DUSTPAN

DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes an embedded payload.[1][2]

ID: S1158
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 September 2024
Last Modified: 21 September 2024

Techniques Used

Domain | ID | Name | Use
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | DUSTPAN can persist as a Windows Service in operations.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | DUSTPAN decodes and decrypts embedded payloads.[1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | DUSTPAN is often disguised as a legitimate Windows binary such as w3wp.exe or conn.exe.[1]
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | DUSTPAN decrypts and executes an embedded payload.[1][2]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | DUSTPAN decrypts an embedded payload.[1][2]
Enterprise | T1055.002 | Process Injection: Portable Executable Injection | DUSTPAN can inject its decrypted payload into another process.[1]

Groups That Use This Software

ID | Name | References
G0096 | APT41 | [1][2]

Campaigns

ID | Name | Description
C0040 | APT41 DUST | DUSTPAN was used during APT41 DUST.[1]

References