint correlation.
  • Validate that file deletion events are retained long enough to support incident reconstruction.

Mitigation priorities

  • Prioritize hardened user-execution controls for malicious links and files, including attachment/link handling and user-risk reduction programs.
  • Strengthen Windows endpoint monitoring and response for command shell execution, discovery activity, file transfer, credential-store access, and cleanup behavior.
  • Limit credential exposure by reducing saved browser credentials where appropriate and enforcing least privilege and strong identity controls.
  • Constrain outbound traffic through managed egress paths and review proxy/web logging retention and inspection policy.
  • Prepare incident response playbooks that collect endpoint, web/proxy, DNS, and identity evidence together for RAT/downloader investigations.
Analyst notes and limits

The supplied ATT&CK object identifies PLEAD as a Windows RAT and downloader associated with BlackTech reporting and provides relationship mappings to multiple ATT&CK techniques. The most useful defensive value comes from testing coverage across those relationships: execution, discovery, credential access, command-and-control, ingress tool transfer, proxy use, encryption, junk data, and file deletion.

ATT&CK does not provide official detection guidance for this malware object, and the supplied fields do not include indicators, hashes, infrastructure, specific procedures, or guaranteed detection logic. Local risk depends on the organization’s Windows estate, exposure to relevant targeting, telemetry retention, endpoint controls, web/proxy architecture, and identity practices.

Official MITRE ATT&CK definition

PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[3][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows
Domain ID Name Relationship / procedure
Enterprise T1071.001 Web Protocols Sub-technique

PLEAD has used HTTP for communications with command and control (C2) servers.[2][1]
Enterprise T1059.003 Windows Command Shell Sub-technique

PLEAD has the ability to execute shell commands on the compromised host.[2]
Enterprise T1555 Credentials from Password Stores

PLEAD has the ability to steal saved passwords from Microsoft Outlook.CitationESET PLEAD Malware July 2018
Enterprise T1090 Proxy

PLEAD has the ability to proxy network communications.[2]
Enterprise T1204.002 Malicious File Sub-technique

PLEAD has been executed via malicious e-mail attachments.[1]
Enterprise T1083 File and Directory Discovery

PLEAD has the ability to list drives and files on the compromised host.[1][2]
Enterprise T1001.001 Junk Data Sub-technique

PLEAD samples were found to be highly obfuscated with junk code.CitationESET PLEAD Malware July 2018[1]
Enterprise T1105 Ingress Tool Transfer

PLEAD has the ability to upload and download files to and from an infected host.[2]
Enterprise T1070.004 File Deletion Sub-technique

PLEAD has the ability to delete files on the compromised host.[1]
Enterprise T1204.001 Malicious Link Sub-technique

PLEAD has been executed via malicious links in e-mails.[1]
Enterprise T1106 Native API

PLEAD can use `ShellExecute` to execute applications.[1]
Enterprise T1057 Process Discovery

PLEAD has the ability to list processes on the compromised host.[1]
Enterprise T1010 Application Window Discovery

PLEAD has the ability to list open windows on the compromised host.[1][1]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

PLEAD has used RC4 encryption to download modules.[2]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[1]CitationESET PLEAD Malware July 2018
Associated objects

Groups, software, and campaigns

Group Enterprise

G0098: BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]

Relationship explorer

All related ATT&CK context

uses · Group G0098: BlackTech Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1555: Credentials from Password Stores Enterprise uses · Technique T1090: Proxy Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1001.001: Junk Data Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1204.001: Malicious Link Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1010: Application Window Discovery Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1555.003: Credentials from Web Browsers Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
46a72f744758a120...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 46a72f744758…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    TrendMicro BlackTech June 2017

    Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.

    Open source URL
  2. [2]
    JPCert PLEAD Downloader June 2018

    Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.

    Open source URL
  3. [3]
    JPCert TSCookie March 2018

    Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.

    Open source URL
  4. [4]
    PLEAD

    PLEAD derived its name from letters used in backdoor commands in intrusion campaigns.(Citation: Trend Micro PLEAD RTLO)(Citation: TrendMicro BlackTech June 2017)

  5. [5]
    Trend Micro PLEAD RTLO

    Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.

    Open source URL
  6. [6]
    mitre-attack S0435
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use