MITRE ATT&CK® Tool

S0465: CARROTBALL

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[1]

Domain: Enterprise | ID: S0465 | Type: Tool | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

CARROTBALL matters because it is described as a Windows FTP downloader used to install another tool, SYSCON. For leaders, the practical issue is not the downloader name alone; it is whether the organization can see and control user-triggered malicious files, outbound FTP-style file transfer activity, obfuscated payloads, and tool downloads that may precede deeper compromise.

Executive priority

Treat this as a validation point for egress control, endpoint visibility, phishing-driven execution readiness, and incident response triage. Ask whether FTP and related file transfer protocols are allowed, logged, and reviewed; whether SOC teams can connect a suspicious user-opened file to subsequent outbound transfer activity; and whether audit evidence exists for controls that restrict unauthorized tool download and execution on Windows systems.

Technical view

CARROTBALL is a Windows software object with ATT&CK relationships to Obfuscated Files or Information, File Transfer Protocols, Ingress Tool Transfer, and Malicious File. Because MITRE provides no dedicated detection text, defenders should validate coverage across the behavior chain: a user opening a suspicious file, creation or execution of an unusual downloader, outbound FTP or file-transfer-protocol communication, transfer of additional tooling, and obfuscated or encoded payload artifacts. IR teams should preserve endpoint process, file, and network evidence so they can determine whether CARROTBALL-like downloader activity installed follow-on software such as SYSCON, as described in the official ATT&CK description.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • File creation, modification, and download artifacts on Windows hosts
  • Endpoint security alerts for suspicious or obfuscated executables/files
  • Network connection logs for outbound FTP, FTPS, TFTP, SMB, or other file transfer protocol activity where collected
  • Firewall, proxy, DNS, and egress filtering logs showing external transfer destinations

Detection direction

  • Validate whether outbound FTP/file transfer protocol activity from user workstations is logged and baselined; many environments allow benign file transfer traffic that can create false positives.
  • Correlate suspicious file execution with subsequent external file transfer sessions and new executable/file creation on the same Windows host.
  • Look for obfuscated, encoded, compressed, archived, or otherwise difficult-to-analyze payloads in the same timeframe as downloader behavior.
  • Tune detections around unusual parent-child process relationships, uncommon destinations, and unexpected file transfer clients rather than relying only on a CARROTBALL-specific signature.
  • Use the relationship to Malicious File to include phishing and user-execution context in hunts, while avoiding assumptions that every case begins with email unless local evidence supports it.
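As an added example (not code from the page, MITRE or Glexia), the Python below implements the correlation the second bullet above describes: on one Windows host, an Office-spawned process, followed within an assumed ten-minute window by an outbound connection on an assumed set of file-transfer ports, followed by a new file written after that connection. The telemetry lines, hostnames, addresses and paths are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real CARROTBALL data): "timestamp|host|event|k=v ..."
# lines as an endpoint agent and firewall might export them for one morning.
SAMPLE_EVENTS = """\
2024-05-01T09:00:05|WS-17|process|parent=WINWORD.EXE child=cmd.exe user=alice
2024-05-01T09:00:09|WS-17|file_create|path=C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe
2024-05-01T09:00:12|WS-17|netconn|dst=203.0.113.45 dport=21 proto=tcp
2024-05-01T09:00:40|WS-17|file_create|path=C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll
2024-05-01T09:10:00|WS-22|netconn|dst=198.51.100.7 dport=21 proto=tcp
2024-05-01T11:30:00|WS-17|process|parent=explorer.exe child=notepad.exe user=alice
"""

# Assumed lists: Office parents as the user-execution (T1204.002) trigger, and
# ports for FTP, TFTP, SMB and FTPS as the file-transfer (T1071.002) leg.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
FILE_TRANSFER_PORTS = {21, 69, 445, 990}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events


def find_downloader_chains(events):
    """Report hosts where an Office-spawned process is followed, within WINDOW, by an
    outbound file-transfer connection and then a new file (the fetched payload)."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["kind"] != "process" or ev.get("parent", "").upper() not in OFFICE_PARENTS:
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - ev["ts"] <= WINDOW]
            xfer = [e for e in later if e["kind"] == "netconn" and int(e["dport"]) in FILE_TRANSFER_PORTS]
            if not xfer:
                continue  # user execution without a transfer leg: not this chain
            files = [e["path"] for e in later if e["kind"] == "file_create" and e["ts"] > xfer[0]["ts"]]
            if files:
                hits.append({"host": host, "trigger": ev["ts"], "dst": xfer[0]["dst"], "files": files})
    return hits
```

WS-22's lone FTP connection and the later explorer.exe child on WS-17 do not match, which is the point of requiring all three legs on the same host rather than alerting on FTP alone.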

Mitigation priorities

  • Restrict and monitor outbound file transfer protocols from endpoints, especially where business justification is weak.
  • Harden Windows endpoint execution controls to reduce unauthorized downloader and follow-on tool execution.
  • Maintain phishing-resistant user and mail/web controls where malicious file delivery is a plausible path, and ensure SOC teams can connect delivery evidence to endpoint execution.
  • Prioritize endpoint logging and retention sufficient to reconstruct file execution, download, and network activity during incident response.
  • Review egress filtering, proxy/firewall policy, and exception management as compliance evidence for control over unauthorized tool transfer.

Analyst notes and limits

The strongest decision value is in validating the organization’s ability to detect and investigate a Windows downloader using file transfer protocols and obfuscated payloads, not in treating the CARROTBALL name as a complete detection strategy. The Unit 42 reference and ATT&CK description indicate use as a downloader for SYSCON; relationships provide the defensive context for execution, command-and-control/file transfer, ingress tool transfer, and evasion behaviors.

ATT&CK lists no tactics directly on the CARROTBALL object and provides no official detection text. The supplied relationship descriptions include platforms beyond Windows, but the CARROTBALL object itself is supplied as Windows; coverage statements should therefore be validated against local Windows telemetry and network controls. No active exploitation, attribution, business impact, or guaranteed detection can be concluded from the supplied fields alone.

Official MITRE ATT&CK definition

CARROTBALL

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1071.002 | File Transfer Protocols (sub-technique)
CARROTBALL has the ability to use FTP in C2 communications. [Unit 42 CARROTBAT January 2020]

Enterprise | T1105 | Ingress Tool Transfer
CARROTBALL has the ability to download and install a remote payload. [Unit 42 CARROTBAT January 2020]

Enterprise | T1204.002 | Malicious File (sub-technique)
CARROTBALL has been executed through users being lured into opening malicious e-mail attachments. [Unit 42 CARROTBAT January 2020]

Enterprise | T1027 | Obfuscated Files or Information
CARROTBALL has used a custom base64 alphabet to decode files. [Unit 42 CARROTBAT January 2020]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3b5016b8a8e46fab...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3b5016b8a8e4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Unit 42 CARROTBAT January 2020
     McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  2. [2] mitre-attack S0465

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.