1. Home
  2. Software
  3. UPPERCUT

UPPERCUT

UPPERCUT is a 32-bit HTTP-based backdoor that has been used by menuPass since at least 2017.[1] Once thought to be exclusive to menuPass, UPPERCUT was also observed being used by menuPass-associated MirrorFace during Operation AkaiRyū.[2]

ID: S0275
Associated Software: ANEL
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 17 October 2018
Last Modified: 12 May 2026

Associated Software Descriptions

Name Description
ANEL

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

UPPERCUT contains functionality to bypass UAC.[3][2]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

UPPERCUT has used HTTP for C2, including sending error codes in cookie headers.[1][2][4]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

UPPERCUT uses cmd.exe to execute commands on the victim’s machine.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

UPPERCUT can base64 encode C2 communications.[2]
Enterprise T1005 Data from Local System

UPPERCUT can upload files to the C2 from infected machines.[3][2]
Enterprise T1678 Delay Execution

UPPERCUT can use a sleep function to delay execution.[3][2]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Some versions of UPPERCUT have used the hard-coded string "this is the encrypt key" for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.[1] UPPERCUT has also used custom ChaCha20, XOR, and LZO algorithms for C2 communication.[3][2]
Enterprise T1083 File and Directory Discovery

UPPERCUT has the capability to gather the victim's current directory.[1]
Enterprise T1574 .001 Hijack Execution Flow: DLL

UPPERCUT has been sideloaded through a legitimately signed application from the JustSystems Corporation.[4]
Enterprise T1105 Ingress Tool Transfer

UPPERCUT can download and upload files to and from the victim’s machine.[1][3][2]
Enterprise T1113 Screen Capture

UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.[1][3][2][4]
Enterprise T1082 System Information Discovery

UPPERCUT has the capability to gather the system’s hostname and OS version.[1][2]
Enterprise T1016 System Network Configuration Discovery

UPPERCUT has the capability to gather the victim's proxy information.[1]
Enterprise T1033 System Owner/User Discovery

UPPERCUT has the capability to collect the current logged on user’s username from a machine.[1]
Enterprise T1124 System Time Discovery

UPPERCUT has the capability to obtain the time zone information and the current timestamp of the victim’s machine.[1]

Groups That Use This Software

ID Name References
G0045 menuPass

menuPass has used UPPERCUT during operations.[1]
G1054 MirrorFace

[3][2][4]

Campaigns

ID Name Description
C0060 Operation AkaiRyū

During Operation AkaiRyū, MirrorFace used UPPERCUT.[2][4]

References

  1. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  2. Hiroaki, H. (2024, November 26). Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.
  1. Hiroaki, H. (2025, April 30). Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan. Retrieved April 17, 2026.
  2. Dominik Breitenbacher. (2025, March 18). Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.