The sub-techniques beta is now live! Read the release blog post for more info.


DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [1]

ID: S0186
Platforms: Windows
Version: 1.0
Created: 16 January 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

DownPaper uses the command line.[1]

Enterprise T1086 PowerShell

DownPaper uses PowerShell for execution.[1]

Enterprise T1012 Query Registry

DownPaper searches and reads the value of the Windows Update Registry Run key.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.[1]

Enterprise T1071 Standard Application Layer Protocol

DownPaper communicates to its C2 server over HTTP.[1]

Enterprise T1082 System Information Discovery

DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[1]

Enterprise T1033 System Owner/User Discovery

DownPaper collects the victim username and sends it to the C2 server.[1]

Groups That Use This Software

ID Name References
G0058 Charming Kitten [1]