S0466 WindTail

WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.[1][2][3]

| Item | Value |
|---|---|
| ID | S0466 |
| Associated Names | |
| Version | 1.0 |
| Created | 04 June 2020 |
| Last Modified | 20 April 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | WindTail has the ability to use HTTP for C2 communications.[3] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | WindTail has the ability to use the macOS built-in zip utility to archive files.[3] |
| enterprise | T1119 | Automated Collection | WindTail can identify and add files that possess specific file extensions to an array for archiving.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | WindTail can use the open command to execute an application.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | WindTail has the ability to decrypt strings using hard-coded AES keys.[2] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | WindTail has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl.[3] |
| enterprise | T1083 | File and Directory Discovery | WindTail has the ability to enumerate the user's home directory and the path to its own application bundle.[2][3] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | WindTail can instruct the OS to execute an application without a dock icon or menu.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | WindTail has the ability to receive and execute a self-delete command.[3] |
| enterprise | T1036 | Masquerading | WindTail has used icons mimicking MS Office files to mask payloads.[2] |
| enterprise | T1036.001 | Invalid Code Signature | WindTail has been incompletely signed with revoked certificates.[2] |
| enterprise | T1106 | Native API | WindTail can invoke the Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.[3] |
| enterprise | T1027 | Obfuscated Files or Information | WindTail can be delivered as a compressed, encrypted, and encoded payload.[3] |
| enterprise | T1124 | System Time Discovery | WindTail has the ability to generate the current date and time.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0112 | Windshift | [1][2][3] |