S0187: Daserf
Analyst context for executives and security teams
Daserf is a Windows backdoor associated in ATT&CK with espionage-focused activity and capabilities for credential theft, collection, command execution, tool transfer, and stealthy command-and-control. For leaders, the practical issue is not just the malware name; it is whether the organization can prove it would notice a Windows host behaving like a long-running remote access implant that hides traffic, captures user activity, and prepares data for theft.
Executive priority
Prioritize Daserf as a validation case for endpoint visibility, identity protection, and incident response readiness on Windows systems. The ATT&CK relationships tie it to LSASS memory access, keylogging, screen capture, archiving collected data, web-based C2, steganography, encoding, and symmetric cryptography. Executives should ask whether SOC evidence can connect these behaviors into an intrusion story, whether privileged credential exposure would be contained quickly, and whether audit/compliance evidence exists for monitoring sensitive Windows endpoints and outbound network activity.
Technical view
ATT&CK does not provide a Daserf-specific detection section, so defenders should validate behavior-based coverage from the related techniques rather than rely on a malware signature. On Windows, focus on unusual LSASS access, suspicious command shell execution, unexpected packed or obfuscated binaries, binaries placed or named to resemble legitimate resources, signed-but-untrusted or unusual executables, keylogging or screen capture indicators, archive creation around sensitive data, ingress tool transfer, and outbound web traffic that may be encoded, encrypted, or steganographic. Relationship context also links Daserf to BRONZE BUTLER, but local detection should be based on observed behaviors and telemetry, not attribution assumptions.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Endpoint file creation, modification, and execution metadata
- Memory access events involving LSASS where available
- Code-signing and certificate metadata for executed binaries
- EDR or host telemetry for keylogging, screen capture, and suspicious API use where available
Detection direction
- Map current detections to the related ATT&CK techniques, especially T1003.001, T1056.001, T1059.003, T1071.001, T1105, T1113, T1132.001, T1560/T1560.001, T1573.001, and T1001.002.
- Tune detections to correlate multiple weak signals: suspicious Windows command shell use, LSASS access, new archive creation, screen capture/keylogging indicators, and unusual outbound web sessions are more meaningful together than alone.
- Validate blind spots around encrypted or encoded web traffic, because the related C2 techniques may reduce the value of simple content inspection.
- Review allowlisting and trust decisions for signed executables; code signing alone should not be treated as proof of legitimacy.
- Account for false positives from administrative tools, backup/compression utilities, remote support software, and legitimate web applications by baselining expected hosts, users, paths, and destinations.
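The correlation idea in the list above, as an added example that is not Glexia's or ATT&CK's code: it scores weak signals per host inside a sliding window and stays silent on a lone cmd.exe launch or baselined web session. The event shape, field names, signal names, trusted install roots and the 30-minute window are assumptions, and the event records are constructed samples, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Weak signals, each mapped to a technique the page lists for Daserf.
SIGNALS = {"lsass_access": "T1003.001", "cmd_shell": "T1059.003", "name_mimicry": "T1036.005",
           "archive_created": "T1560.001", "outbound_http": "T1071.001"}
MIMIC_NAMES = {"hp", "intel", "adobe", "perflogs"}          # names the page says Daserf borrows (T1036.005)
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")        # assumed allowlist of legitimate install roots

def classify(ev):
    """Map one simplified endpoint/network event to a weak-signal name, or None."""
    kind, image = ev["type"], ev.get("image", "").lower()
    if kind == "process_access" and ev.get("target", "").lower().endswith("lsass.exe"):
        return "lsass_access"
    if kind == "process_create" and image.endswith("\\cmd.exe"):
        return "cmd_shell"
    if kind == "process_create" and not image.startswith(TRUSTED_ROOTS):
        if MIMIC_NAMES & set(image.split("\\")[:-1]):      # vendor-like folder outside install roots
            return "name_mimicry"
    if kind == "file_create" and ev.get("path", "").lower().endswith(".rar"):
        return "archive_created"
    if kind == "network" and ev.get("proto") == "http" and not ev.get("baselined"):
        return "outbound_http"
    return None

def correlate(events, window=timedelta(minutes=30), min_signals=3):
    """Return {host: sorted technique IDs} for hosts with >= min_signals distinct signals in one window."""
    by_host = defaultdict(list)
    for ev in events:
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), sig))
    alerts = {}
    for host, hits in sorted(by_host.items()):
        hits.sort()
        for i, (t0, _) in enumerate(hits):             # slide the window from each hit in turn
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) >= min_signals:
                alerts[host] = sorted(SIGNALS[s] for s in seen)
                break
    return alerts

# Constructed sample events (not real telemetry): ws1 clusters four signals, ws2 is routine admin use.
SAMPLE_EVENTS = [
    {"host": "ws1", "ts": "2024-01-01T09:00:00", "type": "process_create", "image": "C:\\Users\\u\\AppData\\Roaming\\Intel\\svc.exe"},
    {"host": "ws1", "ts": "2024-01-01T09:05:00", "type": "process_access", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "ws1", "ts": "2024-01-01T09:12:00", "type": "file_create", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\out.rar"},
    {"host": "ws1", "ts": "2024-01-01T09:20:00", "type": "network", "proto": "http", "dest": "198.51.100.7"},
    {"host": "ws2", "ts": "2024-01-01T09:00:00", "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "ws2", "ts": "2024-01-01T11:00:00", "type": "network", "proto": "http", "baselined": True},
]
```

Raising min_signals or shrinking the window trades recall for fewer alerts from the administrative and backup tools the list above warns about.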
Mitigation priorities
- Harden Windows credential exposure first: restrict administrative privileges, monitor and reduce unnecessary LSASS access, and prepare rapid credential reset procedures for suspected compromise.
- Improve endpoint control quality: application control, least privilege, and scrutiny of unusual signed, packed, or obfuscated executables can reduce reliance on static malware naming.
- Strengthen egress monitoring and filtering for unusual web-based outbound communications, including destinations, timing, volume, and encoded or encrypted patterns inconsistent with business use.
- Ensure SOC and IR playbooks cover backdoor behaviors: credential access, collection, archive staging, tool transfer, and C2 containment.
- Use the Daserf technique relationships as a control-validation checklist for managed detection, incident response exercises, and compliance evidence on sensitive Windows assets.
Analyst notes and limits
The strongest decision value comes from the relationship set: Daserf is modeled as a Windows backdoor with behaviors spanning credential access, collection, execution, defense evasion, and command-and-control. The related group context names BRONZE BUTLER and describes historical targeting, but this take does not infer current targeting or active exploitation.
The official ATT&CK object does not specify Daserf tactics, aliases, labels, or a detection section. External references are limited to the supplied Trend Micro and Secureworks reporting metadata. Environment-specific conclusions require local endpoint, identity, and network evidence.
Daserf
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Daserf can execute shell commands. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Some Daserf samples were signed with a stolen digital certificate. (Citation: Symantec Tick Apr 2016) |
| Enterprise | T1105 | Ingress Tool Transfer | Daserf can download remote files. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1027.002 | Software Packing Sub-technique | A version of Daserf uses the MPRESS packer. (Citation: Trend Micro Daserf Nov 2017) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Daserf uses custom base64 encoding to obfuscate HTTP traffic. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Daserf hides collected data in password-protected .rar archives. (Citation: Symantec Tick Apr 2016) |
| Enterprise | T1113 | Screen Capture | Daserf can take screenshots. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1027 | Obfuscated Files or Information | Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher. (Citation: Trend Micro Daserf Nov 2017) |
| Enterprise | T1001.002 | Steganography Sub-technique | Daserf can use steganography to hide malicious code downloaded to the victim. (Citation: Trend Micro Daserf Nov 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Daserf uses RC4 encryption to obfuscate HTTP traffic. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs. (Citation: Symantec Tick Apr 2016) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Daserf can log keystrokes. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Daserf uses HTTP for C2. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Daserf leverages Mimikatz and Windows Credential Editor to steal credentials. (Citation: Symantec Tick Apr 2016) |
| Enterprise | T1560 | Archive Collected Data | Daserf hides collected data in password-protected .rar archives. (Citation: Symantec Tick Apr 2016) |
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection. (Citation: Trend Micro Daserf Nov 2017) |
Groups, software, and campaigns
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 0298ca1bc71d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro Daserf Nov 2017: Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- [2] Secureworks BRONZE BUTLER Oct 2017: Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- [3] Daserf (Citation: Trend Micro Daserf Nov 2017)
- [4] Muirim (Citation: Trend Micro Daserf Nov 2017)
- [5] Nioupale (Citation: Trend Micro Daserf Nov 2017)
- [6] mitre-attack S0187
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.