
S0360: BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

Domain: Enterprise | ID: S0360 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

BONDUPDATER is a Windows PowerShell backdoor associated by ATT&CK with OilRig. Its practical significance is that it relies on behaviors many environments allow every day: PowerShell, command shell activity, scheduled tasks, DNS-based command and control, domain generation, hidden windows, and tool transfer. That makes it a useful test case for whether defenses can distinguish legitimate administration from backdoor persistence and command-and-control activity.

Executive priority

Treat this as a coverage validation issue for Windows endpoint, DNS, and incident response readiness. Leaders should ask whether the organization can prove visibility into PowerShell execution, scheduled task creation, suspicious DNS patterns, and external file/tool transfer. Because the related OilRig profile includes government, financial, energy, chemical, telecommunications, and supply-chain targeting, organizations in or connected to those sectors may prioritize this behavior in threat-informed defense planning.

Technical view

SOC and detection teams should map controls to the related ATT&CK techniques: T1059.001 PowerShell, T1059.003 Windows Command Shell, T1053.005 Scheduled Task, T1071.004 DNS, T1568.002 Domain Generation Algorithms, T1105 Ingress Tool Transfer, and T1564.003 Hidden Window. Since ATT&CK provides no official detection text for BONDUPDATER, validation should focus on whether existing Windows endpoint telemetry and DNS/network telemetry can reconstruct execution, persistence, and command-and-control behavior without relying only on known indicators.

Likely telemetry

  • Windows process creation telemetry for powershell.exe, cmd.exe, and task scheduling utilities or task scheduler activity
  • PowerShell script block, module, transcription, or equivalent command-line logging where enabled
  • Windows scheduled task creation, modification, and execution events
  • Endpoint detection records showing parent-child process relationships and hidden or non-interactive execution patterns
  • DNS query logs, resolver telemetry, and security analytics for unusual or algorithmic-looking domain activity

Detection direction

  • Validate behavior-based detections for PowerShell and command shell use that consider parent process, user context, command-line content, frequency, and whether execution is interactive or automated.
  • Tune scheduled task detections to separate approved administrative automation from unusual persistence, especially tasks created by unexpected users, scripts, or command interpreters.
  • Assess DNS monitoring for high-volume, low-reputation, newly observed, or algorithmic-looking domains, while accounting for false positives from legitimate CDNs, security tools, and software update services.
  • Correlate endpoint execution with DNS and ingress tool transfer evidence; single signals may look administrative, but combined PowerShell, scheduled task, DNS, and download activity is higher value.
  • Review blind spots where PowerShell logging is disabled, command lines are truncated, DNS is not centrally logged, endpoints use direct external resolvers, or EDR coverage is inconsistent.
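As an added illustration of the correlation advice above (this is example code, not part of the Glexia analysis or the ATT&CK object), the following Python scorer runs over constructed Sysmon-style process and DNS events and flags the behaviours the relationship table lists: hidden-window PowerShell, a minute-interval scheduled task created by a script interpreter, and high-entropy subdomain churn with TXT queries. Hostnames, domains, command lines and the entropy/label thresholds are assumptions chosen for the demonstration.

```python
import math
from collections import Counter, defaultdict
# Constructed Sysmon-style events; hosts, domains and command lines are placeholders.
PROC_EVENTS = [
    {"host": "ws01", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -windowstyle hidden -c <omitted>"},
    {"host": "ws01", "image": "schtasks.exe", "parent": "powershell.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 1 /tn Update /tr <omitted>"},
]
DNS_EVENTS = [
    {"host": "ws01", "qtype": "TXT", "name": "a8f3kq29xz7b.example-c2.test"},
    {"host": "ws01", "qtype": "TXT", "name": "q2m7wz1p9dk4.example-c2.test"},
    {"host": "ws01", "qtype": "A", "name": "h5r1tn8c3vy6.example-c2.test"},
    {"host": "ws02", "qtype": "A", "name": "www.example.test"},
    {"host": "ws02", "qtype": "A", "name": "update.example.test"},
]
def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())
def process_flags(events):
    flags = defaultdict(set)
    for e in events:
        cl = e["cmdline"].lower()
        if e["image"] == "powershell.exe" and ("-windowstyle hidden" in cl or " -w hidden" in cl):
            flags[e["host"]].add("hidden_powershell")  # T1564.003
        if (e["image"] == "schtasks.exe" and "/create" in cl and "/sc minute" in cl
                and e["parent"] in ("powershell.exe", "cmd.exe")):
            flags[e["host"]].add("minute_task_from_interpreter")  # T1053.005
    return flags
def dns_flags(events, min_labels=3, min_entropy=3.0):
    groups = defaultdict(list)  # (host, last two labels) -> [(subdomain, qtype)]
    for e in events:
        labels = e["name"].lower().split(".")
        groups[(e["host"], ".".join(labels[-2:]))].append((labels[0], e["qtype"]))
    flags = defaultdict(set)
    for (host, _), queries in groups.items():
        subs = {label for label, _ in queries}
        if len(subs) >= min_labels and sum(map(entropy, subs)) / len(subs) >= min_entropy:
            flags[host].add("dga_like_dns")  # T1568.002: many high-entropy subdomains
            if any(qtype == "TXT" for _, qtype in queries):
                flags[host].add("txt_tunnel_dns")  # T1071.004: TXT-record C2 channel
    return flags
def rank_hosts(proc=PROC_EVENTS, dns=DNS_EVENTS):
    """Merge per-host flags; several weak signals together outrank any single one."""
    merged = defaultdict(set)
    for src in (process_flags(proc), dns_flags(dns)):
        for host, f in src.items():
            merged[host] |= f
    return sorted(((h, len(f), sorted(f)) for h, f in merged.items()), key=lambda r: -r[1])
```

The benign ws02 queries (two low-entropy labels under one domain) produce no flag, which is the false-positive behaviour the CDN and update-service caveat above asks for.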

Mitigation priorities

  • Prioritize visibility first: ensure Windows endpoint logging, PowerShell logging, scheduled task auditing, and DNS logging are enabled and retained for investigation.
  • Restrict and monitor administrative scripting where feasible, including least-privilege access, approved automation paths, and review of users or systems allowed to create scheduled tasks.
  • Apply network controls that force DNS through monitored resolvers and support investigation of suspicious domain patterns and external file transfers.
  • Use application control or execution policy approaches where appropriate to reduce unauthorized script and command interpreter abuse, while testing for operational impact.
  • Maintain incident response playbooks for suspected PowerShell backdoors that include endpoint triage, scheduled task review, DNS/C2 scoping, and transferred-tool containment.

Analyst notes and limits

ATT&CK identifies BONDUPDATER as a PowerShell backdoor used by OilRig and first observed in reporting from 2017, with an updated version reported in 2018. The strongest defensive value is not a malware-specific signature but a control assessment across the related behaviors: Windows scripting, task-based persistence, DNS/DGA command and control, hidden execution, and ingress tool transfer.

The supplied ATT&CK object does not provide official detection guidance, aliases, malware-specific tactics, or indicators. Several conclusions must therefore remain behavior-level and require local environment evidence, approved administration baselines, and telemetry quality checks before assessing exposure or detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe. [2]

Enterprise | T1564.003 | Hidden Window (sub-technique)
BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload. [1]

Enterprise | T1071.004 | DNS (sub-technique)
BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control. [2]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
BONDUPDATER persists using a scheduled task that executes every minute. [2]

Enterprise | T1568.002 | Domain Generation Algorithms (sub-technique)
BONDUPDATER uses a DGA to communicate with command and control servers. [1]

Enterprise | T1105 | Ingress Tool Transfer
BONDUPDATER can download or upload files from its C2 server. [2]

Enterprise | T1059.001 | PowerShell (sub-technique)
BONDUPDATER is written in PowerShell. [1][2]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: af756ca5d12225fe...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | af756ca5d122…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT34 Dec 2017: Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  2. [2] Palo Alto OilRig Sep 2018: Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  3. [3] mitre-attack S0360.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.