ATT&CKcon 6.0 is coming October 14-15 in McLean, VA and live online. To potentially join us on stage, submit to our CFP by July 9th

SHOTPUT

SHOTPUT is a custom backdoor used by APT3. ^[1]

ID: S0063

ⓘ

Associated Software: Backdoor.APT.CookieCutter, Pirpi

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 25 April 2025

Version Permalink

Live Version

Associated Software Descriptions

Name	Description
Backdoor.APT.CookieCutter	^[2]
Pirpi	^[2]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.001	Account Discovery: Local Account	SHOTPUT has a command to retrieve information about connected users.^[3]
Enterprise	T1083		File and Directory Discovery	SHOTPUT has a command to obtain a directory listing.^[3]
Enterprise	T1027		Obfuscated Files or Information	SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.^[1]^[3]
Enterprise	T1057		Process Discovery	SHOTPUT has a command to obtain a process listing.^[3]
Enterprise	T1018		Remote System Discovery	SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.^[3]
Enterprise	T1049		System Network Connections Discovery	SHOTPUT uses netstat to list TCP connection status.^[3]

Groups That Use This Software

ID	Name	References
G0022	APT3	^[1]

References

Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.

Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.