TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]

ID: S0131
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1020 Automated Exfiltration

When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TINYTYPHON installs itself under Registry Run key to establish persistence.[1]

Enterprise T1083 File and Directory Discovery

TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.[1]

Enterprise T1027 Obfuscated Files or Information

TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.[1]

Groups That Use This Software

ID Name References
G0040 Patchwork