S1041 Chinoxy

Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors. [1]

| Item | Value |
|---|---|
| ID | S1041 |
| Associated Names | |
| Version | 1.0 |
| Created | 21 September 2022 |
| Last Modified | 10 October 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Chinoxy has established persistence via the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key and by loading a dropper to `%COMMON_STARTUP%\\eoffice.exe`. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | The Chinoxy dropping function can initiate decryption of its config file. [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Chinoxy can use a digitally signed binary (“Logitech Bluetooth Wizard Host Process”) to load its DLL into memory. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Chinoxy has used the name eoffice.exe in an attempt to appear as a legitimate file. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Chinoxy has encrypted its configuration file. [1] |