The sub-techniques beta is now live! Read the release blog post for more info.


Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [1] [2]

ID: S0187
Associated Software: Muirim, Nioupale
Platforms: Windows
Version: 1.0
Created: 16 January 2018
Last Modified: 17 October 2018

Associated Software Descriptions

Name Description
Muirim [1]
Nioupale [1]

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing

Some Daserf samples were signed with a stolen digital certificate.[3]

Enterprise T1059 Command-Line Interface

Daserf can execute shell commands.[1][2]

Enterprise T1003 Credential Dumping

Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[3]

Enterprise T1002 Data Compressed

Daserf hides collected data in password-protected .rar archives.[3]

Enterprise T1132 Data Encoding

Daserf uses custom base64 encoding to obfuscate HTTP traffic.[2]

Enterprise T1022 Data Encrypted

Daserf hides collected data in password-protected .rar archives.[3]

Enterprise T1001 Data Obfuscation

Daserf can use steganography to hide malicious code downloaded to the victim.[1]

Enterprise T1066 Indicator Removal from Tools

Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[1]

Enterprise T1056 Input Capture

Daserf can log keystrokes.[1][2]

Enterprise T1036 Masquerading

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[3]

Enterprise T1027 Obfuscated Files or Information

Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[1]

Enterprise T1105 Remote File Copy

Daserf can download remote files.[1][2]

Enterprise T1113 Screen Capture

Daserf can take screenshots.[1][2]

Enterprise T1045 Software Packing

A version of Daserf uses the MPRESS packer.[1]

Enterprise T1071 Standard Application Layer Protocol

Daserf uses HTTP for C2.[2]

Enterprise T1032 Standard Cryptographic Protocol

Daserf uses RC4 encryption to obfuscate HTTP traffic.[2]

Groups That Use This Software

ID Name References
G0060 BRONZE BUTLER [1] [3]