S0014: BS2005
Analyst context for executives and security teams
BS2005 matters as a Windows malware entry tied in ATT&CK to Ke3chang spearphishing activity and to encoded command-and-control behavior. For leaders, the practical issue is not a detailed malware playbook—ATT&CK provides little detection detail here—but whether email-led intrusion scenarios, Windows endpoint visibility, and C2 traffic review can produce defensible evidence during an investigation.
Executive priority
Treat BS2005 as a prompt to validate readiness for targeted phishing-driven malware incidents: executive questions should focus on whether the organization can preserve endpoint, email, proxy/DNS, and network evidence; distinguish encoded C2-like traffic from normal business use; and show auditors or risk owners that incident response and monitoring processes cover legacy and named ATT&CK software where relevant to the environment.
Technical view
ATT&CK lists BS2005 as Windows malware used by Ke3chang in spearphishing campaigns since at least 2011. No official ATT&CK detection guidance is provided. The supplied relationship says BS2005 uses T1132.001, Standard Encoding, under command-and-control. SOC and IR teams should therefore validate visibility around Windows execution artifacts, phishing delivery evidence, and outbound communications where standard encodings such as Base64, hexadecimal, MIME, Unicode, or similar protocol-compliant encodings may appear in C2-related content. Detection should be behavior-led rather than name-led because the object provides no aliases, labels, or specific indicators.
Likely telemetry
- Windows endpoint process, file, persistence, and security event telemetry
- Email security and message metadata for spearphishing investigation context
- Proxy, web gateway, firewall, DNS, and network flow logs for outbound C2 review
- Packet capture or HTTP/S metadata where available for encoded payload or parameter analysis
- EDR investigation data tying user interaction, process lineage, and outbound network connections together
Detection direction
- Do not rely on a BS2005 signature alone; ATT&CK supplies no official detection text or indicators for this object.
- Map analytics to the related behavior T1132.001 by looking for suspicious use of standard encodings in outbound communications, while accounting for high false-positive rates because standard encodings are common in normal web, email, and application traffic.
- Correlate encoded network content with Windows host context, especially unusual process lineage, unexpected destinations, or activity following suspicious email delivery.
- Validate that SOC playbooks can pivot from a malware name to related ATT&CK behavior, affected platform, and campaign context without assuming current activity or attribution beyond the supplied ATT&CK description.
- Review blind spots where TLS inspection limits, short log retention, unmanaged endpoints, or missing email-to-endpoint correlation would prevent investigation.
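As an added illustration (not part of the ATT&CK object or Glexia's analysis), the correlation the items above call for: a small Python triage routine that treats a Base64 HTTP body as weak evidence on its own and escalates only when it coincides with a phishing-style Windows process chain or a bare-IP destination. The process-name sets, destinations and sample events are constructed assumptions, not BS2005 indicators.

```python
import base64
import re

# Illustrative process sets (assumptions, not a complete list): document/mail
# processes that deliver phishing payloads, and shells/LOLBins they should not spawn.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample: a Base64 body of the kind T1132.001 describes, plus three
# events of (process lineage, destination, HTTP request body). No real indicators.
SAMPLE_B64 = base64.b64encode(b"hostname=WKS-01;user=jdoe").decode()
SAMPLE_EVENTS = [
    ("winword.exe > cmd.exe > rundll32.exe", "203.0.113.10", SAMPLE_B64),
    ("chrome.exe", "api.example-saas.test", "grant_type=refresh_token&token=abc"),
    ("outlook.exe > excel.exe", "198.51.100.7", "plain text status update"),
]

def body_is_base64(body: str) -> bool:
    """True when the whole HTTP body is one well-formed Base64 blob."""
    body = body.strip()
    if not B64_RE.match(body) or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lineage_is_suspicious(lineage: str) -> bool:
    """True when an Office/mail process is followed in the chain by a shell or LOLBin."""
    chain = [p.strip().lower() for p in lineage.split(">")]
    return any(p in OFFICE_PARENTS and any(c in SHELL_CHILDREN for c in chain[i + 1:])
               for i, p in enumerate(chain))

def score_request(lineage: str, destination: str, body: str) -> int:
    """Correlate encoding, host context and destination; higher means escalate."""
    score = 0
    if body_is_base64(body):
        score += 1  # standard encoding alone is weak evidence (common in normal traffic)
    if lineage_is_suspicious(lineage):
        score += 2  # phishing-style execution chain carries the most weight
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", destination):
        score += 1  # bare-IP destination rather than a business hostname
    return score

def triage(events):
    """Return only the events scoring 3 or more, i.e. worth analyst review."""
    return [e for e in events if score_request(*e) >= 3]
```

Tune the weights and thresholds against local baselines; the point is that the encoding check never escalates on its own.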
Mitigation priorities
- Prioritize phishing resilience and response readiness: user reporting, email filtering, attachment/link controls, and rapid triage workflows.
- Maintain Windows endpoint hardening and EDR coverage sufficient to reconstruct process execution and network connections during incident response.
- Control and monitor outbound network paths so unusual command-and-control patterns can be investigated, even when content uses standard encodings.
- Ensure log retention and incident evidence handling support campaign-level investigations involving email, endpoint, and network data.
- Use ATT&CK mapping to document coverage for compliance and risk discussions, but avoid claiming coverage for BS2005 specifically unless tested with local telemetry and approved detection logic.
Analyst notes and limits
The most useful defender action is to operationalize the relationship to T1132.001 rather than over-index on the malware name. Standard encoding is not inherently malicious, so detections need correlation with suspicious Windows execution and delivery context. The Ke3chang and spearphishing references provide historical context, not evidence of current activity in any environment.
This take is limited to the supplied ATT&CK fields, external references, and relationship context. ATT&CK provides no official detection text, no aliases, no labels, no specific tactics on the malware object, and only Windows as the supported platform for BS2005. Local environment data is required to assess exposure, detection coverage, or incident relevance.
BS2005
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | BS2005 uses Base64 encoding for communication in the message body of an HTTP request. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | a7e9024e3f38… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant Operation Ke3chang November 2014: Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- [2] mitre-attack S0014.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.