Skip to content

S0134 Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. 1

Item Value
ID S0134
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Downdelph bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database.1
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Downdelph uses RC4 to encrypt C2 responses.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.1
enterprise T1105 Ingress Tool Transfer After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.1

Groups That Use This Software

ID Name References
G0007 APT28 12


Back to top