Skip to content


DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).1

Item Value
ID S1052
Version 1.0
Created 20 December 2022
Last Modified 07 April 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell DEADEYE can run cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll to combine separated sections of code into a single DLL prior to execution.1
enterprise T1140 Deobfuscate/Decode Files or Information DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.1
enterprise T1480 Execution Guardrails DEADEYE can ensure it executes only on intended systems by identifying the victim’s volume serial number, hostname, and/or DNS domain.1
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes The DEADEYE.EMBED variant of DEADEYE can embed its payload in an alternate data stream of a local file.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service DEADEYE has used schtasks /change to modify scheduled tasks including \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.1
enterprise T1106 Native API DEADEYE can execute the GetComputerNameA and GetComputerNameExA WinAPI functions.1
enterprise T1027 Obfuscated Files or Information DEADEYE has encrypted its payload.1
enterprise T1027.009 Embedded Payloads
The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.1
enterprise T1053 Scheduled Task/Job DEADEYE has used the scheduled tasks \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared
to establish persistence.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec DEADEYE can use msiexec.exe for execution of malicious DLL.1
enterprise T1218.011 Rundll32 DEADEYE can use rundll32.exe for execution of living off the land binaries (lolbin) such as SHELL32.DLL.1
enterprise T1082 System Information Discovery DEADEYE can enumerate a victim computer’s volume serial number and host name.1
enterprise T1016 System Network Configuration Discovery DEADEYE can discover the DNS domain name of a targeted system.1

Groups That Use This Software

ID Name References
G0096 APT41 1