S0464: SYSCON
Analyst context for executives and security teams
SYSCON is a Windows backdoor documented by ATT&CK and associated in the source reporting with campaigns using North Korean themes. Its practical significance is not the malware name alone, but the combination of user-driven execution, host discovery, command shell use, and file-transfer-based command-and-control relationships. For security leaders, this points to a common business problem: a phishing-delivered file can become an interactive foothold if endpoint, network, and response telemetry are not connected.
Executive priority
Prioritize validation of controls around malicious file execution, Windows command-shell monitoring, endpoint discovery activity, and file-transfer protocol visibility. This object is relevant to incident readiness because the supplied relationships show behaviors that help an intruder understand a host and communicate externally. Leaders should ask whether SOC and IR teams can reconstruct: who opened the file, what process launched, what system/process discovery occurred, and whether outbound file-transfer-like traffic followed.
Technical view
ATT&CK lists SYSCON as Windows malware with no official detection text provided. Relationship context links it to Malicious File, Windows Command Shell, Process Discovery, System Information Discovery, and File Transfer Protocols. SOC teams should therefore validate coverage across the infection chain rather than relying on a SYSCON-specific signature: suspicious document or file execution, child process creation involving cmd.exe, discovery commands or API-driven process/system enumeration, and outbound protocol activity consistent with file transfer command-and-control. Operation Honeybee is listed as a campaign using this object, but local detection should be behavior-led and environment-specific.
Likely telemetry
- Endpoint process creation and parent-child process relationships on Windows
- File execution events, especially user-opened files and spawned child processes
- Command-line logging for Windows command shell activity
- Endpoint discovery indicators such as process listing and system information queries
- Network connection logs and proxy/firewall metadata for file-transfer protocols
Detection direction
- Build or validate detections that correlate user-opened files with unusual child processes, especially Windows command shell execution.
- Tune for discovery behavior after initial execution, including process discovery and system information discovery occurring in close sequence.
- Review visibility for file-transfer protocols used outbound from workstations, including whether allowed business use creates false positives that require baselining.
- Because ATT&CK provides no official detection text for SYSCON, avoid assuming malware-family coverage; test behavioral analytics and incident reconstruction capability.
- Use the campaign and dropper relationships as context for threat hunting, but do not treat them as proof of current activity in the environment without local evidence.
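The behavior chain the Technical view and the detection direction above describe (user-opened document, cmd.exe child, host discovery, outbound file-transfer traffic) can be scored in a single correlation pass. The code below is an added example, not from this page or from MITRE; the event records, field names and process names are constructed and loosely modeled on endpoint process/network telemetry.

```python
"""Correlate a document-spawned cmd.exe with its discovery children and outbound
FTP-port connections, returning the ATT&CK techniques seen in each chain.
All events here are constructed sample data; the field names are assumptions."""
from collections import defaultdict

# Constructed telemetry: process-creation ("proc") and network ("net") events.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": "explorer.exe", "user": "alice"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": "winword.exe", "user": "alice"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": "cmd.exe", "user": "alice"},
    {"type": "proc", "pid": 301, "ppid": 300, "image": "systeminfo.exe", "user": "alice"},
    {"type": "proc", "pid": 302, "ppid": 300, "image": "tasklist.exe", "user": "alice"},
    {"type": "net", "pid": 302, "dest_ip": "203.0.113.10", "dest_port": 21},
    # Benign admin use: cmd.exe launched from the desktop, no document parent.
    {"type": "proc", "pid": 400, "ppid": 100, "image": "cmd.exe", "user": "bob"},
    {"type": "proc", "pid": 401, "ppid": 400, "image": "tasklist.exe", "user": "bob"},
]

DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
DISCOVERY_IMAGES = {"systeminfo.exe": "T1082", "tasklist.exe": "T1057"}
FTP_PORTS = {21}  # assumption: plain FTP control channel only


def score_chains(events):
    """Map each cmd.exe pid spawned by a document handler to the sorted
    list of ATT&CK technique IDs observed in its chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    children, net_by_pid = defaultdict(list), defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    for e in events:
        if e["type"] == "net":
            net_by_pid[e["pid"]].append(e)

    findings = {}
    for shell in procs.values():
        parent = procs.get(shell["ppid"])
        if shell["image"].lower() != "cmd.exe" or parent is None:
            continue
        if parent["image"].lower() not in DOCUMENT_HANDLERS:
            continue  # shell without a document parent: outside this chain
        techniques = {"T1204.002", "T1059.003"}  # malicious file + cmd shell
        # Look at the shell itself and its direct children for discovery and egress.
        for proc in [shell] + children[shell["pid"]]:
            techniques.update(
                t for img, t in DISCOVERY_IMAGES.items() if proc["image"].lower() == img)
            if any(n["dest_port"] in FTP_PORTS for n in net_by_pid[proc["pid"]]):
                techniques.add("T1071.002")
        findings[shell["pid"]] = sorted(techniques)
    return findings
```

A chain that accumulates all five techniques is the full SYSCON-style pattern; shorter chains are hunting leads to baseline against legitimate document-to-shell workflows.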
Mitigation priorities
- Reduce malicious-file execution risk through user-facing controls, attachment handling, and endpoint prevention appropriate to Windows endpoints.
- Restrict and monitor unnecessary command shell usage where business operations allow, with emphasis on high-risk user workstations.
- Harden egress controls and logging for file-transfer protocols so unusual outbound communications can be reviewed quickly.
- Ensure endpoint logging, network telemetry, and IR playbooks can connect the initial file, process activity, discovery behavior, and outbound communication into one timeline.
- Use tabletop or detection validation exercises to confirm that SOC escalation paths work when a phishing-style execution leads to backdoor-like behavior.
Analyst notes and limits
The most useful defensive framing is behavior-chain validation: malicious file execution leading to command execution, discovery, and external communications. The supplied ATT&CK object names CARROTBALL and CARROTBAT as delivery mechanisms and lists Operation Honeybee as a campaign relationship, which can guide intelligence enrichment but should not replace local telemetry analysis.
ATT&CK does not provide official detection guidance, aliases, labels, or tactics directly on the SYSCON object. The object platform is Windows; related technique descriptions include broader platforms that should not be interpreted as SYSCON platform support. No active exploitation, customer exposure, or guaranteed detection coverage can be concluded from the supplied fields alone.
SYSCON
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | SYSCON has the ability to use Systeminfo to identify system information.[2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1204.002 | Malicious File Sub-technique | SYSCON has been executed by luring victims to open malicious e-mail attachments.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | SYSCON has the ability to use FTP in C2 communications.[1][2] |
Groups, software, and campaigns
C0006: Operation Honeybee
Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 42e87ca6b518… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit 42 CARROTBAT November 2018: Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
[2] Unit 42 CARROTBAT January 2020: McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
[3] mitre-attack S0464
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.