{"description": "Enterprise techniques used by HTTPTroy, ATT&CK software S9007 (v1.0)", "name": "HTTPTroy (S9007)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has leveraged the ability to execute commands with system privileges using the `srun  ` command.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has used HTTP POST requests to communicate with C2.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has the ability to generate a reverse shell using the command `conn  `.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.002", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has obfuscated HTTP POST request communications utilizing XOR with a designated key of 0x56, followed by Base64 encoding.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has decoded strings encoded with Base64 and XOR prior to execution.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": 
"[HTTPTroy](https://attack.mitre.org/software/S9007) has obfuscated request communications utilizing XOR encryption.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has exfiltrated encrypted data over the C2 channel using the `up ` command.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) can terminate its running process and then remove traces of itself through the `die ` command.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has the ability to download files from C2 using the `down ` command.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has leveraged Windows Native API calls, including `GetProcAddress` to execute functions in memory.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions to hinder analysis and detection.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has utilized dynamic API resolution by reconstructing API calls during runtime using combinations of arithmetic and logical operations to complicate static analysis.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[HTTPTroy](https://attack.mitre.org/software/S9007) has obtained screen captures leveraging the `screen` command which captures, encrypts and uploads the stolen image to the adversary controlled C2 server.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by HTTPTroy", "color": "#66b1ff"}]}