DOWNIISSA

DOWNIISSA is a shellcode downloader that has been used by MirrorFace since at least 2022 to deploy payloads, including the LODEINFO backdoor.^[1]

ID: S9021

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Dominik Breitenbacher, ESET

Version: 1.0

Created: 17 April 2026

Last Modified: 24 April 2026

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1140		Deobfuscate/Decode Files or Information	DOWNIISSA can decode strings prior to execution.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	DOWNIISSA can delete files after download.^[1]
Enterprise	T1105		Ingress Tool Transfer	DOWNIISSA can download files to the compromised host.^[1]
Enterprise	T1106		Native API	DOWNIISSA can use the `URLDownloadToFileA()` API to download from remote resources.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	DOWNIISSA code is base64 encoded and XOR encrypted.^[1]
Enterprise	T1055		Process Injection	DOWNIISSA can inject shellcode directly into process memory including WINWORD.exe and msiexec.exe.^[1]
Enterprise	T1218	.007	System Binary Proxy Execution: Msiexec	DOWNIISSA can create an instance of msiexec.exe and inject LODEINFO shellcode into the memory of the process.^[1]

ID	Name	References
G1054	MirrorFace	DOWNIISSA has been used by MirrorFace to download LODEINFO.^[1]