{"description": "Enterprise techniques used by UPPERCUT, ATT&CK software S0275 (v2.0)", "name": "UPPERCUT (S0275)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) contains functionality to bypass UAC.(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has used HTTP for C2, including sending error codes in cookie headers.(Citation: FireEye APT10 Sept 2018)(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) uses cmd.exe to execute commands on the victim\u2019s machine.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) can base64 encode C2 communications.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) can upload files to the C2 from infected machines.(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) can use a sleep function to delay execution.(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "Some versions of [UPPERCUT](https://attack.mitre.org/software/S0275) have used the hard-coded string \u201cthis is the encrypt key\u201d for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.(Citation: FireEye APT10 Sept 2018) [UPPERCUT](https://attack.mitre.org/software/S0275) has also used custom ChaCha20, XOR, and LZO algorithms for C2 communication.(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to gather the victim's current directory.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has been sideloaded through a legitimately signed application from the JustSystems Corporation.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) can download and upload files to and from the victim\u2019s machine.(Citation: FireEye APT10 Sept 2018)(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) can capture desktop screenshots in the PNG format and send them to the C2 server.(Citation: FireEye APT10 Sept 2018)(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to gather the system\u2019s hostname and OS version.(Citation: FireEye APT10 Sept 2018)(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to gather the victim's proxy information.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to collect the current logged on user\u2019s username from a machine.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to obtain the time zone information and the current timestamp of the victim\u2019s machine.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by UPPERCUT", "color": "#66b1ff"}]}