The sub-techniques beta is now live! Read the release blog post for more info.


ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]

ID: S0073
Associated Software: ASPXTool
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1100 Web Shell

ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1]

G0014 Night Dragon [2]
G0087 APT39 [3]
G0096 APT41 [4]