S0470: BBK
BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
Analyst context for executives and security teams
BBK matters because ATT&CK describes it as a Windows downloader used by BRONZE BUTLER since at least 2019. A downloader is often the point where an intrusion becomes operationally serious: it can bring additional tools into the environment, communicate over web protocols, and use stealth techniques such as process injection, steganography, and deobfuscation. For leaders, the decision value is not “do we know BBK by name,” but whether Windows endpoint, network, and incident response controls can catch or contain downloader behavior before follow-on tooling expands the incident.
Executive priority
Prioritize this as a coverage-validation item for Windows environments, especially where espionage risk, sensitive intellectual property, government, biotechnology, electronics manufacturing, or industrial chemistry exposure is relevant based on the BRONZE BUTLER context supplied by ATT&CK. Executives should ask whether the organization can prove collection and review of endpoint execution, suspicious downloads, web-based command-and-control-like traffic, and post-compromise tool transfer activity. The absence of official ATT&CK detection guidance means local evidence, not checklist confidence, should drive assurance.
Technical view
ATT&CK provides no BBK-specific detection text, but the relationships give practical validation points. SOC and detection teams should test visibility for Windows command shell execution, native API and process-injection-related behavior, deobfuscation or decoding activity, ingress tool transfer, and web-protocol communications. Because BBK is identified as a downloader, IR teams should treat a suspected finding as a staging event and scope for additional payloads, downloaded files, network destinations, and injected or disguised execution contexts.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe usage and suspicious parent-child relationships
- EDR or host telemetry for process injection indicators, cross-process memory access, and unusual execution inside another process
- File creation, modification, and download evidence for newly introduced tools or payloads
- Proxy, firewall, and network metadata for HTTP/S or other web-protocol communications from Windows hosts
- DNS and destination reputation/context data associated with outbound web communications
Detection direction
- Validate that Windows endpoint telemetry is complete enough to connect command shell execution, file writes, network connections, and child processes on the same host.
- Tune for downloader patterns: new or unusual executable content arriving from external infrastructure followed by execution, command shell activity, or additional outbound web traffic.
- Use process-injection detections cautiously: focus on unusual source/target process combinations, memory permissions, and execution context rather than a single noisy signal.
- Review web-protocol traffic for abnormal destinations, uncommon user agents or request patterns, and hosts that do not normally initiate direct outbound connections; avoid assuming HTTP/S alone is suspicious.
- Account for blind spots around steganography and deobfuscation: controls that only inspect filenames or known hashes may miss embedded or decoded content.
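The first two detection bullets describe one test: can the telemetry tie an executable being written to disk, that file starting as a process, and the new process reaching out over a web port, all on one host and in a short window. The following is an added example written for this page (not BBK code and not an ATT&CK-supplied detection) that runs that correlation over constructed, Sysmon-shaped records. Field names, PIDs, paths, the 300-second window, and the 203.0.113.10 destination (an RFC 5737 documentation address standing in for an external host) are all assumptions of the example.

```python
"""Added example: chain a downloader pattern across endpoint events on one host.

Illustrative code written for this page, not BBK's code and not an ATT&CK
detection. Event shapes loosely follow Sysmon file-create, process-create and
network-connect events, but every field and record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample telemetry for a single host, already normalized.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "WS01", "type": "file_create",
     "pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"time": "2024-05-01T10:00:07", "host": "WS01", "type": "process_create",
     "pid": 5300, "ppid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"time": "2024-05-01T10:00:12", "host": "WS01", "type": "network_connect",
     "pid": 5300, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dst_ip": "203.0.113.10", "dst_port": 80},
    # Benign look-alike: an installer is written and run but only talks to an
    # internal address, so it must not produce a chain.
    {"time": "2024-05-01T11:00:00", "host": "WS01", "type": "file_create",
     "pid": 7001, "image": r"C:\Program Files\Vendor\agent.exe",
     "target": r"C:\Users\alice\Downloads\setup.exe"},
    {"time": "2024-05-01T11:00:05", "host": "WS01", "type": "process_create",
     "pid": 7100, "ppid": 7001, "image": r"C:\Users\alice\Downloads\setup.exe",
     "cmdline": r"C:\Users\alice\Downloads\setup.exe /quiet"},
    {"time": "2024-05-01T11:00:09", "host": "WS01", "type": "network_connect",
     "pid": 7100, "image": r"C:\Users\alice\Downloads\setup.exe",
     "dst_ip": "10.20.30.40", "dst_port": 443},
]

WEB_PORTS = {80, 443, 8080, 8443}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")
# RFC 1918 plus loopback and link-local; extend with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def _ts(s):
    return datetime.fromisoformat(s)


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_downloader_chains(events, window_seconds=300):
    """Return chains of file_create -> process_create -> external web connect.

    A chain requires, on one host and within `window_seconds` of the write:
      1. an executable written to disk,
      2. a process started from exactly that path,
      3. that process (matched by PID) connecting to a non-internal address
         on a web port.
    Each stage alone is routine; the ordered combination is the signal.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    chains = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        writes = [e for e in evs if e["type"] == "file_create"
                  and e["target"].lower().endswith(EXECUTABLE_SUFFIXES)]
        for w in writes:
            t0 = _ts(w["time"])
            deadline = t0 + timedelta(seconds=window_seconds)
            starts = [e for e in evs if e["type"] == "process_create"
                      and e["image"].lower() == w["target"].lower()
                      and t0 <= _ts(e["time"]) <= deadline]
            for s in starts:
                conns = [e for e in evs if e["type"] == "network_connect"
                         and e["pid"] == s["pid"]
                         and e["dst_port"] in WEB_PORTS
                         and _is_external(e["dst_ip"])
                         and _ts(s["time"]) <= _ts(e["time"]) <= deadline]
                if conns:
                    chains.append({
                        "host": host,
                        "dropped_by": w["image"],
                        "payload": w["target"],
                        "pid": s["pid"],
                        "destinations": sorted({f'{c["dst_ip"]}:{c["dst_port"]}'
                                                for c in conns}),
                    })
    return chains


if __name__ == "__main__":
    for chain in find_downloader_chains(SAMPLE_EVENTS):
        print(chain)
```

The matching is deliberately strict (exact path, same PID, ordered timestamps) so that the HTTP connection alone never fires; if the endpoint source cannot supply the file-write or PID fields needed for steps 1 and 3, that is the telemetry gap the first bullet asks you to find.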
Mitigation priorities
- Ensure Windows endpoint protection and EDR controls are deployed, healthy, and collecting process, file, memory, and network context needed to investigate downloader behavior.
- Restrict unnecessary command shell use and monitor administrative scripting paths without disrupting legitimate operations.
- Apply egress control and proxy logging so web-protocol communications from endpoints can be reviewed and constrained where business-appropriate.
- Use application control or allowlisting for high-risk systems where feasible to reduce execution of unapproved downloaded tools.
- Harden least-privilege and administrative access so injected or downloaded code has less ability to expand impact.
Analyst notes and limits
The strongest source-backed facts are that BBK is a Windows downloader, ATT&CK associates it with use by BRONZE BUTLER since at least 2019, and ATT&CK relationships map it to steganography, process injection, Windows command shell, web protocols, ingress tool transfer, native API, and deobfuscation/decode behavior. Defensive value comes from validating these behavior-level controls rather than relying on a malware-family name alone.
ATT&CK does not provide official detection guidance, aliases, labels, or object-level tactics for BBK in the supplied fields. The related technique descriptions are broader than BBK-specific procedure detail, so detection and mitigation recommendations must be confirmed against local Windows telemetry, network architecture, and incident evidence. No claim is made here about current activity, customer exposure, or guaranteed detection.
BBK
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | BBK has the ability to inject shellcode into svchost.exe.[1] |
| Enterprise | T1027.003 | Steganography | BBK can extract a malicious Portable Executable (PE) from a photo.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BBK has the ability to download files from C2 to the infected host.[1] |
| Enterprise | T1071.001 | Web Protocols | BBK has the ability to use HTTP in communications with C2.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BBK has the ability to decrypt AES encrypted payloads.[1] |
| Enterprise | T1059.003 | Windows Command Shell | |
| Enterprise | T1106 | Native API | |
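The T1027.003 row says BBK pulls a PE out of a photo, which is why the analyst notes warn that filename and hash checks miss embedded content. The following is an added triage helper written for this page (not BBK's extraction routine and not derived from any real sample) that scans a file for an embedded PE by structure rather than by name: an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature. The image bytes and the PE stub it builds are constructed; the `0x1000` cap on `e_lfanew` is an assumed sanity bound.

```python
"""Added example: locate a Portable Executable embedded in an image file.

Written for this page to illustrate the T1027.003 relationship. It is not
BBK's code and the sample bytes are constructed. The check is structural:
an "MZ" DOS header whose e_lfanew (uint32 LE at +0x3C) points at "PE\0\0".
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
MAX_E_LFANEW = 0x1000  # assumed sanity bound for the DOS stub size


def find_embedded_pe(data):
    """Return file offsets of every MZ header whose e_lfanew reaches a PE signature.

    A bare "MZ" inside pixel data, or one whose e_lfanew is out of range or does
    not land on "PE\0\0", is rejected, so the scan is not fooled by the two
    letters appearing in ordinary image content.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full 64-byte DOS header
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig_at = pos + e_lfanew
            if 0x40 <= e_lfanew < MAX_E_LFANEW and data[sig_at:sig_at + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def carve(data, offset):
    """Return the candidate PE from its header to the end of the file."""
    return data[offset:]


def build_sample():
    """Constructed input: a JPEG-like shell (SOI ... EOI) with a PE stub appended.

    The shell also contains a decoy "MZ" in its payload area so the scan has a
    false candidate to reject.
    """
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"MZ scenery" + b"\xff\xd9"
    stub = bytearray(MZ + b"\x00" * 0x3E)        # 64-byte DOS header, zero-filled
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> PE signature at +0x40
    stub += PE_SIG + b"\x4c\x01" + b"\x00" * 18   # PE\0\0 + Machine=i386 + rest of 20-byte COFF header
    return jpeg + bytes(stub)


if __name__ == "__main__":
    sample = build_sample()
    offsets = find_embedded_pe(sample)
    print("PE header offsets:", offsets)
    for off in offsets:
        print("carved", len(carve(sample, off)), "bytes starting", carve(sample, off)[:2])
```

Run over a real image, a hit only means a PE-shaped structure is present; the follow-up is to carve it, hash it, and submit it to the same analysis path as any other dropped executable. Encrypted or XORed payloads (the T1140 row) will not match this scan and need the decoded form first.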
Groups, software, and campaigns
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 620885af646b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Chen, J. et al. (2019, November). Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Trend Micro. Retrieved June 9, 2020. (Cited in relationship text as "Trend Micro Tick November 2019".)
[2] MITRE ATT&CK. S0470: BBK. Mirrored source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.