

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]

ID: S0131
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1020 | Automated Exfiltration | When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server. [1] |
| Enterprise | T1083 | File and Directory Discovery | TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | TINYTYPHON installs itself under a Registry Run key to establish persistence. [1] |
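
For analysts triaging a suspect file, the T1027 entry above (configuration obfuscated by XOR with 0x90) can be checked with a small string sweep. This is an added example, not code from the cited report or from MITRE; the configuration layout, field names, extensions and URL in the sample are constructed assumptions, and only the key 0x90 comes from this page.

```python
import re

XOR_KEY = 0x90  # single-byte key this page reports for the configuration file

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")   # comparable to `strings -n 6`
EXTENSION = re.compile(r"\.[A-Za-z0-9]{2,4}\b")   # tokens such as ".doc"
URL = re.compile(r"https?://", re.IGNORECASE)


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def classify(text: str) -> list:
    """Tag a decoded string with the config-like traits it shows."""
    tags = []
    if len(EXTENSION.findall(text)) >= 2:
        tags.append("extension-list")
    if URL.search(text):
        tags.append("url")
    return tags


def triage(blob: bytes, key: int = XOR_KEY) -> list:
    """Return (offset, decoded_text, tags) for config-like strings hidden by XOR."""
    hits = []
    for match in PRINTABLE_RUN.finditer(xor_decode(blob, key)):
        text = match.group().decode("ascii")
        tags = classify(text)
        if tags:  # drop printable runs that carry no config-like trait
            hits.append((match.start(), text, tags))
    return hits


# Constructed sample: field names, extensions and URL are invented for this example.
SAMPLE_CONFIG = b"ext=.doc;.pdf;.xls\x00url=http://c2.example.invalid/up\x00"
SAMPLE_BLOB = bytes(range(16)) + xor_decode(SAMPLE_CONFIG) + bytes(range(16))

if __name__ == "__main__":
    for offset, text, tags in triage(SAMPLE_BLOB):
        print(f"0x{offset:04x}  {','.join(tags):15} {text}")
```

A hit is a lead for manual review rather than an identification, since any file XORed with 0x90 will produce the same tags.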

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0040 | Patchwork | [1] |