The sub-techniques beta is now live! Read the release blog post for more info.


Misdat is a backdoor that was used by Dust Storm from 2010 to 2011. [1]

ID: S0083
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Misdat is capable of providing shell functionality to the attacker to execute commands.[1]

Enterprise T1043 Commonly Used Port

Misdat network traffic communicates over common ports like 80, 443, or 1433.[1]

Enterprise T1094 Custom Command and Control Protocol

Misdat network traffic communicates over a raw socket.[1]

Enterprise T1132 Data Encoding

Misdat network traffic is Base64-encoded plaintext.[1]

Enterprise T1083 File and Directory Discovery

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[1]

Enterprise T1107 File Deletion

Misdat is capable of deleting the backdoor file.[1]

Enterprise T1070 Indicator Removal on Host

Misdat is capable of deleting Registry keys used for persistence.[1]

Enterprise T1036 Masquerading

Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.[1][2]

Enterprise T1105 Remote File Copy

Misdat is capable of downloading files from the C2.[1]

Enterprise T1095 Standard Non-Application Layer Protocol

Misdat network traffic communicates over a raw socket.[1]

Enterprise T1082 System Information Discovery

The initial beacon packet for Misdat contains the operating system version of the victim.[1]

Enterprise T1099 Timestomp

Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[1]

Groups That Use This Software

ID Name References
G0031 Dust Storm [1]