Clankerusecase
MITRE ATT&CK detection coverage

T1102.001 Dead Drop Resolver

T1102.001 — Dead Drop Resolver is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 10 detection use cases covering it and 8 threat-intel articles citing it.

Command and Control
10 Use cases
8 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (10)

[LLM] VS Code/Cursor extension host fetches dropper from nrwl/nx orphan commit on GitHub | Bespoke install · hunting | DSΣPDDCS
[LLM] macOS Python backdoor persistence via kitty-monitor LaunchAgent and cat.py drop | Bespoke install · alerting | DSΣPDDCS
[LLM] Outbound fetch of attacker-controlled autoimport VSIX from ColossusQuailPray GitHub release | Bespoke delivery · alerting | DSΣPDD
[LLM] node.exe contacting Solana JSON-RPC endpoints (suspected blockchain dead-drop C2) | Bespoke c2 · hunting | DSPDDCS
[LLM] ForceMemo: Python process queries Solana mainnet RPC endpoint (blockchain dead-drop C2) | Bespoke c2 · alerting | DSΣPDD
[LLM] GlassWorm Solana blockchain dead-drop C2 lookup via public RPC endpoints from Node | Bespoke c2 · hunting | DSΣPDDCS
[LLM] VSCode-family host fetching from raw.githubusercontent.com/BlokTrooper/extension path | Bespoke delivery · hunting | DSΣPDDCS
[LLM] DRILLAPP C2 staging: msedge.exe contacting pastefy.app | Bespoke c2 · alerting | DSΣPDDCS
[LLM] Inbound email with HTML attachment linking to unpkg.com Beamglea package | Bespoke delivery · alerting | DSP
[LLM] Beamglea mad-* dead-drop fetch from raw.githubusercontent.com/Abassdos2992 | Bespoke c2 · alerting | DSΣPDDCS

Articles citing this technique (8)