Skip to content


LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. 1

Item Value
ID S0042
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols LOWBALL command and control occurs via HTTPS over port 443.1
enterprise T1105 Ingress Tool Transfer LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication LOWBALL uses the Dropbox cloud storage service for command and control.1

Groups That Use This Software

ID Name References
G0018 admin@338 1


Back to top