C0012: Operation CuckooBees
Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]
Analyst context for executives and security teams
Operation CuckooBees matters because the ATT&CK record describes a long-running cyber espionage campaign focused on technology and manufacturing organizations and likely aimed at stealing proprietary information, R&D documents, source code, and blueprints. For leaders, the decision value is not only “who did it,” but whether the organization can prove it would notice credential access, domain and host discovery, stealthy command execution, persistence through scheduled tasks, and collection from local systems before sensitive intellectual property is staged or removed.
Executive priority
Prioritize this as an intellectual property and operational resilience scenario for technology, manufacturing, engineering, and supply-chain environments. Executives should ask whether crown-jewel repositories, engineering workstations, build systems, file shares, and Active Directory are covered by usable telemetry and response playbooks. The ATT&CK relationships point to identity abuse, credential access, discovery, stealth, persistence, command-and-control over web protocols, and local data collection, making this relevant to incident readiness, IAM control validation, SOC detection quality, and compliance evidence around access monitoring and protection of sensitive data.
Technical view
ATT&CK does not provide a campaign-level detection section, so defenders should validate coverage through the related software and techniques. The relationship set includes Windows and Active Directory-relevant behaviors such as dsquery, Systeminfo, SAM credential access, Windows Command Shell, Visual Basic, scheduled tasks, domain account abuse, account/group discovery, and multiple host/network discovery techniques. SOC and IR teams should test whether they can correlate discovery bursts, unusual command-line activity, scheduled task creation or modification, credential-access indicators involving SAM material, domain account anomalies, suspicious use of administrative utilities, web-protocol C2-like traffic, and access to sensitive local files or repositories.
Likely telemetry
- Endpoint process creation and command-line logging, especially for command shell, Visual Basic-related execution, systeminfo, dsquery, account/group enumeration, service discovery, and file/directory discovery
- Windows security events and endpoint telemetry related to SAM access, local account activity, domain account use, and privilege context
- Active Directory logs for domain account enumeration, dsquery-like activity, unusual LDAP/query patterns, and anomalous domain account authentication
- Scheduled task creation, modification, execution, and related registry or system event records
- File access telemetry for sensitive local data, engineering files, source code locations, blueprints, R&D documents, and high-value file shares where available
Detection direction
- Build detections around behavior chains rather than single utilities: discovery commands followed by credential access, scheduled task persistence, domain account use, and sensitive file access should be higher priority than isolated administrative commands.
- Tune for false positives from administrators, IT automation, inventory tools, and server management activity; baseline expected use of systeminfo, dsquery, account/group enumeration, service queries, and scheduled tasks by role and host group.
- Validate visibility into Active Directory and identity telemetry, because the relationship set includes domain account abuse and domain account discovery; endpoint-only monitoring may miss the context needed to distinguish legitimate administration from suspicious reconnaissance.
- Review whether command obfuscation and masquerading reduce current detection quality; simple string matching may be insufficient when commands are encoded, renamed, or placed in trusted-looking locations.
- Confirm monitoring covers both host and network discovery, including process, service, network configuration, network connection, remote system, peripheral, file, and directory discovery behaviors.
Mitigation priorities
- Start with crown-jewel mapping: identify systems and repositories holding proprietary information, R&D documents, source code, and blueprints, then confirm logging, access controls, and response ownership for those assets.
- Harden identity and Active Directory controls: reduce unnecessary domain privileges, monitor privileged and service accounts, and review domain account authentication patterns for unusual use.
- Limit credential exposure on endpoints by enforcing least privilege, protecting local administrator access, and monitoring access to SAM-related credential material.
- Control and audit scheduled task usage, command shell execution, scripting activity, and administrative utilities without blocking legitimate operations blindly.
- Improve endpoint and network telemetry retention so IR teams can reconstruct discovery, persistence, credential access, and collection sequences across hosts.
Analyst notes and limits
The campaign description states targeting of technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019, with activity reported as ongoing as of May 2022. Researchers assessed affiliation with Winnti Group, APT41, and BARIUM, but this analysis treats that as a source-provided assessment rather than independent attribution. Relationship context is especially useful here because the campaign object itself has no specified platforms, tactics, or detection text.
No official detection guidance is provided for the campaign object, and the campaign-level platforms and tactics are not specified. Telemetry and control recommendations are inferred only from the supplied ATT&CK relationships and official description; local validation is required to determine actual exposure, logging coverage, and detection effectiveness. The supplied fields do not support claiming current activity, customer exposure, guaranteed detection, or confirmed exploitation in any specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1120 | Peripheral Device Discovery | During Operation CuckooBees, the threat actors used the `fsutil fsinfo drives` command as part of their advanced reconnaissance.[1] |
| Enterprise | T1018 | Remote System Discovery | During Operation CuckooBees, the threat actors used the `net view` and `ping` commands as part of their advanced reconnaissance.[1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | During Operation CuckooBees, the threat actors modified the `IKEEXT` and `PrintNotify` Windows services for persistence.[1] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration.[1] |
| Enterprise | T1133 | External Remote Services | During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: `cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}`.[1] |
| Enterprise | T1083 | File and Directory Discovery | During Operation CuckooBees, the threat actors used `dir c:\` to search for files.[1] |
| Enterprise | T1082 | System Information Discovery | During Operation CuckooBees, the threat actors used the `systeminfo` command to gather details about a compromised system.[1] |
| Enterprise | T1124 | System Time Discovery | During Operation CuckooBees, the threat actors used the `net time` command as part of their advanced reconnaissance.[1] |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During Operation CuckooBees, the threat actors used the `ipconfig`, `nbtstat`, `tracert`, `route print`, and `cat /etc/hosts` commands.[1] |
| Enterprise | T1201 | Password Policy Discovery | During Operation CuckooBees, the threat actors used the `net accounts` command as part of their advanced reconnaissance.[1] |
| Enterprise | T1588.002 | Tool Sub-technique | For Operation CuckooBees, the threat actors obtained publicly available JSP code that was used to deploy a webshell onto a compromised server.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | During Operation CuckooBees, the threat actors renamed a malicious executable to `rundll32.exe` to allow it to blend in with other Windows system files.[1] |
| Enterprise | T1087.001 | Local Account Sub-technique | During Operation CuckooBees, the threat actors used the `net user` command to gather account information.[1] |
| Enterprise | T1033 | System Owner/User Discovery | During Operation CuckooBees, the threat actors used the `query user` and `whoami` commands as part of their advanced reconnaissance.[1] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | During Operation CuckooBees, the threat actors executed an encoded VBScript file.[1] |
| Enterprise | T1087.002 | Domain Account Sub-technique | During Operation CuckooBees, the threat actors used the `dsquery` and `dsget` commands to get domain environment information and to query users in administrative groups.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | During Operation CuckooBees, the threat actors used scheduled tasks to execute batch scripts for lateral movement with the following command: `SCHTASKS /Create /S ...`[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers.[1] |
| Enterprise | T1069.001 | Local Groups Sub-technique | During Operation CuckooBees, the threat actors used the `net group` command as part of their advanced reconnaissance.[1] |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | During Operation CuckooBees, the threat actors stored payloads in Windows CLFS (Common Log File System) transactional logs.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.[1] |
| Enterprise | T1505.003 | Web Shell Sub-technique | During Operation CuckooBees, the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism.[1] |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | During Operation CuckooBees, the threat actors leveraged a custom tool to dump OS credentials and used the following commands to dump the SAM, SYSTEM and SECURITY hives: `reg save HKLM\SYSTEM system.hiv`, `reg save HKLM\SAM sam.hiv`, and `reg save HKLM\SECURITY security.hiv`.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.[1] |
| Enterprise | T1049 | System Network Connections Discovery | During Operation CuckooBees, the threat actors used the `net session`, `net use`, and `netstat` commands as part of their advanced reconnaissance.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | During Operation CuckooBees, the threat actors executed an encoded VBScript file using `wscript` and wrote the decoded output to a text file.[1] |
| Enterprise | T1135 | Network Share Discovery | During Operation CuckooBees, the threat actors used the `net share` command as part of their advanced reconnaissance.[1] |
| Enterprise | T1574.001 | DLL Sub-technique | During Operation CuckooBees, the threat actors used the legitimate Windows services `IKEEXT` and `PrintNotify` to side-load malicious DLLs.[1] |
| Enterprise | T1057 | Process Discovery | During Operation CuckooBees, the threat actors used the `tasklist` command as part of their advanced reconnaissance.[1] |
| Enterprise | T1547.006 | Kernel Modules and Extensions Sub-technique | During Operation CuckooBees, attackers used a signed kernel rootkit to establish additional persistence.[1] |
| Enterprise | T1007 | System Service Discovery | During Operation CuckooBees, the threat actors used the `net start` command as part of their initial reconnaissance.[1] |
| Enterprise | T1005 | Data from Local System | During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks.[1] |
Groups, software, and campaigns
S0105: dsquery
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9f48d5ffdee7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybereason OperationCuckooBees May 2022: Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
[2] mitre-attack C0012: MITRE ATT&CK source object record for this campaign.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.