Skip to content

S0068 httpclient

httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. 1

Item Value
ID S0068
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols httpclient uses HTTP for command and control.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell httpclient opens cmd.exe on the victim.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography httpclient encrypts C2 content with XOR using a single byte, 0x12.1

Groups That Use This Software

ID Name References
G0024 Putter Panda 1


Back to top