S0396: EvilBunny
Analyst context for executives and security teams
EvilBunny matters because it represents a Windows malware sample built as an execution platform for Lua scripts, not just a single-purpose payload. For leaders, the practical concern is whether Windows monitoring can connect script-driven execution, persistence, discovery, cleanup, and web-based command-and-control behaviors into one incident story rather than treating them as isolated alerts.
Executive priority
Prioritize validation of Windows endpoint, process, registry, scheduled task, WMI, and web traffic visibility. The ATT&CK relationships show behaviors relevant to resilience and incident readiness: execution through WMI, command shell, Lua, and native APIs; persistence through scheduled tasks and Run keys; discovery of processes, system time, and security software; file deletion; ingress tool transfer; and web-protocol command and control. Because MITRE provides no official detection text for this malware, assurance should come from control testing and evidence review, not assumptions about existing tool coverage.
Technical view
SOC and IR teams should validate coverage around the related techniques for Windows: WMI execution, scheduled task creation or modification, command-shell activity, Lua/script execution where present, native API-driven execution indicators, Registry Run key and Startup Folder changes, process and security software discovery, system and time checks, file deletion, inbound tool/file transfer, and outbound HTTP/S-like command-and-control patterns. Detection should focus on behavior correlation across host and network telemetry, especially when persistence, discovery, and cleanup occur near unusual script or command execution.
Likely telemetry
- Windows process creation and command-line telemetry
- WMI activity and related process lineage
- Scheduled Task creation, modification, and execution records
- Windows Registry monitoring for Run keys and Startup Folder persistence
- File creation, transfer, and deletion events
Detection direction
- Test whether alerts correlate WMI, cmd.exe, scheduled tasks, Registry persistence, and suspicious outbound web traffic on the same host or user context.
- Tune for administrative false positives: WMI, Task Scheduler, command shell, and Registry Run keys are legitimate Windows administration mechanisms.
- Review blind spots where Lua is embedded inside another program rather than executed by a standalone interpreter.
- Validate retention and searchability of host telemetry needed to investigate file deletion and tool transfer after the fact.
- Use the anti-analysis relationships as triage context: system checks, time-based checks, and security software discovery may indicate malware attempting to understand or evade its environment.
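The correlation test in the first bullet, as an added example that is not part of the original page or of MITRE's material: it walks constructed, Sysmon-like endpoint events, buckets each one into the EvilBunny-related behaviours listed above (WMI-spawned process, cmd.exe, schtasks.exe, Run-key write, outbound web traffic), and flags a host only when several distinct buckets land inside one time window. Host names, timestamps, image names and the registry value are all constructed.

```python
"""Correlate the EvilBunny-related behaviours (WMI, cmd.exe, scheduled tasks, Run-key
persistence, outbound web traffic) per host inside a time window. Constructed sample
events; added example, not code from the page or from MITRE."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified endpoint events (Sysmon-like fields), not real telemetry.
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "kind": "process", "parent": "WmiPrvSE.exe", "image": "powershell.exe"},
    {"ts": "2024-05-01T09:00:40", "host": "WS01", "kind": "process", "parent": "svchost.exe", "image": "cmd.exe"},
    {"ts": "2024-05-01T09:01:10", "host": "WS01", "kind": "process", "parent": "cmd.exe", "image": "schtasks.exe"},
    {"ts": "2024-05-01T09:01:30", "host": "WS01", "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": "2024-05-01T09:02:00", "host": "WS01", "kind": "network", "image": "updater.exe", "dport": 80},
    {"ts": "2024-05-01T11:00:00", "host": "WS02", "kind": "process", "parent": "explorer.exe", "image": "cmd.exe"},
    {"ts": "2024-05-01T11:00:30", "host": "WS02", "kind": "network", "image": "chrome.exe", "dport": 443},
]

def classify(ev):
    """Map one event to one of the behaviour buckets from this page, or None."""
    if ev["kind"] == "process":
        if ev["parent"].lower() == "wmiprvse.exe":
            return "wmi"      # T1047: child spawned by the WMI provider host
        if ev["image"].lower() == "cmd.exe":
            return "cmd"      # T1059.003
        if ev["image"].lower() == "schtasks.exe":
            return "schtask"  # T1053.005
    elif ev["kind"] == "registry" and "\\currentversion\\run" in ev["key"].lower():
        return "runkey"       # T1547.001
    elif ev["kind"] == "network" and ev["dport"] in (80, 443, 8080):
        return "web"          # T1071.001; browsers make this the noisiest bucket
    return None

def correlate(events, window=timedelta(minutes=10), min_buckets=3):
    """Hosts where >= min_buckets distinct behaviours occur within `window` of an
    anchor event. The threshold is the tuning knob against admin false positives."""
    per_host = defaultdict(list)
    for ev in events:
        bucket = classify(ev)
        if bucket:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), bucket))
    hits = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {b for t, b in items[i:] if t - t0 <= window}
            if len(seen) >= min_buckets:
                hits[host] = sorted(seen)
                break
    return hits
```

Lua embedded in the sample's own binary leaves no interpreter process to classify, which is why the buckets anchor on the surrounding WMI, task, registry and network events rather than on a script-host image name. WS02 (cmd.exe plus a browser connection) stays below the threshold, illustrating the administrative false-positive tuning from the second bullet.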
Mitigation priorities
- Maintain strong Windows endpoint monitoring for process, WMI, scheduled task, registry, and file activity.
- Restrict and monitor administrative use of WMI, command shell, scheduled tasks, and startup persistence locations according to least privilege.
- Harden client applications and prioritize vulnerability management for client-side code execution exposure, consistent with the related exploitation technique.
- Control and inspect outbound web traffic where feasible, with logging sufficient for incident reconstruction.
- Ensure incident response playbooks include collection of volatile process context, persistence artifacts, deleted-file evidence, and network history.
Analyst notes and limits
The supplied ATT&CK object identifies EvilBunny as a C++ Windows malware sample observed since 2011 and designed as an execution platform for Lua scripts. The most useful defensive value comes from the linked behaviors rather than from a provided malware-specific detection. Treat this as a coverage-mapping object for Windows execution, persistence, discovery, stealth, and command-and-control behaviors.
MITRE provides no official detection guidance, no aliases, no specified tactics on the malware object itself, and only one cited external report in the supplied fields. This analysis does not establish current activity, attribution, prevalence, customer exposure, or guaranteed detection. Local environment evidence is required to determine whether Lua, WMI, scheduled tasks, registry persistence, and web C2-like activity are visible and appropriately controlled.
EvilBunny
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1105 | Ingress Tool Transfer | EvilBunny has downloaded additional Lua scripts from the C2. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | EvilBunny has created Registry keys for persistence in |
| Enterprise | T1059.011 | Lua Sub-technique | EvilBunny has used Lua scripts to execute payloads. (Citation: Cyphort EvilBunny) |
| Enterprise | T1124 | System Time Discovery | EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | EvilBunny has executed C2 commands directly via HTTP. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1047 | Windows Management Instrumentation | EvilBunny has used WMI to gather information about the system. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1497.001 | System Checks Sub-technique | EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1203 | Exploitation for Client Execution | EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | EvilBunny has an integrated scripting engine to download and execute Lua scripts. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | EvilBunny has executed commands via scheduled tasks. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1070.004 | File Deletion Sub-technique | EvilBunny has deleted the initial dropper after running through the environment checks. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1057 | Process Discovery | EvilBunny has used EnumProcesses() to identify how many processes are running in the environment. (Citation: Cyphort EvilBunny Dec 2014) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | EvilBunny has been observed querying installed antivirus software. (Citation: Cyphort EvilBunny Dec 2014) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 52abd8b6f122… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cyphort EvilBunny Dec 2014: Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
[2] EvilBunny (Citation: Cyphort EvilBunny Dec 2014)
[3] mitre-attack S0396
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.