THINCRUST

THINCRUST is a Python-based backdoor tool that has been used by UNC3886 since at least 2023.[1]

ID: S1223
Type: MALWARE
Platforms: Network Devices
Version: 1.0
Created: 16 June 2025
Last Modified: 16 June 2025

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | THINCRUST can use HTTP POST requests in C2 communications.[1] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | THINCRUST can use Python scripts for command execution.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | THINCRUST can deobfuscate RSA encrypted C2 commands received through the DEVICEID cookie.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | THINCRUST can process RSA encrypted C2 commands.[1] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | THINCRUST can use the Django Python module "django.views.decorators.csrf" along with the decorator "csrf_exempt" within victim firewalls to disable cross-site request forgery protections.[1] |
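The csrf_exempt use described for T1562.004 is a source-level pattern a defender can audit for in Django files recovered from a device. The following is an added example, not from the original page and not THINCRUST code: it uses Python's ast module to list views exempted from CSRF checks, and the sample source and the name find_csrf_exempt are constructed for illustration.

```python
import ast

CSRF_MODULE = "django.views.decorators.csrf"

# Constructed sample input: only the import/decorator pattern, not real malware code.
SAMPLE = '''\
from django.views.decorators.csrf import csrf_exempt as no_csrf
import django.views.decorators.csrf as djcsrf
@no_csrf
def status(request):
    return "ok"
@djcsrf.csrf_exempt
def upload(request):
    return "ok"
def health(request):
    return "ok"
legacy = no_csrf(health)
'''

def find_csrf_exempt(source):
    """Return sorted (line, name, kind) for each csrf_exempt use in source."""
    tree = ast.parse(source)
    names, modules = set(), set()   # local aliases of the decorator / of the module
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == CSRF_MODULE:
            names.update(a.asname or a.name for a in node.names if a.name == "csrf_exempt")
        elif isinstance(node, ast.Import):
            modules.update(a.asname for a in node.names if a.name == CSRF_MODULE and a.asname)

    def is_exempt(expr):
        if isinstance(expr, ast.Name):          # bare or aliased decorator name
            return expr.id in names
        if isinstance(expr, ast.Attribute) and expr.attr == "csrf_exempt":
            return ast.unparse(expr.value) in modules | {CSRF_MODULE}
        return False

    hits = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if any(is_exempt(d) for d in node.decorator_list):
                hits.append((node.lineno, node.name, "decorator"))
        elif isinstance(node, ast.Call) and is_exempt(node.func) and node.args:
            hits.append((node.lineno, ast.unparse(node.args[0]), "call"))  # csrf_exempt(view)
    return sorted(hits)

if __name__ == "__main__":
    for line, name, kind in find_csrf_exempt(SAMPLE):
        print(f"line {line}: {name} ({kind})")
```

csrf_exempt also appears in legitimate Django code, so each hit is a lead to compare against a known-good copy of the device's files.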

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1048 | UNC3886 | [1] |

References