Home
Software
SysUpdate

SysUpdate

SysUpdate is a backdoor written in C++ that has been used byThreat Group-3390 since at least 2020.^[1]

ID: S0663

ⓘ

Associated Software: HyperSSL, Soldier, FOCUSFJORD

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows, Linux

Version: 1.3

Created: 29 November 2021

Last Modified: 21 October 2025

Version Permalink

Live Version

Associated Software Descriptions

Name	Description
HyperSSL	^[1]
Soldier	^[1]
FOCUSFJORD	^[1]

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.004	Application Layer Protocol:DNS	SysUpdate has used DNS TXT requests as for its C2 communication.^[2]
Enterprise	T1547	.001	Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder	SysUpdate can use a Registry Run key to establish persistence.^[1]
Enterprise	T1543	.002	Create or Modify System Process:Systemd Service	SysUpdate can copy a script to the user owned`/usr/lib/systemd/system/` directory with a symlink mapped to a`root` owned directory,`/etc/ystem/system`, in the unit configuration file's`ExecStart` directive to establish persistence and elevate privileges.^[2]
		.003	Create or Modify System Process:Windows Service	SysUpdate can create a service to establish persistence.^[1]
Enterprise	T1132	.001	Data Encoding:Standard Encoding	SysUpdate has used Base64 to encode its C2 traffic.^[2]
Enterprise	T1005		Data from Local System	SysUpdate can collect information and files from a compromised host.^[2]
Enterprise	T1140		Deobfuscate/Decode Files or Information	SysUpdate can deobfuscate packed binaries in memory.^[1]
Enterprise	T1573	.001	Encrypted Channel:Symmetric Cryptography	SysUpdate has used DES to encrypt all C2 communications.^[2]
Enterprise	T1041		Exfiltration Over C2 Channel	SysUpdate has exfiltrated data over its C2 channel.^[2]
Enterprise	T1083		File and Directory Discovery	SysUpdate can search files on a compromised host.^[1]^[2]
Enterprise	T1564	.001	Hide Artifacts:Hidden Files and Directories	SysUpdate has the ability to set file attributes to hidden.^[1]
Enterprise	T1574	.001	Hijack Execution Flow:DLL	SysUpdate can load DLLs through vulnerable legitimate executables.^[1]
Enterprise	T1070	.004	Indicator Removal:File Deletion	SysUpdate can delete its configuration file from the targeted system.^[1]
Enterprise	T1105		Ingress Tool Transfer	SysUpdate has the ability to download files to a compromised host.^[1]^[2]
Enterprise	T1680		Local Storage Discovery	SysUpdate can collect a system's drive information.^[1]^[2]
Enterprise	T1036	.004	Masquerading:Masquerade Task or Service	SysUpdate has named their unit configuration file similarly to other unit files residing in the same directory,`/usr/lib/systemd/system/`, to appear benign.^[2]
Enterprise	T1112		Modify Registry	SysUpdate can write its configuration file to`Software\Classes\scConfig` in either`HKEY_LOCAL_MACHINE` or`HKEY_CURRENT_USER`.^[1]
Enterprise	T1106		Native API	SysUpdate can call the`GetNetworkParams` API as part of its C2 establishment process.^[2]
Enterprise	T1027	.002	Obfuscated Files or Information:Software Packing	SysUpdate has been packed with VMProtect.^[1]^[2]
		.011	Obfuscated Files or Information:Fileless Storage	SysUpdate can store its encoded configuration file within`Software\Classes\scConfig` in either`HKEY_LOCAL_MACHINE` or`HKEY_CURRENT_USER`.^[1]
		.013	Obfuscated Files or Information:Encrypted/Encoded File	SysUpdate can encrypt and encode its configuration file.^[1]
Enterprise	T1057		Process Discovery	SysUpdate can collect information about running processes.^[2]
Enterprise	T1113		Screen Capture	SysUpdate has the ability to capture screenshots.^[1]
Enterprise	T1553	.002	Subvert Trust Controls:Code Signing	SysUpdate has been signed with stolen digital certificates.^[2]
Enterprise	T1082		System Information Discovery	SysUpdate can collect a system's architecture, operating system version, and hostname.^[1]^[2]
Enterprise	T1016		System Network Configuration Discovery	SysUpdate can collected the IP address and domain name of a compromised host.^[2]
		.001	Internet Connection Discovery	SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.^[2]
Enterprise	T1033		System Owner/User Discovery	SysUpdate can collect the username from a compromised host.^[2]
Enterprise	T1007		System Service Discovery	SysUpdate can collect a list of services on a victim machine.^[2]
Enterprise	T1569	.002	System Services:Service Execution	SysUpdate can manage services and processes.^[1]
Enterprise	T1047		Windows Management Instrumentation	SysUpdate can use WMI for execution on a compromised host.^[1]

Groups That Use This Software

ID	Name	References
G0027	Threat Group-3390	^[1]

References

Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.