
S0459 MechaFlounder

MechaFlounder is a Python-based remote access tool (RAT) that has been used by APT39. The payload combines actor-developed code with code snippets freely available online in development communities. [1]

Item | Value
ID | S0459
Associated Names | (none listed)
Version | 1.0
Created | 27 May 2020
Last Modified | 28 May 2020

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071 | Application Layer Protocol | -
Enterprise | T1071.001 | Web Protocols | MechaFlounder has the ability to use HTTP in communication with C2. [1]
Enterprise | T1059 | Command and Scripting Interpreter | -
Enterprise | T1059.003 | Windows Command Shell | MechaFlounder has the ability to run commands on a compromised host. [1]
Enterprise | T1059.006 | Python | MechaFlounder uses a Python-based payload. [1]
Enterprise | T1132 | Data Encoding | -
Enterprise | T1132.001 | Standard Encoding | MechaFlounder has the ability to use base16-encoded strings in C2. [1]
Enterprise | T1041 | Exfiltration Over C2 Channel | MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2. [1]
Enterprise | T1105 | Ingress Tool Transfer | MechaFlounder has the ability to upload and download files to and from a compromised host. [1]
Enterprise | T1036 | Masquerading | -
Enterprise | T1036.005 | Match Legitimate Name or Location | MechaFlounder has been downloaded as a file named lsass.exe, which matches the name of the legitimate Windows file. [1]
Enterprise | T1033 | System Owner/User Discovery | MechaFlounder has the ability to identify the username and hostname on a compromised host. [1]

Groups That Use This Software

ID | Name | References
G0087 | APT39 | [1]