Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[1]

ID: S1041
Platforms: Windows
Version: 1.0
Created: 21 September 2022
Last Modified: 10 October 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Chinoxy has established persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and by loading a dropper to (%COMMON_STARTUP%\eoffice.exe).[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | The Chinoxy dropping function can initiate decryption of its config file.[1] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Chinoxy can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its DLL into memory.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Chinoxy has used the name eoffice.exe in an attempt to appear as a legitimate file.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Chinoxy has encrypted its configuration file.[1] |


| ID | Name | Description |
|---|---|---|
| C0007 | FunnyDream | During FunnyDream, Chinoxy was used to gain persistence and deploy other malware components.[1] |