Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0501: PipeMon

PipeMon is a multi-stage modular backdoor used by Winnti Group.[1]

EnterpriseS0501MalwareObject v1.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PipeMon matters because ATT&CK describes it as a Windows, multi-stage modular backdoor associated through relationships with Winnti Group and a broad set of persistence, stealth, discovery, privilege-escalation, and command-and-control behaviors. For leaders, the decision value is not the malware name alone; it is whether Windows monitoring can prove when a backdoor persists, hides in legitimate-looking resources, loads modules, modifies registry or services, and maintains alternate encrypted communications.

Executive priority

Prioritize PipeMon as a resilience and assurance test case for Windows endpoint visibility, privileged execution controls, service/registry governance, and outbound network monitoring. Because ATT&CK provides no official detection text for this malware, executives should ask for evidence-based coverage against the related techniques rather than relying on a malware signature claim.

Technical view

SOC and IR teams should validate coverage against the ATT&CK relationships: Windows service and print processor persistence, registry modification, DLL/shared module loading, DLL injection, token-based process creation, parent PID spoofing, UAC bypass, discovery of system/network/process/security software details, tool ingress, and encrypted or fallback command-and-control. Treat this as behavior-led validation: correlate endpoint, identity, registry, service-control, module-load, file-transfer, and network telemetry rather than depending on a single PipeMon indicator.

Likely telemetry

  • Windows endpoint process creation and parent/child process metadata
  • DLL and shared module load events, including unusual loads by service or spooler-related processes
  • Windows Registry modification events, especially persistence-related keys and print processor configuration areas
  • Windows service creation or modification events
  • Token use, impersonation, integrity-level changes, and privileged process creation evidence where available

Detection direction

  • Validate behavior detections mapped to the related techniques instead of relying on ATT&CK-provided PipeMon detection guidance, because none is supplied.
  • Tune for combinations of persistence plus stealth, such as service or print processor changes followed by unusual DLL loading, registry modification, or suspicious parent process lineage.
  • Review false positives from legitimate administration, software deployment, printer management, signed software, and security tooling before escalating alerts.
  • Look for discovery behavior occurring near privilege-escalation or C2-like network activity, since individual discovery commands or API calls may be benign in isolation.
  • Confirm visibility into encrypted and fallback outbound channels through metadata, destinations, timing, and protocol anomalies; content inspection alone may be insufficient.

Mitigation priorities

  • Start with Windows hardening for least privilege, controlled administrative rights, and UAC policy review because related behaviors include privilege escalation and token-based process creation.
  • Restrict and monitor service creation, registry persistence locations, and print processor changes using change control and alerting.
  • Use application control, trusted signing policy, and verification of code-signing trust where feasible, while recognizing signed code can still be abused.
  • Harden endpoint detection coverage for DLL injection, shared module loading, obfuscated or encoded files, and fileless storage indicators.
  • Enforce egress controls and monitor outbound protocols to reduce the reliability of fallback, non-application-layer, and encrypted C2 communications.
Analyst notes and limits

The relationship context ties PipeMon to Winnti Group and to multiple ATT&CK techniques across command-and-control, discovery, execution, persistence, privilege escalation, stealth, and defense impairment. The group description notes Chinese origins, activity since at least 2010, heavy targeting of the gaming industry, and expanded targeting scope; use that as threat-intelligence context, not as proof of local exposure.

ATT&CK lists PipeMon as Windows malware but provides no official detection text, no aliases, and no malware-level tactics. This take is therefore derived from the official description, external references, and supplied relationships. Local telemetry, asset criticality, and confirmed indicators are required to determine exposure or detection coverage.

Official MITRE ATT&CK definition

PipeMon

PipeMon is a multi-stage modular backdoor used by Winnti Group.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

23 rows
Domain ID Name Relationship / procedure
Enterprise T1134.002 Create Process with Token Sub-technique

PipeMon can attempt to gain administrative privileges using token impersonation.[1]
Enterprise T1082 System Information Discovery

PipeMon can collect and send OS version and computer name as a part of its C2 beacon.[1]
Enterprise T1112 Modify Registry

PipeMon has modified the Registry to store its encrypted payload.[1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

PipeMon modules are stored encrypted on disk.[1]
Enterprise T1105 Ingress Tool Transfer

PipeMon can install additional modules via C2 commands.[1]
Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

PipeMon can inject its modules into various processes using reflective DLL loading.[1]
Enterprise T1547.012 Print Processors Sub-technique

The PipeMon installer has modified the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors to install PipeMon as a Print Processor.[1]
Enterprise T1095 Non-Application Layer Protocol

The PipeMon communication module can use a custom protocol based on TLS over TCP.[1]
Enterprise T1548.002 Bypass User Account Control Sub-technique

PipeMon installer can use UAC bypass techniques to install the payload.[1]
Enterprise T1057 Process Discovery

PipeMon can iterate over the running processes to find a suitable injection target.[1]
Enterprise T1124 System Time Discovery

PipeMon can send time zone information from a compromised host to C2.[1]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

PipeMon communications are RC4 encrypted.[1]
Enterprise T1134.004 Parent PID Spoofing Sub-technique

PipeMon can use parent PID spoofing to elevate privileges.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

PipeMon can decrypt password-protected executables.[1]
Enterprise T1106 Native API

PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.[1]
Enterprise T1027.011 Fileless Storage Sub-technique

PipeMon has stored its encrypted payload in the Registry under `HKLM\SOFTWARE\Microsoft\Print\Components\`.[1]
Enterprise T1543.003 Windows Service Sub-technique

PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.[1]
Enterprise T1553.002 Code Signing Sub-technique

PipeMon, its installer, and tools are signed with stolen code-signing certificates.[1]
Enterprise T1008 Fallback Channels

PipeMon can switch to an alternate C2 domain when a particular date has been reached.[1]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.[1]
Enterprise T1016 System Network Configuration Discovery

PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.[1]
Enterprise T1518.001 Security Software Discovery Sub-technique

PipeMon can check for the presence of ESET and Kaspersky security software.[1]
Enterprise T1129 Shared Modules

PipeMon has used call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode.[1]
Associated objects

Groups, software, and campaigns

Relationship explorer

All related ATT&CK context

uses · Technique T1134.002: Create Process with Token Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Group G0044: Winnti Group Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1055.001: Dynamic-link Library Injection Enterprise uses · Technique T1547.012: Print Processors Enterprise uses · Technique T1095: Non-Application Layer Protocol Enterprise uses · Technique T1548.002: Bypass User Account Control Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1124: System Time Discovery Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1134.004: Parent PID Spoofing Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1027.011: Fileless Storage Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1553.002: Code Signing Enterprise uses · Technique T1008: Fallback Channels Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1129: Shared Modules Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
bb2e04cf330d7002...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle bb2e04cf330d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    ESET PipeMon May 2020

    Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.

    Open source URL
  2. [2]
    mitre-attack S0501
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use