S0239: Bankshot
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [1]
Analyst context for executives and security teams
Bankshot is a Windows remote access tool with ATT&CK-documented behaviors across execution, discovery, collection, command-and-control, exfiltration, and anti-forensics. For leaders, its value is as a coverage test: can the organization see a Windows host exploited through a client application, communicating over web-like traffic, collecting local files, exfiltrating over the same channel, and then deleting or altering artifacts?
Executive priority
Prioritize Bankshot as a defensive validation scenario for Windows endpoint visibility, egress monitoring, legacy client-application risk, and incident response evidence preservation. The official description notes historical use against the Turkish financial sector and a zero-day Adobe Flash execution path, so leaders should confirm whether vulnerable or obsolete client software has been removed and whether SOC/IR teams can prove coverage for data collection and C2-based exfiltration.
Technical view
ATT&CK maps Bankshot to Windows behaviors including command execution through cmd, process creation through Windows APIs, token-based process creation, Registry querying/modification, system/process/file/account/storage discovery, local and automated file collection, file upload/download, HTTP C2, non-standard encoded C2 commands, false TLS-handshake impersonation, exfiltration over C2, timestomping, and file/artifact deletion. Detection engineering should validate chained behavior rather than single indicators: suspicious client-app execution followed by new processes, discovery commands or API-driven enumeration, Registry activity around HKLM\SOFTWARE\Microsoft\Pniumj, recursive file listing or file access bursts, outbound HTTP-like traffic with unusual encoding or TLS impersonation, and subsequent deletion or timestamp manipulation.
Likely telemetry
- Windows endpoint process creation and parent/child process lineage
- Command-line telemetry for cmd and discovery utilities
- Windows API/EDR events for process creation and token-based process creation
- Registry query and write events, especially HKLM\SOFTWARE\Microsoft\Pniumj
- File system enumeration, file read/access, upload/download, deletion, and pending-delete-on-reboot evidence
Detection direction
- Build detections around behavior sequences: execution or process creation followed by host discovery, file discovery/collection, outbound web traffic, and cleanup activity.
- Validate visibility for HTTP command-and-control that blends with normal web traffic, including encoded or gzip-like command content and traffic that appears to impersonate TLS behavior.
- Monitor Registry access and modification tied to the documented Bankshot key, while avoiding overreliance on a single registry indicator.
- Tune for recursive file listing and local file collection followed by outbound transfer over the same network channel.
- Review detections for timestomping and file deletion; these are often forensic signals rather than high-fidelity real-time alerts by themselves.
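The chained-behavior approach described above, as an added example that is not code from the page, from ATT&CK or from Glexia: it tags constructed Sysmon-like endpoint events with the chain stage they contribute to and alerts only when several distinct stages appear on one host inside a time window. The event field names, the list of user-facing parent applications and the discovery command markers are assumptions; the Registry key and the HTTP-on-port-1058 detail are taken from the page.

```python
"""Added example (not code from the page, ATT&CK or Glexia): correlate Windows
endpoint events into a Bankshot-style behavior chain rather than alerting on any
single indicator. Input is a constructed, Sysmon-like event list; the field names,
the client-application list and the discovery command markers are assumptions.
The Registry key and the HTTP-on-port-1058 detail come from the page."""
from datetime import datetime, timedelta

BANKSHOT_REG_KEY = "hklm\\software\\microsoft\\pniumj"          # documented on the page
CLIENT_APPS = {"flashplayer.exe", "iexplore.exe", "chrome.exe",   # assumed list of
               "firefox.exe", "winword.exe", "excel.exe"}        # user-facing parents
DISCOVERY_MARKERS = ("systeminfo", "tasklist", "net user", "net group",
                     "whoami", "ipconfig", "dir /s", "wmic")     # assumed markers
COMMON_WEB_PORTS = {80, 443, 8080}
CHAIN_WINDOW = timedelta(minutes=30)   # how close the stages must be in time
MIN_STAGES = 3                         # distinct stages needed before alerting


def classify(event):
    """Return the set of chain stages one event contributes to (possibly empty)."""
    kind, d = event["type"], event["data"]
    stages = set()
    if kind == "process_create":
        if d.get("parent", "").lower() in CLIENT_APPS:
            stages.add("client_app_execution")          # T1203-style parent/child
        cmd = d.get("cmdline", "").lower()
        if any(m in cmd for m in DISCOVERY_MARKERS):
            stages.add("discovery")                     # T1082/T1057/T1083/T1087
    elif kind in ("registry_query", "registry_set"):
        if d.get("key", "").lower().startswith(BANKSHOT_REG_KEY):
            stages.add("registry")                      # T1012/T1112
    elif kind == "network_connect":
        if d.get("app_protocol") == "http" and d.get("dst_port") not in COMMON_WEB_PORTS:
            stages.add("c2_http_nonstandard_port")      # T1071.001/T1571
    elif kind in ("file_delete", "file_timestamp_change"):
        stages.add("cleanup")                           # T1070.004/T1070.006
    return stages


def correlate(events, window=CHAIN_WINDOW, min_stages=MIN_STAGES):
    """Per host, slide a time window over tagged events; alert once a window
    holds at least `min_stages` distinct stages."""
    by_host = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        tagged = [(datetime.fromisoformat(e["ts"]), stage)
                  for e in evs for stage in classify(e)]
        for i, (t0, _) in enumerate(tagged):
            stages = {s for t, s in tagged[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts.append({"host": host, "start": t0.isoformat(),
                               "stages": sorted(stages)})
                break          # one alert per host is enough for this example
    return alerts


# Constructed sample telemetry (not real logs). WS01 shows the full chain; WS02 is benign.
SAMPLE_EVENTS = [
    {"ts": "2018-03-01T10:00:00", "host": "WS01", "type": "process_create",
     "data": {"image": "cmd.exe", "parent": "flashplayer.exe", "cmdline": "cmd.exe /c systeminfo"}},
    {"ts": "2018-03-01T10:00:10", "host": "WS01", "type": "process_create",
     "data": {"image": "cmd.exe", "parent": "cmd.exe", "cmdline": "cmd.exe /c dir /s C:\\Users"}},
    {"ts": "2018-03-01T10:00:20", "host": "WS01", "type": "registry_set",
     "data": {"key": "HKLM\\SOFTWARE\\Microsoft\\Pniumj", "image": "unknown.exe"}},
    {"ts": "2018-03-01T10:01:00", "host": "WS01", "type": "network_connect",
     "data": {"image": "unknown.exe", "dst_port": 1058, "app_protocol": "http"}},
    {"ts": "2018-03-01T10:20:00", "host": "WS01", "type": "file_timestamp_change",
     "data": {"path": "C:\\Users\\Public\\stage.dat"}},
    {"ts": "2018-03-01T10:21:00", "host": "WS01", "type": "file_delete",
     "data": {"path": "C:\\Users\\Public\\stage.dat"}},
    {"ts": "2018-03-01T11:00:00", "host": "WS02", "type": "process_create",
     "data": {"image": "cmd.exe", "parent": "explorer.exe", "cmdline": "cmd.exe /c dir"}},
    {"ts": "2018-03-01T11:00:05", "host": "WS02", "type": "network_connect",
     "data": {"image": "chrome.exe", "dst_port": 443, "app_protocol": "http"}},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports one alert for WS01 carrying all five stages and nothing for WS02, whose lone `cmd.exe /c dir` and port-443 web request never cross the three-stage threshold. Raising `MIN_STAGES` or shrinking `CHAIN_WINDOW` trades recall for precision; the stage functions are the place to plug in real EDR field names.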
Mitigation priorities
- Remove or tightly control obsolete/vulnerable client software, especially where legacy Flash exposure may still exist.
- Enforce timely vulnerability management for user-facing applications that can enable client-side execution.
- Apply least privilege and restrict administrative rights needed for sensitive Registry modification, token abuse, and broader system manipulation.
- Use egress controls, proxy policy, and network monitoring to limit and inspect unexpected outbound HTTP/TLS-like traffic from endpoints.
- Ensure endpoint controls collect process, registry, file, and network context needed to reconstruct discovery, collection, exfiltration, and cleanup.
Analyst notes and limits
Bankshot should be used as a multi-technique validation case for Windows RAT coverage rather than as a single-signature malware test. The supplied ATT&CK relationships emphasize C2 over HTTP, data collection/exfiltration, discovery, Registry activity, API-based execution, token-based process creation, and anti-forensic cleanup.
Official ATT&CK detection text is not provided for this malware object. This take is limited to the supplied STIX fields and relationships; local software inventory, endpoint logging depth, network architecture, and IR evidence sources are required to determine actual exposure or coverage.
Bankshot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Bankshot uses HTTP for command and control communication. (Citation: McAfee Bankshot) |
| Enterprise | T1005 | Data from Local System | Bankshot collects files from the local system. (Citation: McAfee Bankshot) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system. (Citation: McAfee Bankshot) |
| Enterprise | T1083 | File and Directory Discovery | Bankshot searches for files on the victim's machine. (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1070.006 | Timestomp (sub-technique) | Bankshot modifies the time of a file as specified by the control server. (Citation: McAfee Bankshot) |
| Enterprise | T1203 | Exploitation for Client Execution | Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims' machines. (Citation: McAfee Bankshot) |
| Enterprise | T1057 | Process Discovery | Bankshot identifies processes and collects the process ids. (Citation: McAfee Bankshot) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bankshot decodes embedded XOR strings. (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1082 | System Information Discovery | Bankshot gathers system information, network addresses, and the operating system version. (Citation: McAfee Bankshot) (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1543.003 | Windows Service (sub-technique) | Bankshot can terminate a specific process by its process id. (Citation: McAfee Bankshot) (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1106 | Native API | Bankshot creates processes using the Windows API calls CreateProcessA() and CreateProcessAsUserA(). (Citation: McAfee Bankshot) |
| Enterprise | T1012 | Query Registry | Bankshot searches for certain Registry keys to be configured before executing the payload. (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1132.002 | Non-Standard Encoding (sub-technique) | Bankshot encodes commands from the control server using a range of characters and gzip. (Citation: McAfee Bankshot) |
| Enterprise | T1119 | Automated Collection | Bankshot recursively generates a list of files within a directory and sends them back to the control server. (Citation: McAfee Bankshot) |
| Enterprise | T1001.003 | Protocol or Service Impersonation (sub-technique) | Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications. (Citation: MAR10135536-B) |
| Enterprise | T1105 | Ingress Tool Transfer | Bankshot uploads files and secondary payloads to the victim's machine. (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1087.001 | Local Account (sub-technique) | Bankshot gathers domain and account names/information through process monitoring. (Citation: McAfee Bankshot) |
| Enterprise | T1087.002 | Domain Account (sub-technique) | Bankshot gathers domain and account names/information through process monitoring. (Citation: McAfee Bankshot) |
| Enterprise | T1112 | Modify Registry | Bankshot writes data into the Registry key |
| Enterprise | T1134.002 | Create Process with Token (sub-technique) | Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user. (Citation: McAfee Bankshot) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Bankshot uses the command-line interface to execute arbitrary commands. (Citation: McAfee Bankshot) (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Bankshot exfiltrates data over its C2 channel. (Citation: McAfee Bankshot) |
| Enterprise | T1680 | Local Storage Discovery | Bankshot gathers disk type and disk free space. (Citation: McAfee Bankshot) (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1070 | Indicator Removal | Bankshot deletes all artifacts associated with the malware from the infected machine. (Citation: US-CERT Bankshot Dec 2017) |
| Enterprise | T1571 | Non-Standard Port | Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method. (Citation: US-CERT Bankshot Dec 2017) |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | cf6ce94f89db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] McAfee Bankshot: Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- [2] Bankshot (Citation: McAfee Bankshot)
- [3] Trojan Manuscript (Citation: McAfee Bankshot)
- [4] mitre-attack S0239
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.