{"description": "Enterprise techniques used by Fooder, ATT&CK software S9033 (v1.0)", "name": "Fooder (S9033)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[Fooder](https://attack.mitre.org/software/S9033)\u202fhas used the `DuplicateTokenEx` API to duplicate the token of a specified process, and `CreateProcessAsUserA` to execute its payload.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1678", "comment": "[Fooder](https://attack.mitre.org/software/S9033) has used a custom delay function\u202f(`delayExecution(integer)`)\u202fand Sleep API calls\u202f(`Sleep(integer)`)\u202fto slow code\u202fexecution.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Fooder](https://attack.mitre.org/software/S9033)\u202fhas decrypted payloads using the\u202fWinCrypt\u202fAPI and the AES\u202fkey.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Fooder](https://attack.mitre.org/software/S9033) has frequently masqueraded as the Snake game, using strings such as \u201cWelcome to snake Game\u201d and mutexes such as \u201cSNAKE_G.\u201d(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Fooder](https://attack.mitre.org/software/S9033) has used the WinCrypt API for payload decryption, `DuplicateTokenEx` to duplicate the token of a specified process, and `CreateProcessAsUserA` for payload execution.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Fooder](https://attack.mitre.org/software/S9033) has stored its embedded payload in encrypted form within the binary, using a hardcoded key modified at runtime to produce the AES decryption key.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1620", "comment": "[Fooder](https://attack.mitre.org/software/S9033)\u202fhas reflectively loaded a payload into\u202fmemory.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Fooder", "color": "#66b1ff"}]}