S0696: Flagpro
Analyst context for executives and security teams
Flagpro matters because ATT&CK describes it as a Windows first-stage downloader associated with follow-on discovery, persistence, command-and-control, tool transfer, and possible data collection/exfiltration behaviors. For leaders, the key decision is not whether one malware name is present, but whether email, endpoint, registry, and web egress controls can expose an early foothold before it becomes broader intrusion activity.
Executive priority
Prioritize validation where business disruption would be highest: Windows endpoints receiving attachments, users with access to sensitive local or shared data, and networks where outbound web traffic is weakly monitored. The ATT&CK description notes historical use against defense, media, and communications companies in Japan, so organizations with similar sector, geography, or partner exposure should ensure incident response playbooks can rapidly answer: how did the file execute, what persistence was created, what discovery ran, and whether data moved over web-based C2.
Technical view
Treat Flagpro coverage as a Windows intrusion-chain validation exercise. ATT&CK provides no official detection text, so SOC teams should map detections to the relationships: spearphishing attachment and malicious file execution; Windows command shell, Visual Basic, and Native API execution; Registry Run Keys/Startup Folder persistence; local user/group, process, window, network, remote system, and share discovery; obfuscation/masquerading/indicator removal; web-protocol C2 with standard encoding; ingress tool transfer; local data collection; and scheduled or C2-channel exfiltration. Because several related techniques have broader platform metadata, keep this object’s implementation scope constrained to the supplied Windows malware platform unless local evidence shows otherwise.
Likely telemetry
- Email gateway and attachment metadata, including sender, recipient, attachment type, detonation results, and user interaction where available
- Endpoint process creation telemetry with command line, parent/child process relationships, script interpreter activity, and module/API-related signals where collected
- Windows registry and startup folder change events, especially Run key creation or modification
- File creation, rename, deletion, and download events that can support obfuscation, masquerading, ingress transfer, and indicator-removal review
- Endpoint discovery evidence: user/group queries, process listings, network configuration and connection queries, remote host discovery, and network share enumeration
Detection direction
- Validate chained analytics rather than relying on a single malware signature: attachment execution followed by script or command shell activity, discovery commands, persistence writes, and outbound web traffic is more decision-useful than any one event alone.
- Tune discovery detections for context. Administrative tools can legitimately enumerate processes, users, network connections, and shares; raise priority when these occur from unusual parent processes, recently delivered files, uncommon users, or shortly before outbound transfers.
- Confirm whether registry Run key and startup folder auditing is enabled on Windows endpoints; this is a common blind spot for persistence triage.
- Review web egress visibility. Standard encoding and HTTP/S-based C2 can blend with normal traffic, so proxy/DNS logs, destination reputation, request periodicity, and endpoint-to-network correlation are important.
- Account for sparse official detection guidance. Detection engineering should be validated through local telemetry tests and incident retrospectives, not assumed from ATT&CK mapping alone.
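As an added illustration of the chained-analytic approach in the list above (example code written here, not part of the ATT&CK object or the Glexia analysis), the following Python correlates constructed Windows endpoint events per host into the stages this page maps: attachment execution, discovery, Run key persistence, and web egress. The event schema, image-name sets, Run key path, one-hour window and three-stage threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Image and key patterns are assumptions for this example, not ATT&CK data.
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
DISCOVERY = {"whoami.exe", "net.exe", "net1.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
ORDER = ["attachment_execution", "discovery", "persistence", "web_egress"]

def stage_of(ev):
    """Map one normalised endpoint event to a chain stage, or None."""
    if ev["kind"] == "process":
        img, parent = ev["image"].lower(), ev["parent"].lower()
        if parent in OFFICE and img in SHELLS:
            return "attachment_execution"  # document spawning an interpreter
        if img in DISCOVERY:
            return "discovery"
    elif ev["kind"] == "registry" and RUN_KEY in ev["key"].lower():
        return "persistence"  # Run key write
    elif ev["kind"] == "network" and ev["dport"] in (80, 443):
        return "web_egress"  # HTTP/S egress; only meaningful in chain context
    return None

def correlate(events, window=timedelta(hours=1), min_stages=3):
    """Per host, list observed stages and alert only when attachment execution
    is followed within `window` by enough further stages (min_stages counts it)."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = stage_of(ev)
        if st:
            by_host.setdefault(ev["host"], []).append((ev["ts"], st))
    verdicts = {}
    for host, hits in by_host.items():
        starts = [t for t, s in hits if s == "attachment_execution"]
        chain = {s for t, s in hits if starts and starts[0] <= t <= starts[0] + window}
        verdicts[host] = {"stages": sorted({s for _, s in hits}, key=ORDER.index),
                          "alert": len(chain) >= min_stages}
    return verdicts

T = datetime(2024, 1, 15, 9, 0)
SAMPLE = [  # constructed telemetry; hostnames, image names and key path are made up
    {"ts": T, "host": "WS01", "kind": "process", "image": "cmd.exe", "parent": "WINWORD.EXE"},
    {"ts": T + timedelta(minutes=1), "host": "WS01", "kind": "process", "image": "net.exe", "parent": "cmd.exe"},
    {"ts": T + timedelta(minutes=2), "host": "WS01", "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": T + timedelta(minutes=5), "host": "WS01", "kind": "network", "image": "updater.exe", "dport": 443},
    # admin workstation: discovery and web egress without attachment execution -> no alert
    {"ts": T, "host": "ADM01", "kind": "process", "image": "tasklist.exe", "parent": "cmd.exe"},
    {"ts": T + timedelta(minutes=1), "host": "ADM01", "kind": "network", "image": "msedge.exe", "dport": 443},
]
```

The admin host shows why the discovery and egress stages alone do not alert: the chain only fires when the earlier attachment-execution context is present, which is the tuning point the list above recommends.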
Mitigation priorities
- Reduce initial execution risk through attachment filtering, safe handling controls, user reporting workflows, and restrictions on high-risk file types where operationally feasible.
- Harden Windows endpoints by limiting unnecessary script and command interpreter use, enforcing least privilege, and monitoring or controlling startup persistence locations.
- Strengthen egress governance: route outbound web traffic through monitored control points, restrict unnecessary direct Internet access, and retain sufficient proxy/DNS metadata for investigations.
- Review local administrator exposure and local group membership because discovery of users and groups can help an intruder identify higher-value accounts.
- Prepare IR runbooks that collect process trees, registry persistence, recently created files, outbound destinations, and data access evidence from affected Windows systems before evidence is lost.
Analyst notes and limits
This take is based on the supplied ATT&CK S0696 object, its external NTT Security reference, and the listed relationships. The most operationally useful context comes from the relationships: Flagpro is not just a downloader label; it is mapped to behaviors spanning initial access, execution, persistence, discovery, defense evasion, command-and-control, collection, transfer, and exfiltration-related activity.
ATT&CK provides no official detection guidance for this object, no aliases in the supplied fields, and no object-level tactics. The description supports Windows as the platform and historical use by BlackTech since at least October 2020, primarily against defense, media, and communications companies in Japan; it does not by itself prove current activity, local exposure, or detection coverage in any environment.
Flagpro
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G0098: BlackTech
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 679422ac9ec1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Hada, H. (2021, December 28). Flagpro: The new malware used by BlackTech. NTT Security. Retrieved March 25, 2022. (Open source URL)
- [2] MITRE ATT&CK. S0696: Flagpro. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.