G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
Analyst context for executives and security teams
BRONZE BUTLER is an ATT&CK group entry for a long-running cyber espionage actor described by MITRE as likely Chinese in origin and primarily focused on Japanese organizations, especially government, biotechnology, electronics manufacturing, and industrial chemistry. The business relevance is not a single exploit; it is the pattern of espionage tradecraft tied to credential theft, Windows command-line administration, scheduled execution, backdoors/downloaders, data discovery, and stealth techniques. Organizations with similar sector, geography, supplier, or partner exposure should use this entry to validate whether identity, endpoint, and network monitoring can support an investigation if comparable behaviors appear.
Executive priority
Treat this as a resilience and intelligence-prioritization signal, not proof of exposure. Leadership should ask whether high-value intellectual property, government-facing operations, manufacturing environments, and Japan-connected business units have sufficient credential protection, endpoint visibility, network-share governance, and incident response evidence retention. Budget decisions should prioritize controls that reduce credential dumping risk, detect suspicious use of native administration tools, and preserve logs needed to prove whether data access or staging occurred.
Technical view
ATT&CK does not provide a dedicated detection section for this group, so SOC and IR teams should pivot from the relationships. BRONZE BUTLER is linked to Windows-focused credential dumping tools such as Mimikatz, Windows Credential Editor, and gsecdump; native utilities such as cmd, Net, at, and schtasks; backdoors/downloaders including Daserf, ABK, BBK, build_downer, down_new, Avenger, and ShadowPad; and techniques including LSASS Memory, local and network-share data collection, system service and remote system discovery, masquerading, RTLO, binary padding, and steganography. Validate whether detections correlate suspicious process execution, credential-access indicators, scheduled task creation, discovery commands, unusual access to shares, and anomalous files or media used for concealment.
Likely telemetry
- Windows endpoint process creation and command-line logging for cmd, net, at, schtasks, service discovery, and remote system discovery activity
- Security events and EDR telemetry related to LSASS access, credential dumping tools, suspicious handle access, memory dumping, or abnormal credential material access
- Scheduled task creation, modification, and execution logs
- Service enumeration and system discovery command activity
- File creation, rename, metadata, path, and extension telemetry to support masquerading, RTLO, binary padding, and suspicious placement analysis
Detection direction
- Prioritize behavior-based analytics over hashes because the relationship set includes public tools, native Windows utilities, masquerading, padding, and steganography that can weaken simple signature matching.
- Tune for suspicious combinations: credential access followed by discovery, scheduled execution, network-share browsing, or outbound downloader/backdoor activity from the same host or account.
- Establish baselines for legitimate administrative use of cmd, Net, at, and schtasks; false positives are likely where IT operations use these tools routinely.
- Validate that LSASS access detections include both known tools and generic suspicious access patterns, not only named malware families.
- Review whether file and email/security tooling can surface RTLO characters, deceptive filenames, oversized padded binaries, and unexpected media files used in workflows where steganography would be abnormal.
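As an added example (not part of the ATT&CK entry or Glexia's analysis), the following Python correlates the combination called out above over constructed process-creation events: a credential-dumping tool named in this entry running on a host, followed within 30 minutes by Net/sc discovery or at/schtasks task creation from the same host. Event field names, the 30-minute window and the sample events are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

# Credential-dumping tools named in the ATT&CK entry (matched on image name).
CREDENTIAL_TOOLS = {"mimikatz.exe", "wce.exe", "gsecdump.exe"}


def classify(image: str, cmdline: str) -> Optional[str]:
    """Map one process-creation event to a stage of the chain, or None."""
    image, cl = image.lower(), cmdline.lower()
    if image in CREDENTIAL_TOOLS:
        return "credential_access"
    if image in ("net.exe", "net1.exe") and any(k in cl for k in (" view", " group", " user")):
        return "discovery"                       # remote system / account discovery via Net
    if image == "sc.exe" and " query" in cl:
        return "discovery"                       # system service discovery
    if image == "at.exe" or (image == "schtasks.exe" and "/create" in cl):
        return "scheduled_task"                  # at / schtasks used to run malware
    return None


def find_chains(events, window=timedelta(minutes=30)):
    """Return (host, time, stages) where credential access on a host is
    followed within `window` by discovery and/or scheduled-task creation."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        stage = classify(e["image"], e["cmdline"])
        if stage:
            by_host.setdefault(e["host"], []).append((e["time"], stage))
    chains = []
    for host, staged in by_host.items():
        for i, (t0, s0) in enumerate(staged):
            if s0 != "credential_access":
                continue
            follow = {s for t, s in staged[i + 1:]
                      if t - t0 <= window and s != "credential_access"}
            if follow:
                chains.append((host, t0, sorted(follow)))
    return chains


# Constructed sample telemetry (field names assumed; not real logs).
T = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": T, "image": "net.exe", "cmdline": "net view"},
    {"host": "WS-02", "time": T + timedelta(minutes=30), "image": "gsecdump.exe", "cmdline": "gsecdump.exe"},
    {"host": "WS-02", "time": T + timedelta(minutes=35), "image": "net.exe", "cmdline": "net group /domain"},
    {"host": "WS-02", "time": T + timedelta(minutes=42), "image": "schtasks.exe",
     "cmdline": "schtasks /create /s FILESRV /tn update /tr update.bat"},
    {"host": "WS-03", "time": T + timedelta(minutes=60), "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn backup /tr backup.bat"},   # routine admin use: no chain
]

if __name__ == "__main__":
    for host, when, stages in find_chains(SAMPLE_EVENTS):
        print(f"{host} {when:%H:%M} credential access followed by {', '.join(stages)}")
```

WS-03's lone schtasks call and WS-01's lone net view are the routine administrative noise the baseline bullet warns about; only WS-02, where the tool run precedes both follow-on stages, is reported.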
Mitigation priorities
- Harden credential exposure first: restrict administrative privileges, reduce interactive privileged logons, monitor or protect LSASS, and ensure rapid credential rotation procedures are available for IR.
- Constrain and monitor native administration utilities through least privilege, application control where appropriate, and alerting on abnormal use of cmd, Net, at, and schtasks.
- Improve network-share governance by limiting broad access, auditing sensitive repositories, and reviewing whether file servers retain usable access logs for investigations.
- Strengthen endpoint prevention and detection for downloader/backdoor execution, suspicious scheduled tasks, masqueraded binaries, and unexpected persistence mechanisms.
- Maintain threat intelligence watchlists for the listed aliases and related software names, while avoiding overreliance on names alone for detection decisions.
Analyst notes and limits
The most decision-useful aspects of this ATT&CK object come from its relationships: Windows credential dumping, native command use, scheduled task execution, downloaders/backdoors, discovery, collection, and stealth. This supports practical validation of SOC visibility and IR readiness without assuming the organization is being targeted. Alias handling matters because the group is also referenced as REDBALDKNIGHT and Tick.
MITRE provides no official detection text, no platforms on the group object itself, and no group-level tactics in the supplied fields. Platform and behavior guidance here is inferred only from the supplied related software and technique relationships. Local environment baselines, asset criticality, geography, sector exposure, and retained telemetry are required before drawing conclusions about risk or coverage.
BRONZE BUTLER
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BRONZE BUTLER downloads encoded payloads and decodes them on the victim. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1005 | Data from Local System | BRONZE BUTLER has exfiltrated files stolen from local systems. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1007 | System Service Discovery | BRONZE BUTLER has used TROJ_GETVERSION to discover system services. (Citation: Trend Micro Tick November 2019) |
| Enterprise | T1070.004 | File Deletion | The BRONZE BUTLER uploader or malware the uploader uses |
| Enterprise | T1059.006 | Python | BRONZE BUTLER has made use of Python-based remote access tools. (Citation: Trend Micro Tick November 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment | BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims. (Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1113 | Screen Capture | BRONZE BUTLER has used a tool to capture screenshots. (Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1036 | Masquerading | BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF. (Citation: Trend Micro Tick November 2019) |
| Enterprise | T1588.002 | Tool | BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. (Citation: Symantec Tick Apr 2016) |
| Enterprise | T1548.002 | Bypass User Account Control | BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation. (Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1059.005 | Visual Basic | BRONZE BUTLER has used VBS and VBE scripts for execution. (Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1132.001 | Standard Encoding | Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1518 | Software Discovery | BRONZE BUTLER has used tools to enumerate software installed on an infected host. (Citation: Trend Micro Tick November 2019) |
| Enterprise | T1071.001 | Web Protocols | BRONZE BUTLER malware has used HTTP for C2. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1039 | Data from Network Shared Drive | BRONZE BUTLER has exfiltrated files stolen from file shares. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1685 | Disable or Modify Tools | BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes. (Citation: Trend Micro Tick November 2019) |
| Enterprise | T1124 | System Time Discovery | BRONZE BUTLER has used |
| Enterprise | T1189 | Drive-by Compromise | BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks. (Citation: Symantec Tick Apr 2016) |
| Enterprise | T1574.001 | DLL | BRONZE BUTLER has used legitimate applications to side-load malicious DLLs. (Citation: Trend Micro Tick November 2019) |
| Enterprise | T1003.001 | LSASS Memory | BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1203 | Exploitation for Client Execution | BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution. (Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1018 | Remote System Discovery | BRONZE BUTLER typically use |
| Enterprise | T1560.001 | Archive via Utility | BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration. (Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1053.002 | At | BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1102.001 | Dead Drop Resolver | BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1053.005 | Scheduled Task | BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1080 | Taint Shared Content | BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1204.002 | Malicious File | BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails. (Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1027.001 | Binary Padding | BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection. (Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1059.001 | PowerShell | BRONZE BUTLER has used PowerShell for execution. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1059.003 | Windows Command Shell | BRONZE BUTLER has used batch scripts and the command-line interface for execution. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget). (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1550.003 | Pass the Ticket | BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography | BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1027.003 | Steganography | BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads. (Citation: Trend Micro Tick November 2019) |
| Enterprise | T1087.002 | Domain Account | BRONZE BUTLER has used |
| Enterprise | T1083 | File and Directory Discovery | BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1036.002 | Right-to-Left Override | BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware. (Citation: Trend Micro Tick November 2019) |
Groups, software, and campaigns
S0002: Mimikatz
S0471: build_downer
build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
S0106: cmd
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).
S0469: ABK
ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
S0110: at
S0470: BBK
BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
S0111: schtasks
S0472: down_new
down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
S0187: Daserf
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0596: ShadowPad
S0005: Windows Credential Editor
Windows Credential Editor is a password dumping tool. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 05416eb8afb6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro Daserf Nov 2017: Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
[2] Secureworks BRONZE BUTLER Oct 2017: Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
[3] Trend Micro Tick November 2019: Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
[4] BRONZE BUTLER: (Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)
[5] REDBALDKNIGHT: (Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)
[6] Symantec Tick Apr 2016: DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
[7] Tick: (Citation: Trend Micro Daserf Nov 2017)(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)
[8] mitre-attack G0060
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.