S0337: BadPatch

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[1]

Domain: Enterprise | ID: S0337 | Type: Malware | Object version: 1.1 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

BadPatch matters because it represents a Windows Trojan with behaviors that span credential capture, local data collection, discovery, persistence, and command-and-control over common web and mail protocols. For leaders, the practical issue is not just the malware name; it is whether Windows endpoint, network, and identity monitoring can prove what was collected, how long access persisted, and whether credentials may have been exposed.

Executive priority

Prioritize BadPatch-style coverage where Windows endpoints handle sensitive files, privileged access, or regulated data. The ATT&CK relationships point to behaviors that can affect incident scope decisions: keylogging may require credential reset planning, local data staging and screen capture may influence data exposure analysis, and Registry Run Key persistence affects containment confidence. Executives should ask whether SOC and IR teams can produce evidence for these behaviors without relying on malware signatures alone.

Technical view

Validate detections around the related techniques: Data from Local System, Keylogging, Web Protocols, Mail Protocols, Local Data Staging, System Information Discovery, File and Directory Discovery, Ingress Tool Transfer, Screen Capture, System Checks, Security Software Discovery, and Registry Run Keys / Startup Folder. Because the malware object's platform is Windows and ATT&CK supplies no official detection text for it, defenders should focus on behavior-based Windows telemetry: suspicious autorun changes, unusual file discovery and staging, screen or input capture indicators, security tool enumeration, system profiling, externally initiated tool transfer, and command-and-control patterns over HTTP/S or mail protocols.

Likely telemetry

  • Windows process creation and command-line telemetry
  • Windows Registry monitoring for Run keys and startup folder changes
  • File system access, enumeration, creation, and staging-location activity
  • Endpoint telemetry for screen capture or input capture behavior
  • Host discovery activity, including system information and security software enumeration

Detection direction

  • Do not depend on a BadPatch signature alone; ATT&CK provides no official detection guidance for this object.
  • Correlate Registry Run Key or startup folder changes with newly observed binaries, unusual parent processes, and subsequent network communications.
  • Tune discovery detections to distinguish normal administration from clustered system information, file/directory, and security software enumeration on user workstations.
  • Look for collection chains: file discovery followed by local staging, screen capture, keylogging indicators, and outbound web or mail traffic.
  • Review egress visibility for common web and mail protocols because command-and-control may blend with normal traffic.
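The correlation rules in this list, written out as an added Python example (not Glexia or MITRE code) that runs over constructed Sysmon-style events: it flags startup-folder or Run-key persistence, persistence followed by web/mail egress from the same image, and clustered WMI profiling of disk, BIOS, baseboard and AV products. The event field names, the ports treated as C2 candidates and the 60-second clustering window are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry): a user-context binary drops a
# .lnk into the Startup folder, profiles the host and AV via WMI, then talks SMTP.
BAD = r"C:\Users\u\AppData\Roaming\upd.exe"
SAMPLE_EVENTS = [
    {"ts": 10, "type": "process_create", "image": BAD, "parent": r"C:\Windows\explorer.exe"},
    {"ts": 12, "type": "file_create", "image": BAD,
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"ts": 15, "type": "wmi_query", "image": BAD, "query": "SELECT * FROM Win32_DiskDrive"},
    {"ts": 16, "type": "wmi_query", "image": BAD, "query": "SELECT * FROM Win32_BIOS"},
    {"ts": 17, "type": "wmi_query", "image": BAD, "query": "SELECT displayName FROM AntiVirusProduct"},
    {"ts": 40, "type": "net_connect", "image": BAD, "dport": 25},
    # Benign noise: a single admin WMI query and normal browser HTTPS traffic.
    {"ts": 50, "type": "wmi_query", "image": r"C:\Windows\System32\wbem\WMIC.exe", "query": "SELECT * FROM Win32_BIOS"},
    {"ts": 55, "type": "net_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dport": 443},
]

# T1547.001 locations: Startup folder path or HKCU/HKLM ...\CurrentVersion\Run[Once] keys.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\|\\CurrentVersion\\Run(Once)?\\", re.I)
# WMI classes BadPatch is reported to query for VM checks and security-product enumeration.
PROFILING = ("win32_diskdrive", "win32_bios", "win32_baseboard", "antivirusproduct")
C2_PORTS = {25, 80, 443, 465, 587}  # assumed web/mail egress ports worth correlating

def findings(events, window=60):
    """Return sorted (image, finding) pairs describing BadPatch-like behaviour chains."""
    persisted, wmi, egress = {}, defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] in ("file_create", "registry_set") and STARTUP_RE.search(e.get("target", "")):
            persisted.setdefault(e["image"], e["ts"])  # keep the earliest persistence write
        elif e["type"] == "wmi_query":
            q = e["query"].lower()
            wmi[e["image"]].extend((e["ts"], cls) for cls in PROFILING if cls in q)
        elif e["type"] == "net_connect" and e["dport"] in C2_PORTS:
            egress[e["image"]].append(e["ts"])
    out = set()
    for image, ts in persisted.items():
        out.add((image, "T1547.001 startup-folder/Run-key persistence"))
        if any(t > ts for t in egress[image]):  # same binary later reaches out over web/mail ports
            out.add((image, "persistence followed by web/mail egress (T1071.001/T1071.003)"))
    for image, hits in wmi.items():
        classes = {cls for t, cls in hits if t - hits[0][0] <= window}
        if len(classes) >= 2:  # one class is routine admin; several in a burst is profiling
            out.add((image, "clustered WMI profiling (T1497.001/T1518.001): " + ", ".join(sorted(classes))))
    return sorted(out)
```

A single WMI query or ordinary browser traffic produces no finding, so the rules only fire on the chain, not on its individual parts.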

Mitigation priorities

  • Harden and monitor Windows persistence locations, especially Registry Run keys and startup folders.
  • Limit unnecessary outbound web and mail protocol paths from endpoints and ensure logging is retained for investigation.
  • Apply least-privilege practices so user-context persistence and collection have reduced reach.
  • Use application control or execution governance where feasible to reduce unauthorized tool transfer and execution.
  • Protect credentials through phishing-resistant authentication where possible and have reset procedures ready if keylogging is suspected.

Analyst notes and limits

The supplied ATT&CK object identifies BadPatch as a Windows Trojan used in a Gaza Hackers-linked campaign and provides behavioral relationships to multiple ATT&CK techniques. The highest-value defensive use is mapping those relationships into validation tests for endpoint, network, and identity evidence. The object does not provide aliases, labels, tactics, or official detection text, so local telemetry and environment baselines are required.

This take is limited to the supplied STIX fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, malware capabilities beyond the listed ATT&CK relationships, or guaranteed detection coverage. Some related technique platform lists are broader than the BadPatch malware platform; operational validation should focus on Windows for this object unless local intelligence supports more.

Official MITRE ATT&CK definition

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[1]

The same entry is available on attack.mitre.org (MITRE-hosted reference); the in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (Sub-technique)
BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[1]

Enterprise | T1071.003 | Mail Protocols (Sub-technique)
BadPatch uses SMTP for C2.[1]

Enterprise | T1074.001 | Local Data Staging (Sub-technique)
BadPatch stores collected data in log files before exfiltration.[1]

Enterprise | T1071.001 | Web Protocols (Sub-technique)
BadPatch uses HTTP for C2.[1]

Enterprise | T1082 | System Information Discovery
BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.[1]

Enterprise | T1113 | Screen Capture
BadPatch captures screenshots in .jpg format and then exfiltrates them.[1]

Enterprise | T1083 | File and Directory Discovery
BadPatch searches for files with specific file extensions.[1]

Enterprise | T1497.001 | System Checks (Sub-technique)
BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information.[1]

Enterprise | T1056.001 | Keylogging (Sub-technique)
BadPatch has a keylogging capability.[1]

Enterprise | T1105 | Ingress Tool Transfer
BadPatch can download and execute or update malware.[1]

Enterprise | T1518.001 | Security Software Discovery (Sub-technique)
BadPatch uses WMI to enumerate installed security products in the victim’s environment.[1]

Enterprise | T1005 | Data from Local System
BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: d68449152efa0d46...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | d68449152efa…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Unit 42 BadPatch Oct 2017: Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  2. [2] BadPatch (Citation: Unit 42 BadPatch Oct 2017)
  3. [3] mitre-attack S0337

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.