Skip to content

S0280 MirageFox

MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. 1

Item Value
ID S0280
Associated Names
Type MALWARE
Version 1.1
Created 17 October 2018
Last Modified 22 July 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell MirageFox has the capability to execute commands using cmd.exe.1
enterprise T1140 Deobfuscate/Decode Files or Information MirageFox has a function for decrypting data containing C2 configuration information.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary.1
enterprise T1082 System Information Discovery MirageFox can collect CPU and architecture information from the victim’s machine.1
enterprise T1033 System Owner/User Discovery MirageFox can gather the username from the victim’s machine.1

Groups That Use This Software

ID Name References
G0004 Ke3chang 1

References