DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[1]

ID: S1052
Platforms: Windows
Version: 1.0
Created: 20 December 2022
Last Modified: 07 April 2023

Associated Software Descriptions

Name Description




Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

DEADEYE can run cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll to combine separated sections of code into a single DLL prior to execution.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.[1]

Enterprise T1480 Execution Guardrails

DEADEYE can ensure it executes only on intended systems by identifying the victim's volume serial number, hostname, and/or DNS domain.[1]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

The DEADEYE.EMBED variant of DEADEYE can embed its payload in an alternate data stream of a local file.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

DEADEYE has used schtasks /change to modify scheduled tasks including \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.[1]

Enterprise T1106 Native API

DEADEYE can execute the GetComputerNameA and GetComputerNameExA WinAPI functions.[1]

Enterprise T1027 Obfuscated Files or Information

DEADEYE has encrypted its payload.[1]

.009 Embedded Payloads

The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.[1]

Enterprise T1053 Scheduled Task/Job

DEADEYE has used the scheduled tasks \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared to establish persistence.[1]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

DEADEYE can use msiexec.exe for execution of malicious DLL.[1]

.011 System Binary Proxy Execution: Rundll32

DEADEYE can use rundll32.exe for execution of living off the land binaries (lolbin) such as SHELL32.DLL.[1]

Enterprise T1082 System Information Discovery

DEADEYE can enumerate a victim computer's volume serial number and host name.[1]

Enterprise T1016 System Network Configuration Discovery

DEADEYE can discover the DNS domain name of a targeted system.[1]

Groups That Use This Software

ID Name References
G0096 APT41



ID Name Description
C0017 C0017