TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]

ID: S0131
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1020 Automated Exfiltration When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.[1]
Enterprise T1083 File and Directory Discovery TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.[1]
Enterprise T1027 Obfuscated Files or Information TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.[1]
Enterprise T1060 Registry Run Keys / Startup Folder TINYTYPHON installs itself under Registry Run key to establish persistence.[1]


Groups that use this software: