Denis
Denis is a backdoor associated with OceanLotus/APT32, also referred to as SOUNDBITE in the provided content. It is described as implementing DNS tunneling for command-and-control communications. Observed capabilities include Base64-encoding data sent to its server, decrypting strings used for C2 communication, querying Windows Registry keys and values to gather system information, collecting the victim username, gathering the system IP address via ipconfig, launching a remote shell to execute arbitrary commands, deleting files from the victim machine, and anti-debugging through IsDebuggerPresent, OutputDebugString, and SetLastError. The malware has a PowerShell version, including Base64-encoded PowerShell commands. Execution and evasion behaviors noted in the content include dynamic API resolution via LoadLibrary and GetProcAddress, exploitation of a security vulnerability to load a fake DLL and execute its code, and process hollowing using CreateRemoteThread, ResumeThread, and Wow64SetThreadContext. The content places Denis among OceanLotus/APT32 malware and tools, alongside Ratsnif and other implants. High-confidence indicators from the content are behavioral rather than network IOCs: DNS-tunneled C2, Base64-encoded outbound data, registry queries, remote shell functionality, file deletion, fake DLL loading, and process hollowing APIs including Wow64SetThreadContext.
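The DNS-tunneled, Base64-encoded C2 pattern summarized above is something a defender can look for in resolver logs. The following detector is an added example, not code from this page or from any analysis of Denis; it scores each query by label length, Base64-like character set and label entropy. The log format, the `example-c2.net` domains, and the thresholds are constructed assumptions, not real indicators.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (assumed format: "<client_ip> <qname> <qtype>").
# The example-c2.net lines are fabricated to mimic Base64 data in subdomain labels.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.YWRkaXRpb25hbCBkYXRhIGhlcmU.t.example-c2.net TXT
10.0.0.7 dXNlcj1hZG1pbjtpcD0xMC4wLjAuNw.sub.example-c2.net A
10.0.0.9 cdn.static-assets.example.org A
"""

# Long run of Base64 / URL-safe Base64 characters; 20 is an assumed threshold.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
ENTROPY_THRESHOLD = 3.8   # assumed; tune against your own baseline of benign names
MAX_QNAME_LEN = 60        # assumed; legitimate names are usually far shorter

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def score_query(qname, qtype):
    """Return the reasons a query looks like tunnelling; an empty list means benign."""
    labels = qname.rstrip(".").split(".")
    # Treat the last two labels as the registrable domain (simplification; use a
    # public-suffix list in production) and inspect everything to the left of it.
    host_labels = labels[:-2]
    payload = "".join(host_labels)
    reasons = []
    if len(qname) > MAX_QNAME_LEN:
        reasons.append("long qname")
    if any(BASE64_LABEL.match(label) for label in host_labels):
        reasons.append("base64-like label")
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high entropy")
    if qtype == "TXT" and reasons:
        reasons.append("TXT lookup with encoded label")  # typical tunnelling downlink
    return reasons

def flag_tunnelling(log_text):
    """Parse the log and return (client, qname, reasons) for each suspicious query."""
    flagged = []
    for line in log_text.splitlines():
        client, qname, qtype = line.split()
        reasons = score_query(qname, qtype)
        if reasons:
            flagged.append((client, qname, reasons))
    return flagged
```

Running `flag_tunnelling(SAMPLE_DNS_LOG)` flags only the two `10.0.0.7` queries; in practice, pair such scoring with volume-per-domain counts, since a single odd-looking name is weak evidence on its own.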
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Its well-known tools include Denis (aka SOUNDBITE), implementing DNS tunneling for C&C communications...
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
4 techniques
Key TTPs: DLL hollowing that overwrites memory within the legitimate xpsservices.dll system library for silent payload execution under a trusted process name; the Notion cloud platform used as a C2 channel, with instructions embedded in Notion pages; registry persistence and scheduled task creation.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
"AppleJeus ... has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence." / "APT41 ... has used search order hijacking to execute malicious payloads" / "Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons."
Persistence
2 techniques
Privilege Escalation
4 techniques
Stealth
8 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
"Denis ... used the Wow64SetThreadContext API as part of a process hollowing process"; "DarkGate can call kernel mode functions directly to hide the use of process hollowing methods"
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
DLL hollowing that overwrites memory within the legitimate xpsservices.dll system library for silent payload execution under a trusted process name.
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Command and Control
3 techniques
The Notion cloud platform used as a C2 channel, with instructions embedded in Notion pages.
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor used by OceanLotus that implements DNS tunneling for command-and-control communications.
Backdoor listed as part of the OceanLotus malware toolkit used in campaigns targeting Chinese entities.
Backdoor with a PowerShell-based variant.
Malware that encodes its PowerShell commands in Base64.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.