C0006: Operation Honeybee
Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[1]
Analyst context for executives and security teams
Operation Honeybee is an ATT&CK campaign describing activity from late 2017 to early 2018 against humanitarian aid and inter-Korean affairs organizations, initially in South Korea and later in several other countries. Its defensive value is less about a current threat claim and more about validating whether the organization can recognize a document-led intrusion that moves from user execution into Windows command-line activity, discovery, registry changes, local staging, tool transfer, command-and-control, and possible exfiltration.
Executive priority
Leaders should treat this as a readiness test for high-risk social-engineering scenarios involving mission-focused lures and sensitive data. The priority questions are: can the business prove it collects enough endpoint, email/document, command-line, registry, service, and network evidence to reconstruct this chain; can incident responders quickly determine whether data was staged or exfiltrated; and are controls around user-opened files, Windows administration utilities, and outbound file-transfer-style traffic auditable enough for compliance and crisis decision-making?
Technical view
ATT&CK provides no campaign-specific detection text and no platform on the campaign object itself. Relationship context, however, links Operation Honeybee to Windows-relevant software and behaviors including cmd, Reg, Tasklist, Systeminfo, SYSCON, malicious files, Visual Basic execution, registry modification, Windows service persistence, process/system/file discovery, local data staging, ingress tool transfer, C2 over file transfer protocols, exfiltration over C2, encoded files, masquerading, decoding, and file deletion. SOC and IR teams should validate chained visibility rather than single indicators: user-opened document or file events followed by script or command-shell execution, discovery utilities, registry/service changes, suspicious file writes or staging directories, tool download/transfer, cleanup, and outbound communications consistent with C2 or file-transfer protocols.
Likely telemetry
- Email security and attachment metadata, especially document delivery and user-open events where available
- Endpoint process creation telemetry with command-line arguments for cmd, tasklist, systeminfo, reg, Visual Basic-related execution, and child processes from document applications
- Windows Registry audit events for added, modified, or removed keys and values
- Windows service creation or modification events, including service binary paths and recovery commands
- File system events for encoded or masqueraded files, dropped tools, local staging locations, and file deletion
Detection direction
- Build detections around behavior chains, not only campaign names or historical indicators, because the ATT&CK object does not provide detection logic.
- Prioritize correlations where a user-opened file is followed by command-shell, Visual Basic, registry, service, discovery, staging, or network transfer activity.
- Tune for legitimate administrative use of cmd, reg, tasklist, and systeminfo; the detection value increases when these utilities execute from unusual parent processes, user contexts, paths, or time windows.
- Validate coverage for masquerading and encoded files by checking whether file names, locations, metadata, and decoded content are captured sufficiently for investigation.
- Review outbound file transfer protocol visibility and whether exfiltration over an existing C2 channel would be distinguishable from normal business traffic.
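As an added illustration (not code from the ATT&CK object or from Glexia), the chain correlation described above sketched in Python and run over constructed Sysmon-style events; the event schema, the stage names, the 15-minute window and the COMSysApp `ServiceDll` registry path are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Sysmon-style events (not real telemetry), keyed by host and ISO timestamp.
EVENTS = [
    {"host": "ws01", "ts": "2018-01-10T09:01:00", "type": "process",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c systeminfo > %temp%\temp.ini"},
    {"host": "ws01", "ts": "2018-01-10T09:01:05", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c tasklist > %temp%\temp.ini"},
    {"host": "ws01", "ts": "2018-01-10T09:03:00", "type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters\ServiceDll",
     "details": r"C:\Windows\System32\ipnet.dll"},
    # Routine admin use from Explorer with no redirect into %temp%: matches no stage.
    {"host": "ws02", "ts": "2018-01-10T11:00:00", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c systeminfo"},
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# systeminfo/tasklist output redirected into %temp%, the form quoted in the page's procedure rows.
DISCOVERY_TO_TEMP = re.compile(r"\b(systeminfo|tasklist)\b.*>\s*%temp%", re.I)
# ServiceDll of any service (COMSysApp in the campaign) being rewritten to a new DLL path (assumed key layout).
SERVICE_DLL = re.compile(r"\\services\\[^\\]+\\parameters\\servicedll$", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()
def stage(ev: dict):
    """Return the name of the chain stage an event matches, or None."""
    if ev["type"] == "process":
        if basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) in SHELLS:
            return "doc_spawned_shell"
        if basename(ev["image"]) == "cmd.exe" and DISCOVERY_TO_TEMP.search(ev["cmdline"]):
            return "discovery_to_temp"
    elif ev["type"] == "registry" and SERVICE_DLL.search(ev["target"]):
        return "service_dll_modified"
    return None

def correlate(events, window=timedelta(minutes=15)):
    """Alert on hosts where two or more distinct stages fall within `window` of the first match."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (s := stage(ev)) is not None:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), s))
    alerts = {}
    for host, hits in per_host.items():
        stages = {s for t, s in hits if t - hits[0][0] <= window}
        if len(stages) >= 2:  # one stage alone (e.g. an admin running tasklist) is not an alert
            alerts[host] = sorted(stages)
    return alerts
```

Tuning for legitimate administration happens in `stage` (parent process, redirect target) and in the chain requirement in `correlate`, which is where the single-utility false positive from `ws02` is dropped.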
Mitigation priorities
- Strengthen controls and user safeguards for malicious files, including attachment handling, document execution restrictions, and user reporting workflows.
- Harden and monitor Windows administrative utilities and scripting paths used in the relationship context, especially cmd, reg, Visual Basic execution paths, service creation, and registry modification.
- Ensure endpoint logging captures process command lines, registry changes, service changes, file writes/deletions, and parent-child process relationships needed for reconstruction.
- Restrict and monitor unnecessary outbound file transfer protocols and investigate unusual external transfers from endpoints that recently executed suspicious files or discovery commands.
- Prepare IR playbooks that quickly answer whether sensitive local data was discovered, staged, transferred in, transferred out, or deleted.
Analyst notes and limits
The supplied ATT&CK description identifies targeting of humanitarian aid and inter-Korean affairs organizations from late 2017 through early 2018, with expansion across several countries. Researchers assessed the actors were likely Korean speakers based on metadata in lure documents and executables, but this analysis does not extend that into attribution beyond the supplied wording. The strongest defensive signal comes from the related techniques and software rather than from campaign-specific detection guidance.
ATT&CK provides no official detection section, no campaign-level tactics, and no campaign-level platforms for this object. Several related techniques list broad platform coverage, but local applicability depends on the environment. Any coverage statement requires validation against the organization’s actual telemetry, controls, retention, and normal administrative behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1585.002 | Email Accounts Sub-technique | During Operation Honeybee, attackers created email addresses to register for a free account for a control server used for the implants.[1] |
| Enterprise | T1083 | File and Directory Discovery | During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords.[1] |
| Enterprise | T1106 | Native API | During Operation Honeybee, the threat actors deployed malware that used API calls, including `CreateProcessAsUser`.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | During Operation Honeybee, stolen data was copied into a text file using the format `From |
| Enterprise | T1583.001 | Domains Sub-technique | During Operation Honeybee, threat actors registered domains for C2.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.[1] |
| Enterprise | T1553.002 | Code Signing Sub-technique | During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers.[1] |
| Enterprise | T1112 | Modify Registry | During Operation Honeybee, the threat actors used batch files that modified registry keys.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During Operation Honeybee, various implants used batch scripting and `cmd.exe` for execution.[1] |
| Enterprise | T1082 | System Information Discovery | During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using `cmd /c systeminfo > %temp%\temp.ini`.[1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | During Operation Honeybee, threat actors ran |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration.[1] |
| Enterprise | T1574.011 | Services Registry Permissions Weakness Sub-technique | During Operation Honeybee, the threat actors used a batch file that modified the COMSysApp service to load a malicious ipnet.dll payload and to load a DLL into the `svchost.exe` process.[1] |
| Enterprise | T1588.004 | Digital Certificates Sub-technique | For Operation Honeybee, the threat actors stole a digital signature from Adobe Systems to use with their MaoCheng dropper.[1] |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | During Operation Honeybee, the threat actors had the ability to use FTP for C2.[1] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and `cliconfig.exe` to bypass UAC protections.[1] |
| Enterprise | T1005 | Data from Local System | During Operation Honeybee, the threat actors collected data from compromised hosts.[1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | During Operation Honeybee, threat actors installed DLLs and backdoors as Windows services.[1] |
| Enterprise | T1583.004 | Server Sub-technique | For Operation Honeybee, at least one identified persona was used to register for a free account for a control server.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | During Operation Honeybee, threat actors relied on a victim to enable macros within a malicious Word document.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant.[1] |
| Enterprise | T1057 | Process Discovery | During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using `cmd /c tasklist > %temp%\temp.ini`.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During Operation Honeybee, malicious files were decoded prior to execution.[1] |
| Enterprise | T1036 | Masquerading | During Operation Honeybee, the threat actors modified the MaoCheng dropper so its icon appeared as a Word document.[1] |
Groups, software, and campaigns
S0464: SYSCON
S0075: Reg
S0057: Tasklist
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]
S0106: cmd
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e91e1bb369de… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] McAfee Honeybee. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
[2] mitre-attack C0006.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.