PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

ID: G0068
Contributors: Ryan Becwar
Version: 1.3
Created: 18 April 2018
Last Modified: 22 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.[1]

Enterprise T1068 Exploitation for Privilege Escalation

PLATINUM has leveraged a zero-day vulnerability to escalate privileges.[1]

Enterprise T1105 Ingress Tool Transfer

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[2]

Enterprise T1056.001 Input Capture: Keylogging

PLATINUM has used several different keyloggers.[1]

Enterprise T1056.004 Input Capture: Credential API Hooking

PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.[1]

Enterprise T1036 Masquerading

PLATINUM has renamed rar.exe to avoid detection.[3]

Enterprise T1095 Non-Application Layer Protocol

PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.[2] Because SOL traffic is handled by the Intel Management Engine rather than the host operating system, it bypasses the host network stack and is not seen by host-based firewalls or packet capture on the victim; it is still visible to network-level monitoring on the wire.

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

PLATINUM has used keyloggers that are also capable of dumping credentials.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.[1]

Enterprise T1055 Process Injection

PLATINUM has used various methods of process injection, including abuse of the Windows hotpatching mechanism to place code in running processes without calling the memory-write and remote-thread APIs that security tools commonly monitor.[1]

Enterprise T1204.002 User Execution: Malicious File

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[1]

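The Masquerading entry above (PLATINUM renaming rar.exe) is one of the few rows here with a cheap, high-signal host detection. The following is an added example, not code from the ATT&CK page or from any PLATINUM sample: it reads Sysmon Event ID 1 (ProcessCreate) records and compares the on-disk image name against the OriginalFileName field, which Sysmon copies from the PE version resource. A copied and renamed binary keeps its compiled-in OriginalFileName, so the two disagree. The log records are constructed for illustration, and the WATCHLIST of commonly renamed tools is an assumption beyond what the page states (only Rar.exe is attributed to PLATINUM).

```python
"""Flag renamed binaries (T1036) from Sysmon ProcessCreate records.

Added example; the events below are constructed, not captured telemetry.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Assumed watchlist: tool binaries attackers commonly copy under a new name.
# Only Rar.exe is attributed to PLATINUM on this page; the rest are illustrative.
WATCHLIST = {"rar.exe", "7z.exe", "procdump.exe", "psexec.exe"}

# Constructed Sysmon Event ID 1 records in the "Key: Value" layout Event Viewer
# shows. Sysmon writes "-" for a field it could not populate.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\cmd.exe\n"
    "OriginalFileName: Cmd.Exe\n"
    "CommandLine: cmd.exe /c whoami\n"
    "ParentImage: C:\\Windows\\explorer.exe",
    # rar.exe copied to a system-looking name, then used to stage data for exfil
    "Image: C:\\ProgramData\\Intel\\svchost.exe\n"
    "OriginalFileName: Rar.exe\n"
    "CommandLine: svchost.exe a -r -hp C:\\ProgramData\\Intel\\d.rar C:\\Users\\alice\\Documents\n"
    "ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\svchost.exe\n"
    "OriginalFileName: svchost.exe\n"
    "CommandLine: C:\\Windows\\System32\\svchost.exe -k netsvcs\n"
    "ParentImage: C:\\Windows\\System32\\services.exe",
    # No version resource at all: a different (weaker) signal, not a mismatch
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\n"
    "OriginalFileName: -\n"
    "CommandLine: update.exe\n"
    "ParentImage: C:\\Windows\\explorer.exe",
    # Renamed system utility not on the watchlist: still a mismatch
    "Image: C:\\Users\\alice\\Downloads\\report.exe\n"
    "OriginalFileName: wmic.exe\n"
    "CommandLine: report.exe process list brief\n"
    "ParentImage: C:\\Windows\\explorer.exe",
]


@dataclass(frozen=True)
class Finding:
    image: str
    original_file_name: str
    severity: str  # "high": watched tool renamed; "medium": any other mismatch


def parse_event(text: str) -> Dict[str, str]:
    """Split a Sysmon message body into its 'Key: Value' fields."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, _, value = line.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def names_agree(image_path: str, original: str) -> bool:
    """True when the on-disk basename matches OriginalFileName.

    Comparison is case-insensitive (Cmd.Exe vs cmd.exe) and tolerates a
    differing or absent extension, since some version resources omit it.
    """
    disk = ntpath.basename(image_path).lower()
    orig = original.lower()
    if disk == orig:
        return True
    return ntpath.splitext(disk)[0] == ntpath.splitext(orig)[0]


def check_event(fields: Dict[str, str],
                allowlist: FrozenSet[Tuple[str, str]] = frozenset()) -> Optional[Finding]:
    """Return a Finding for a (disk name, OriginalFileName) mismatch, else None.

    allowlist holds (disk_name, original_name) pairs known to be legitimate
    in your fleet; populate it from a baseline rather than guessing.
    """
    image = fields.get("Image", "")
    original = fields.get("OriginalFileName", "-")
    if not image or original == "-":
        return None  # no version info: handle separately, not as a rename
    if names_agree(image, original):
        return None
    disk = ntpath.basename(image).lower()
    if (disk, original.lower()) in allowlist:
        return None
    severity = "high" if original.lower() in WATCHLIST else "medium"
    return Finding(image, original, severity)


def scan(events: Iterable[str],
         allowlist: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Run check_event over raw Sysmon message bodies and keep the hits."""
    hits = (check_event(parse_event(e), allowlist) for e in events)
    return [f for f in hits if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image} has OriginalFileName "
              f"{finding.original_file_name}")
```

The same comparison can be made at rest with the PE version resource of files on disk, but the process-creation view is what catches the rename at the moment rar.exe is actually run to stage data. Treat the "-" case (no version resource) as its own rule; packed or custom implants often lack one, so it should not be silenced, but it is not a rename.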

Software

ID Name References Techniques

S0202 adbupd [1]
Techniques: Command and Scripting Interpreter: Windows Command Shell; Encrypted Channel: Asymmetric Cryptography; Event Triggered Execution: Windows Management Instrumentation Event Subscription

S0200 Dipsind [1]
Techniques: Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Winlogon Helper DLL; Command and Scripting Interpreter: Windows Command Shell; Data Encoding: Standard Encoding; Encrypted Channel: Symmetric Cryptography; Ingress Tool Transfer; Scheduled Transfer

S0201 JPIN [1]
Techniques: Application Layer Protocol: Mail Protocols; Application Layer Protocol: File Transfer Protocols; BITS Jobs; Command and Scripting Interpreter: Windows Command Shell; File and Directory Discovery; File and Directory Permissions Modification: Windows File and Directory Permissions Modification; Impair Defenses: Disable or Modify Tools; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Obfuscated Files or Information; Permission Groups Discovery: Local Groups; Process Discovery; Process Injection; Query Registry; Software Discovery: Security Software Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery