SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]

ID: S0663
Associated Software: HyperSSL, Soldier, FOCUSFJORD
Platforms: Windows
Version: 1.0
Created: 29 November 2021
Last Modified: 15 April 2022

Associated Software Descriptions

Techniques Used

Domain ID Name Use
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SysUpdate can use a Registry Run key to establish persistence.[1]

Enterprise T1543.003 Create or Modify System Process: Windows Service

SysUpdate can create a service to establish persistence.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

SysUpdate can deobfuscate packed binaries in memory.[1]

Enterprise T1083 File and Directory Discovery

SysUpdate can search files on a compromised host.[1]

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

SysUpdate has the ability to set file attributes to hidden.[1]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

SysUpdate can load DLLs through vulnerable legitimate executables.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

SysUpdate can delete its configuration file from the targeted system.[1]

Enterprise T1105 Ingress Tool Transfer

SysUpdate has the ability to download files to a compromised host.[1]

Enterprise T1112 Modify Registry

SysUpdate can write its configuration file to Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[1]

Enterprise T1027 Obfuscated Files or Information

SysUpdate can encrypt and encode its configuration file.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

SysUpdate can use packed binaries.[1]

Enterprise T1113 Screen Capture

SysUpdate has the ability to capture screenshots.[1]

Enterprise T1082 System Information Discovery

SysUpdate can determine whether a system has a 32-bit or 64-bit architecture.[1]

Enterprise T1569.002 System Services: Service Execution

SysUpdate can manage services and processes.[1]

Enterprise T1047 Windows Management Instrumentation

SysUpdate can use WMI for execution on a compromised host.[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390