1. Home
  2. Software
  3. DUSTPAN

DUSTPAN

DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes an embedded payload.[1][2]

ID: S1158
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 September 2024
Last Modified: 21 September 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

DUSTPAN can persist as a Windows Service in operations.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

DUSTPAN decodes and decrypts embedded payloads.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

DUSTPAN is often disguised as a legitimate Windows binary such as w3wp.exe or conn.exe.[1]
Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

DUSTPAN decrypts and executes an embedded payload.[1][2]
.013 Obfuscated Files or Information: Encrypted/Encoded File

DUSTPAN decrypts an embedded payload.[1][2]
Enterprise T1055 .002 Process Injection: Portable Executable Injection

DUSTPAN can inject its decrypted payload into another process.[1]

Groups That Use This Software

ID Name References
G0096 APT41

[2][1]

Campaigns

ID Name Description
C0040 APT41 DUST

DUSTPAN was used during APT41 DUST.[1]

References

  1. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  1. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.