Skip to content


TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. 1

Item Value
ID S0164
Associated Names
Version 1.1
Created 16 January 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell TDTESS provides a reverse shell on the victim.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion TDTESS creates then deletes log files during installation of itself as a service.1
enterprise T1070.006 Timestomp After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim’s legitimate svchost.exe file.1
enterprise T1105 Ingress Tool Transfer TDTESS has a command to download and execute an additional file.1

Groups That Use This Software

ID Name References
G0052 CopyKittens 1


Back to top