Microcin
Microcin is a Trojan malware family associated with the Chinese-speaking threat actor SixLittleMonkeys. Kaspersky described it as a Trojan used exclusively by SixLittleMonkeys, and reported an active campaign in which the group used a new version of Microcin together with a RAT named HawkEye as the last stager. The tracked sources also link Microcin to activity related to the ExCone/DexCone cluster and note that the same broader actor targeted Russian government institutions and later Russian educational institutions via spear-phishing campaigns. Securelist specifically cites Microcin as one of several malware families that use steganography. In the MoonBounce investigation, Kaspersky found Microcin in the same victim environment as the MoonBounce UEFI implant and other malware, but assessed the connection between Microcin and MoonBounce with only low confidence. Beyond its classification as a Trojan and its use of steganography, the tracked sources provide no high-confidence behavioral details.
Recent activity
Malware family mentioned as using steganography to hide data or communications.
Trojan described as used exclusively by SixLittleMonkeys.
Additional implant observed in the same environment, with a timeline overlap suggesting a low-confidence relationship or shared resources with the MoonBounce/ScrambleCross activity; a similarity in scheduling logic between Microcin and MoonBounce's user-mode stager was also noted.
Trojan used in espionage campaigns, often as an initial stage loader.