S0469: ABK
ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
Analyst context for executives and security teams
ABK matters because it is a Windows downloader associated in ATT&CK with BRONZE BUTLER activity. A downloader is often an early foothold component: its business significance is not the file alone, but whether it can retrieve additional tooling, blend into web traffic, inspect defenses, and execute commands before responders understand scope.
Executive priority
Treat ABK as a validation point for endpoint and network readiness against staged intrusions. Leaders should ask whether Windows endpoint telemetry, web egress monitoring, and incident response playbooks can connect downloader activity to follow-on tool transfer, command shell execution, process injection, and security tool discovery. For organizations resembling the sectors named in the related BRONZE BUTLER description, this also supports threat-informed prioritization, but local exposure and targeting must be confirmed with internal intelligence.
Technical view
ATT&CK provides no official detection text for ABK, so coverage should be built from the related behaviors: Windows command shell execution, process injection, web-protocol command and control, ingress tool transfer, deobfuscation/decoding, steganography, and security software discovery. SOC teams should validate whether alerts correlate suspicious downloader-like network activity with new file writes, child process creation, command shell use, code-injection indicators, and enumeration of security tools on Windows hosts.
Likely telemetry
- Windows endpoint process creation and parent-child process telemetry
- Command-line logging for cmd.exe and related shell activity
- Endpoint file creation/modification events for downloaded or decoded payloads
- EDR telemetry for process injection or unusual cross-process memory activity
- Network proxy, DNS, firewall, and web egress logs for HTTP/S-like outbound traffic
Detection direction
- Because ATT&CK does not provide ABK-specific detection guidance, prioritize behavior-based detections mapped to the related techniques rather than relying only on names or hashes.
- Tune for sequences: external web communication followed by file transfer, decoding/deobfuscation, command shell execution, or process injection on a Windows endpoint.
- Review false positives from legitimate software updaters, administrative scripts, and security tools that download files, invoke cmd.exe, or inspect installed defenses.
- Validate visibility into web traffic metadata; encrypted or common web protocols can reduce inspection value if proxy, DNS, and endpoint telemetry are not correlated.
- Use the BRONZE BUTLER relationship as threat-intelligence context, not proof of attribution in an incident without corroborating evidence.
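The sequence tuning described in the list above, as an added example that is not part of the mirrored ATT&CK content or any vendor tooling: a small Python correlator over constructed endpoint and proxy events that flags a host only when external web egress is followed, within a window, by a new file write and then a cmd.exe launch or a cross-process injection, so that an updater that merely fetches and writes a file does not alert. The event field names, the 600-second window and the sample hosts and addresses are assumptions.

```python
import ipaddress
from collections import defaultdict
WINDOW = 600  # correlation window in seconds; a tuning assumption, not from ATT&CK
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (not real ABK artifacts); fields mimic proxy/EDR events.
SAMPLE_EVENTS = [
    # ws01: updater-like pattern, web fetch plus file write but no shell or injection
    {"host": "ws01", "ts": 100, "type": "net", "proto": "https", "dst": "203.0.113.10"},
    {"host": "ws01", "ts": 105, "type": "file", "path": "C:\\Temp\\upd.tmp"},
    # ws02: HTTP egress, new file, cmd.exe spawned, then injection into svchost.exe
    {"host": "ws02", "ts": 200, "type": "net", "proto": "http", "dst": "198.51.100.7"},
    {"host": "ws02", "ts": 230, "type": "file", "path": "C:\\Users\\b\\AppData\\Roaming\\pic.jpg"},
    {"host": "ws02", "ts": 260, "type": "proc", "image": "cmd.exe", "parent": "pic.exe"},
    {"host": "ws02", "ts": 300, "type": "inject", "source": "pic.exe", "target": "svchost.exe"},
]

def _stage(ev):
    """Map one raw event onto a stage of the downloader chain, or None."""
    if ev["type"] == "net" and ev.get("proto") in ("http", "https"):
        if not any(ipaddress.ip_address(ev["dst"]) in n for n in INTERNAL):
            return "web"      # T1071.001: web-protocol egress to an external host
    elif ev["type"] == "file":
        return "file"         # candidate T1105 payload write
    elif ev["type"] == "proc" and ev.get("image", "").lower() == "cmd.exe":
        return "shell"        # T1059.003: Windows command shell
    elif ev["type"] == "inject":
        return "inject"       # T1055: cross-process injection reported by EDR

def correlate(events, window=WINDOW):
    """Return {host: stages} where web egress is followed within `window` seconds
    by a file write and then a shell launch and/or injection on the same host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = _stage(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, staged in by_host.items():
        for i, (t0, s0) in enumerate(staged):
            if s0 != "web":
                continue
            later = [s for ts, s in staged[i + 1:] if ts - t0 <= window]
            if "file" in later:                      # T1105 stage must precede execution
                after_file = later[later.index("file"):]
                hits = [s for s in ("shell", "inject") if s in after_file]
                if hits:
                    alerts[host] = ["web", "file"] + hits
                    break
    return alerts
```

Internal-only web traffic and shell activity with no preceding egress never produce a stage chain, which is the false-positive control the list calls for; the window and the stage set are the knobs to tune against your own updater and admin-script baseline.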
Mitigation priorities
- Harden Windows endpoints with least privilege, application control where feasible, and controls that restrict unnecessary command shell execution.
- Limit and monitor outbound web access from endpoints and servers; require proxying and logging where operationally practical.
- Ensure EDR or equivalent endpoint controls can detect suspicious process injection, downloaded payload execution, and security software discovery behaviors.
- Maintain incident response procedures for staged malware: preserve endpoint artifacts, collect network indicators, identify downloaded follow-on tools, and scope related hosts.
- Use threat-informed testing to confirm telemetry and alerting for the mapped ATT&CK techniques rather than assuming ABK-specific coverage.
Analyst notes and limits
The supplied ATT&CK object identifies ABK as a Windows downloader used by BRONZE BUTLER since at least 2019 and links it to several techniques that shape defensive validation. The object lists no official tactics and carries no official detection text, so the practical guidance above is driven by the malware type, the Windows platform, the external reference, and the technique relationships.
This summary does not establish current activity, customer exposure, attribution in any specific incident, or guaranteed detection. Local environment evidence, malware samples, network indicators, and endpoint telemetry are required to determine relevance and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | ABK has the ability to identify the installed anti-virus product on the compromised host.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ABK has the ability to decrypt AES encrypted payloads.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | ABK has the ability to use HTTP in communications with C2.[1] |
| Enterprise | T1055 | Process Injection | ABK has the ability to inject shellcode into svchost.exe.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | ABK has the ability to download files from C2.[1] |
| Enterprise | T1027.003 | Steganography (sub-technique) | ABK can extract a malicious Portable Executable (PE) from a photo.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | No relationship text mirrored for this object. |
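A triage check for the T1027.003 row above, added here and not taken from ATT&CK or the Trend Micro report: it looks for a PE image carried inside a JPEG or PNG by validating the DOS "MZ" header and the "PE\0\0" signature its e_lfanew field points to, rather than matching "MZ" alone. The image blobs and the minimal PE-shaped bytes are constructed, not real samples.

```python
import struct

def find_embedded_pe(data: bytes, start: int = 0):
    """Return the offset of the first plausible PE image in `data` at or after
    `start`, or None. A hit needs 'MZ', a sane e_lfanew at +0x3C and the
    'PE\\0\\0' signature at that offset, so stray 'MZ' bytes in pixel data are skipped."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None

def scan_image(data: bytes) -> str:
    """Classify a blob as 'not-image', 'clean', or 'embedded-pe@<offset>'."""
    if data.startswith(b"\xff\xd8\xff"):          # JPEG start-of-image marker
        header_len = 3
    elif data.startswith(b"\x89PNG\r\n\x1a\n"):   # PNG signature
        header_len = 8
    else:
        return "not-image"
    off = find_embedded_pe(data, header_len)
    return "clean" if off is None else f"embedded-pe@{off}"

def _fake_pe() -> bytes:
    """Constructed PE-shaped bytes (not an executable): an MZ stub whose
    e_lfanew = 0x40 points at a 'PE\\0\\0' signature followed by padding."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

# Constructed samples: a JPEG-like blob, and the same blob with a PE appended after
# the end-of-image marker, which is the simplest way a photo can carry an executable.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
STEGO_JPEG = CLEAN_JPEG + _fake_pe()
```

This only finds a PE stored in the clear inside the image; a payload that is AES-encrypted or otherwise encoded (the T1140 row) becomes visible only after the malware's own decoding step, which is why file-based checks like this should be paired with EDR injection and process telemetry.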
Groups, software, and campaigns
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the "ATT&CK resources — Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | eb6e15e05b8b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro Tick November 2019: Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- [2] mitre-attack S0469: the MITRE ATT&CK source record for this software object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.