BRONZE BUTLER
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 68 attack patterns (MITRE), 14 malware, 2 sectors, 1 country, 5 indicators, 1 vulnerability (CVE), 7 tools
Aliases
- REDBALDKNIGHT
- Tick
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 3 MITREs · 3 Malwares · 1 APT · Published 31/10/2025 02:16 · Modified 31/10/2025 09:23
Attack patterns (MITRE) (68)
- T1132.001 Standard Encoding (uses)
- T1059.005 Visual Basic (uses)
- T1033 System Owner/User Discovery (uses)
- T1567 Exfiltration Over Web Service (uses)
- T1189 Drive-by Compromise (uses)
- T1204.002 Malicious File (uses)
- T1199 Trusted Relationship (uses)
- T1041 Exfiltration Over C2 Channel (uses)
- T1132 Data Encoding (uses)
- T1574 Hijack Execution Flow (uses)
- T1560.001 Archive via Utility (uses)
- T1547.001 Registry Run Keys / Startup Folder (uses)
- T1566.001 Spearphishing Attachment (uses)
- T1190 Exploit Public-Facing Application (uses)
- T1573 Encrypted Channel (uses)
- T1059.003 Windows Command Shell (uses)
- T1176 Software Extensions (uses)
- T1518 Software Discovery (uses)
- T1548.002 Bypass User Account Control (uses)
- T1105 Ingress Tool Transfer (uses)
- T1135 Network Share Discovery (uses)
- T1039 Data from Network Shared Drive (uses)
- T1573.001 Symmetric Cryptography (uses)
- T1036 Masquerading (uses)
- T1543 Create or Modify System Process (uses)
- T1059.006 Python (uses)
- T1005 Data from Local System (uses)
- T1569 System Services (uses)
- T1053.002 At (uses)
- T1505 Server Software Component (uses)
- T1203 Exploitation for Client Execution (uses)
- T1053.005 Scheduled Task (uses)
- T1120 Peripheral Device Discovery (uses)
- T1570 Lateral Tool Transfer (uses)
- T1588.002 Tool (uses)
- T1080 Taint Shared Content (uses)
- T1550.003 Pass the Ticket (uses)
- T1057 Process Discovery (uses)
- T1195 Supply Chain Compromise (uses)
- T1113 Screen Capture (uses)
- T1007 System Service Discovery (uses)
- T1102.001 Dead Drop Resolver (uses)
- T1071 Application Layer Protocol (uses)
- T1530 Data from Cloud Storage (uses)
- T1059.001 PowerShell (uses)
- T1036.005 Match Legitimate Resource Name or Location (uses)
- T1021.001 Remote Desktop Protocol (uses)
- T1574.001 DLL (uses)
- T1016 System Network Configuration Discovery (uses)
- T1018 Remote System Discovery (uses)
- T1036.002 Right-to-Left Override (uses)
- T1087.002 Domain Account (uses)
- T1133 External Remote Services (uses)
- T1059 Command and Scripting Interpreter (uses)
- T1082 System Information Discovery (uses)
- T1140 Deobfuscate/Decode Files or Information (uses)
- T1083 File and Directory Discovery (uses)
- T1070.004 File Deletion (uses)
- T1071.001 Web Protocols (uses)
- T1003.001 LSASS Memory (uses)
- T1027 Obfuscated Files or Information (uses)
- T1027.003 Steganography (uses)
- T1027.001 Binary Padding (uses)
- T1547 Boot or Logon Autostart Execution (uses)
- T1562.001 Disable or Modify Tools (uses)
- T1124 System Time Discovery (uses)
- T1055 Process Injection (uses)
Malware (14)
- POISONPLUG.SHADOW (uses) · Family · Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
- Tick
- OAED Loader (uses) · Family · Published 31/10/2025 02:16 · Modified 31/10/2025 02:16
- Avenger
- build_downer
- Havoc (uses) · Family · Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
- Daserf
- ShadowPy
- Gokcpdoor (uses) · Family · Published 31/10/2025 02:16 · Modified 31/10/2025 02:16
- ABK
- ReVBShell
- BBK
- down_new
- Netboy
Sectors (2)
- Defense ministries (including the military) (targets)
- Government (targets)
Countries (1)
- Japan (targets)
Indicators (5)
Vulnerabilities (CVE) (1)
Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to …
- Published: 22/10/2025
- Modified: 21/12/2025
Tool (7)
- Net (uses) · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft …
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
- cmd (uses) · The MITRE Corporation · Confidence 100
  [cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to …
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
- at (uses) · The MITRE Corporation · Confidence 100
  [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At) (Citation: Linux at)
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
- Mimikatz (uses) · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
- schtasks (uses) · The MITRE Corporation · Confidence 100
  [schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
- gsecdump (uses) · The MITRE Corporation · Confidence 100
  [gsecdump](https://attack.mitre.org/software/S0008) is a publicly available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
- Windows Credential Editor (uses) · The MITRE Corporation · Confidence 100
  [Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07