Skip to content

S0131 TINYTYPHON

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. 1

Item Value
ID S0131
Type MALWARE
Version 1.0
Created 31 May 2017
Last Modified 17 October 2018
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1020 Automated Exfiltration When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder TINYTYPHON installs itself under Registry Run key to establish persistence.1
enterprise T1083 File and Directory Discovery TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.1
enterprise T1027 Obfuscated Files or Information TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.1

Groups That Use This Software

ID Name References
G0040 Patchwork 1

References