Skip to main content
Mallory
Back to malware
MalwareUsed by 2 actors

Potato suite

Potato Suite is a collection of privilege-escalation tools referenced in reporting on multiple China-linked intrusion sets. In the provided content, it is used to attempt escalation to SYSTEM privileges on compromised Windows hosts, including during attacks against Microsoft IIS servers. ReliaQuest reported that the China-linked espionage cluster OP-512 used Potato Suite in post-compromise privilege-escalation attempts after deploying web shells on legacy IIS environments, including a Windows Server 2016 system with an outdated .NET Framework. Palo Alto Networks Unit 42 and related reporting also list Potato Suite among the common tools used by the Chinese state-sponsored actor Phantom Taurus alongside China Chopper and Impacket. The content does not provide specific module names, infection vectors, or standalone indicators of compromise for Potato Suite itself.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
OP-512

OP-512 also attempts privilege escalation to the SYSTEM level using the Potato Suite.

via scworldscworld.com
Phantom Taurus

“The group uses common Chinese nation-state hacking tools such as the China Chopper web shell, Potato suite and Impacket...”

via bank info securitybankinfosecurity.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068Exploitation for Privilege EscalationEvidence2
TacticPrivilege Escalation

OP-512 also attempts privilege escalation to the SYSTEM level using the Potato Suite.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
scworldNews
Jun 5, 2026
New China-linked threat cluster OP-512 targets Microsoft IIS servers | brief | SC Media

A post-exploitation privilege escalation toolkit used to elevate access to SYSTEM on compromised Windows hosts.

Read more
ctoatncsc substackNews
Oct 4, 2025
CTO at NCSC Summary: week ending October 5th

Collection of Windows privilege-escalation tools referenced as used by Phantom Taurus.

Read more
bank info securityNews
Sep 30, 2025
China's 'Phantom Taurus' Hacks Middle East

Collection of Windows privilege-escalation tools (commonly leveraging token/impersonation techniques) used post-compromise to elevate privileges.

Read more
govinfosecurityNews
Sep 30, 2025
China's 'Phantom Taurus' Hacks Middle East

Collection of Windows privilege-escalation tools (commonly leveraging token/impersonation techniques) used post-compromise to elevate privileges.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.