S0234: Bandook
Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[1][2][3]
Analyst context for executives and security teams
Bandook is a long-running, commercially available Windows remote access trojan. Its ATT&CK relationships show why it matters beyond “malware found on a host”: it can support command execution, discovery, credential collection through keylogging, screen/audio/video capture, tool transfer, C2 communications, exfiltration, process hollowing, file deletion, obfuscation, and code signing abuse. For leaders, the practical risk is loss of confidentiality and investigative visibility on Windows endpoints, especially in environments where user workstations handle sensitive data or privileged access.
Executive priority
Treat Bandook coverage as a test of Windows endpoint resilience, SOC visibility, and incident response readiness for commodity-but-capable remote access tooling. Priority questions: can the organization see suspicious command execution, PowerShell/cmd activity, process injection behavior, file transfer, unusual C2/exfiltration, and capture of credentials or sensitive user activity? Because MITRE notes use against government, financial, energy, healthcare, education, IT, and legal organizations, affected sectors should ensure detection and response evidence is strong enough for audit, regulatory, and executive incident decision-making.
Technical view
ATT&CK provides no official detection text for Bandook, so defenders should validate coverage from the related behaviors rather than rely on a malware-name alert. Focus on Windows telemetry for execution via command and scripting interpreters, PowerShell, Windows command shell, Visual Basic, Python, and Native API activity; process hollowing indicators; keylogging and screen/audio/video capture behaviors; local file and directory discovery; system network configuration discovery; tool ingress; file deletion; deobfuscation; code signing trust anomalies; non-application-layer or otherwise unusual C2; and exfiltration over the C2 channel. The object platform is Windows, even though some related techniques list broader platforms, so do not infer non-Windows Bandook exposure from this object alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell script block, module, and operational logs where enabled
- Windows command shell activity and parent-child process relationships
- Endpoint detection telemetry for process hollowing, memory manipulation, and Native API abuse
- File creation, modification, deletion, and tool-transfer events
Detection direction
- Build detection around the ATT&CK technique chain, not only Bandook names or hashes, because the object is a commercially available RAT and MITRE supplies no official detection logic.
- Correlate suspicious user-opened files with follow-on interpreter execution, tool transfer, discovery, capture activity, and outbound communications.
- Tune PowerShell, cmd, Visual Basic, Python, and Native API detections for abnormal parent processes, unusual command lines, and execution from user-writable paths; account for legitimate administration to reduce false positives.
- Validate endpoint visibility for process hollowing and file deletion, as these behaviors can reduce the value of simple process and file-based detections.
- Review signed executable handling carefully: code signing can create misplaced trust, so signed status should not be treated as benign by itself.
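As an added example (not ATT&CK's or Glexia's code), the following Python applies the detection direction above to constructed Sysmon-style process-creation records: it labels the individual behaviours in the Bandook chain (lure document to interpreter, encoded PowerShell, interpreter-dropped binaries in user-writable paths) and escalates a host only when several labels correlate. The field names, paths, host names and the base64 placeholder are all assumptions.

```python
"""Triage of Windows process-creation events for the chain described above
(lure document -> macro -> PowerShell/cmd loader -> dropped binary). Added example,
not ATT&CK or Glexia code; Sysmon Event ID 1 field names, constructed records."""
import json
import re
from pathlib import PureWindowsPath
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "python.exe"}
# Locations a macro or loader can write to without elevation.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\(?:appdata|downloads)|temp)\\", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def triage(event: dict) -> list[str]:
    """Labels that apply to one process-creation event (empty list if nothing fires)."""
    image, parent = _name(event["Image"]), _name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE and image in INTERPRETERS:
        hits.append("office-spawned-interpreter")            # T1204.002 -> T1059.x
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
        hits.append("encoded-powershell")                    # T1059.001 / T1140
    if parent in INTERPRETERS and USER_WRITABLE.search(event["Image"]):
        hits.append("interpreter-launched-user-writable-binary")  # T1105 staging
    if image in INTERPRETERS and USER_WRITABLE.search(cmd):
        hits.append("interpreter-runs-user-writable-payload")
    return hits

def hosts_to_escalate(lines, min_labels: int = 2) -> dict[str, set[str]]:
    """Correlate per host: escalate when at least min_labels distinct labels fire."""
    per_host: dict[str, set[str]] = {}
    for line in lines:
        ev = json.loads(line)
        per_host.setdefault(ev["Computer"], set()).update(triage(ev))
    return {h: labs for h, labs in per_host.items() if len(labs) >= min_labels}

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"Computer": "WS01", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # one JSON record per line
```

Tune OFFICE, INTERPRETERS and USER_WRITABLE to the environment's baseline so legitimate administration scripts do not hit the user-writable rules.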
Mitigation priorities
- Prioritize Windows endpoint hardening and EDR coverage for user workstations and systems that handle sensitive data or privileged sessions.
- Restrict and monitor script/interpreter use where business processes allow, especially PowerShell and Windows command shell execution from documents, downloads, temporary folders, or other user-controlled locations.
- Strengthen user-execution controls for malicious files through attachment handling, application control, and least privilege, while maintaining user-awareness evidence for compliance programs.
- Do not rely solely on code-signing trust; enforce application control and certificate validation policies appropriate to risk.
- Limit outbound network paths and monitor unusual protocols or destinations to reduce C2 and exfiltration opportunity.
Analyst notes and limits
The most decision-useful context is the breadth of Bandook’s related behaviors: execution, discovery, collection, credential access, stealth, command and control, exfiltration, and defense-impairment via code signing. Dark Caracal is listed by ATT&CK as a group that uses Bandook, and the description also references Operation Manul; this should inform threat-intelligence context but should not be treated as attribution for any local incident without environment-specific evidence.
MITRE provides no official detection guidance for this object, no object-level tactics, no aliases, and only Windows as the supported platform for Bandook. Several related techniques have broader ATT&CK platform lists; those should guide general control validation but should not be used to claim Bandook operates on those platforms from this object alone. Local telemetry, malware analysis, and incident evidence are required to confirm exposure, infection, attribution, or data loss.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | Bandook has modules that are capable of capturing audio. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Bandook can upload files from a victim's machine over the C2 channel. [3] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Bandook is capable of spawning a Windows command shell. [1][3] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | Bandook contains keylogging capabilities. [BH Manul Aug 2016] |
| Enterprise | T1055.012 | Process Hollowing (sub-technique) | |
| Enterprise | T1105 | Ingress Tool Transfer | Bandook can download files to the system. [3] |
| Enterprise | T1120 | Peripheral Device Discovery | Bandook can detect USB devices. [1] |
| Enterprise | T1027.003 | Steganography (sub-technique) | Bandook has used .PNG images within a zip file to build the executable. [3] |
| Enterprise | T1083 | File and Directory Discovery | Bandook has a command to list files on a system. [3] |
| Enterprise | T1095 | Non-Application Layer Protocol | Bandook has a command built in to use a raw TCP socket. [3] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | Bandook is delivered via a malicious Word document inside a zip file. [3] |
| Enterprise | T1059 | Command and Scripting Interpreter | Bandook can support commands to execute Java-based payloads. [3] |
| Enterprise | T1113 | Screen Capture | Bandook is capable of taking an image of and uploading the current desktop. [2][3] |
| Enterprise | T1016 | System Network Configuration Discovery | Bandook has a command to get the public IP address from a system. [3] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Bandook has used PowerShell loaders as part of execution. [3] |
| Enterprise | T1680 | Local Storage Discovery | Bandook can collect information about the drives available on the system. [3] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Bandook has used lure documents to convince the user to enable macros. [3] |
| Enterprise | T1106 | Native API | Bandook has used the ShellExecuteW() function call. [3] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | Bandook has used malicious VBA code against the target system. [3] |
| Enterprise | T1125 | Video Capture | Bandook has modules that are capable of capturing video from a victim's webcam. [1] |
| Enterprise | T1059.006 | Python (sub-technique) | Bandook can support commands to execute Python-based payloads. [3] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Bandook has a command to delete a file. [3] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Bandook has used AES encryption for C2 communication. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bandook has decoded its PowerShell script. [3] |
| Enterprise | T1005 | Data from Local System | Bandook can collect local files from the system. [3] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | Bandook was signed with valid Certum certificates. [3] |
Groups, software, and campaigns
G0070: Dark Caracal
Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 5f56acbf5e74… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] EFF Manul Aug 2016: Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
- [2] Lookout Dark Caracal Jan 2018: Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- [3] CheckPoint Bandook Nov 2020: Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
- [4] mitre-attack S0234
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.