S0026 GLOOXMAIL

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. [1]

| Item | Value |
|---|---|
| ID | S0026 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 28 August 2024 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.005 | Publish/Subscribe Protocols | GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol for C2. [2] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol. [1][3] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0006 | APT1 | [1] |

References