BRONZE BUTLER
Also known as: REDBALDKNIGHT · Tick
Overview
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.
Targets
Diplomacy · Engineering · Industrial · Infrastructure · Manufacturing · Media · Political party · Private sector
Regions
China · Japan · Russian Federation · South Korea
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
- Custom malware/implant development — ATT&CK: 7 attributed custom malware families
TTPs — 40 techniques across 12 tactics
Resource Development
- T1588.002 Tool
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
Execution
- T1053.002 At
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1548.002 Bypass User Account Control
Stealth
- T1027.001 Binary Padding
- T1027.003 Steganography
- T1036 Masquerading
- T1036.002 Right-to-Left Override
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1140 Deobfuscate/Decode Files or Information
- T1574.001 DLL
Defense Impairment
- T1685 Disable or Modify Tools
Credential Access
- T1003.001 LSASS Memory
Discovery
- T1007 System Service Discovery
- T1018 Remote System Discovery
- T1083 File and Directory Discovery
- T1087.002 Domain Account
- T1124 System Time Discovery
- T1518 Software Discovery
Lateral Movement
- T1080 Taint Shared Content
- T1550.003 Pass the Ticket
Collection
- T1005 Data from Local System
- T1039 Data from Network Shared Drive
- T1113 Screen Capture
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1102.001 Dead Drop Resolver
- T1105 Ingress Tool Transfer
- T1132.001 Standard Encoding
- T1573.001 Symmetric Cryptography
Tools & malware (14)
Mimikatz · build_downer · cmd · ABK · at · BBK · schtasks · down_new · Daserf · Net · ShadowPad · Windows Credential Editor · gsecdump · Avenger
Reporting (3)
- Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data — Chen, J. et al.
- REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography — Chen, J. and Hsieh, M
- BRONZE BUTLER Targets Japanese Enterprises — Counter Threat Unit Research Team