
S0472: down_new

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

Domain: Enterprise | ID: S0472 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

down_new is a Windows downloader associated in ATT&CK with BRONZE BUTLER and linked to discovery, web-based command-and-control, encoded/encrypted communications, and tool transfer behaviors. For leaders, the practical risk is not just the downloader itself, but its role as an entry point for follow-on activity after it learns about the host, installed software, security tools, files, storage, and network configuration.

Executive priority

Treat this as a resilience and readiness check for Windows endpoint visibility, outbound web traffic governance, and incident response triage. Organizations with sensitive government, biotechnology, electronics manufacturing, or industrial chemistry operations should ensure they can prove whether Windows systems are collecting the evidence needed to identify downloader activity, discovery clusters, and external tool transfer. Because ATT&CK provides no official detection text for this object, priority should be on validating coverage rather than assuming existing controls detect it.

Technical view

SOC and IR teams should validate visibility for Windows malware behavior mapped to discovery and command-and-control relationships: System Network Configuration Discovery, Process Discovery, File and Directory Discovery, Software Discovery, Security Software Discovery, Local Storage Discovery, Web Protocols, Ingress Tool Transfer, Standard Encoding, and Symmetric Cryptography. Detection engineering should look for suspicious clustering: a process that performs multiple local discovery actions, checks installed or security software, enumerates storage or files, and then communicates over web protocols or retrieves additional content. Because the object is a downloader, response playbooks should include scoping for secondary payloads or files transferred after initial execution.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Parent-child process relationships around discovery utilities or unusual executables
  • File creation, modification, and download artifacts on Windows hosts
  • Windows network connection telemetry from endpoint sensors
  • HTTP/HTTPS proxy or web gateway logs

Detection direction

  • Validate that Windows endpoints capture enough process, file, and network context to correlate discovery activity with outbound web communications.
  • Tune for behavior chains rather than a single indicator: discovery of processes, files, software, security tools, storage, or network configuration followed by web protocol communications or file ingress is more meaningful than any one event alone.
  • Review blind spots where encrypted or encoded command-and-control content may reduce payload inspection value; emphasize metadata, process lineage, timing, and destination patterns.
  • Account for false positives from administrative tooling, software inventory agents, vulnerability scanners, and endpoint management platforms that legitimately enumerate systems or retrieve files.
  • Use the BRONZE BUTLER relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
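The behavior chain described in the technical view and the detection direction above (several categories of local discovery by one process, followed within a short window by web-protocol communication or a file drop, with management agents tuned out) can be expressed as a correlation rule. The script below is an added example and is not code from the Glexia page, MITRE or Trend Micro's down_new analysis; the command-line markers, the allowlist entry, the 10-minute window and the Sysmon-style sample events are all assumptions for illustration, and the event schema is a simplified stand-in for whatever your endpoint sensor actually emits.

```python
"""Behavior-chain correlation for downloader tradecraft on Windows endpoints.

Added example, not code from MITRE ATT&CK, Trend Micro or the Glexia page. It
groups constructed Sysmon-style events by the acting process and raises one
alert when a process performs discovery in several ATT&CK categories and then,
within a window, makes an outbound HTTP/HTTPS connection or drops a file into a
user profile. Command-line markers, the allowlist and the sample events are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line markers per discovery technique (illustrative, not exhaustive).
DISCOVERY_MARKERS = {
    "T1057": ("tasklist", "get-process"),                        # Process Discovery
    "T1016": ("ipconfig", "getmac", "get-netadapter"),           # System Network Configuration Discovery
    "T1083": ("dir ", "get-childitem", "tree "),                 # File and Directory Discovery
    "T1518": ("wmic product", "currentversion\\uninstall"),      # Software Discovery
    "T1518.001": ("antivirusproduct", "securitycenter2", "windefend"),  # Security Software Discovery
    "T1680": ("fsutil volume", "get-volume", "vol "),            # Local Storage Discovery
}
# Assumed allowlist: a management agent that legitimately enumerates hosts.
ALLOWLISTED_IMAGES = {r"c:\program files\inventoryagent\agent.exe"}
WEB_PORTS = {80, 443, 8080}


def discovery_categories(cmdline):
    """Return the discovery technique IDs implied by one child command line."""
    c = cmdline.lower()
    return {tid for tid, toks in DISCOVERY_MARKERS.items() if any(t in c for t in toks)}


def correlate(events, window=timedelta(minutes=10), min_categories=3):
    """Alert on processes that chain discovery into web C2 or file ingress.

    Each event is a dict with 'ts' (ISO 8601), 'type', 'actor' (GUID of the
    process doing the work: the parent for process_create, the process itself
    for network_connect and file_create), 'actor_image', and per type:
      process_create -> 'cmdline'; network_connect -> 'dst_ip', 'dst_port';
      file_create -> 'target'.
    """
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev["actor"]].append(dict(ev, t=datetime.fromisoformat(ev["ts"])))
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["t"])
        image = evs[0]["actor_image"].lower()
        if image in ALLOWLISTED_IMAGES:
            continue
        seen, first_discovery, follow_ups = set(), None, []
        for e in evs:
            if e["type"] == "process_create":
                cats = discovery_categories(e["cmdline"])
                if cats:
                    seen |= cats
                    first_discovery = first_discovery or e["t"]
            elif first_discovery and e["t"] - first_discovery <= window:
                # Only follow-on activity after discovery started counts toward the chain.
                if e["type"] == "network_connect" and e["dst_port"] in WEB_PORTS:
                    follow_ups.append(f"T1071.001 web C2 to {e['dst_ip']}:{e['dst_port']}")
                elif e["type"] == "file_create" and "\\appdata\\" in e["target"].lower():
                    follow_ups.append(f"T1105 file written: {e['target']}")
        if len(seen) >= min_categories and follow_ups:
            alerts.append({"actor": actor, "image": image,
                           "discovery": sorted(seen), "follow_ups": follow_ups})
    return alerts


def _ev(ts, type_, actor, image, **fields):
    return {"ts": ts, "type": type_, "actor": actor, "actor_image": image, **fields}


# Constructed sample telemetry (not real incident data).
_SUSPECT = r"c:\users\alice\appdata\roaming\svchost_upd.exe"
_AGENT = r"c:\program files\inventoryagent\agent.exe"
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00", "process_create", "P1", _SUSPECT, cmdline="tasklist /v"),
    _ev("2024-05-01T09:00:02", "process_create", "P1", _SUSPECT, cmdline="ipconfig /all"),
    _ev("2024-05-01T09:00:03", "process_create", "P1", _SUSPECT, cmdline="wmic product get name,version"),
    _ev("2024-05-01T09:00:05", "process_create", "P1", _SUSPECT,
        cmdline=r"wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname"),
    _ev("2024-05-01T09:00:09", "network_connect", "P1", _SUSPECT, dst_ip="203.0.113.10", dst_port=443),
    _ev("2024-05-01T09:00:12", "file_create", "P1", _SUSPECT, target=r"c:\users\alice\appdata\local\temp\stage2.dat"),
    # Same enumeration from the allowlisted inventory agent: suppressed.
    _ev("2024-05-01T09:05:00", "process_create", "P2", _AGENT, cmdline="tasklist"),
    _ev("2024-05-01T09:05:01", "process_create", "P2", _AGENT, cmdline="ipconfig /all"),
    _ev("2024-05-01T09:05:02", "process_create", "P2", _AGENT, cmdline="wmic product get name"),
    _ev("2024-05-01T09:05:10", "network_connect", "P2", _AGENT, dst_ip="198.51.100.5", dst_port=443),
    # One discovery command then a web connection: below the category threshold.
    _ev("2024-05-01T09:10:00", "process_create", "P3", r"c:\windows\explorer.exe", cmdline="ipconfig"),
    _ev("2024-05-01T09:10:01", "network_connect", "P3", r"c:\windows\explorer.exe", dst_ip="192.0.2.20", dst_port=443),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the user-profile binary is reported: it hits four discovery categories and then both a web-port connection and an AppData file drop. The inventory agent performs the same enumeration but is suppressed by image path, and the single ipconfig from explorer.exe stays under the category threshold. In production the allowlist should key on signer or hash rather than path, and the discovery markers should be extended with API-level telemetry, since a downloader can enumerate processes and volumes without spawning any child process.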

Mitigation priorities

  • Prioritize endpoint hardening and execution controls that reduce the chance of unapproved downloaded tools running on Windows systems.
  • Restrict and monitor outbound web traffic from endpoints, especially where direct internet access is not operationally required.
  • Maintain reliable software and security-tool inventories so unexpected discovery of defensive tooling can be investigated quickly.
  • Ensure incident response procedures include containment and scoping for follow-on downloads, not just removal of the initial downloader.
  • Preserve audit evidence showing endpoint logging, web traffic monitoring, and response playbooks are in place for downloader-led intrusions.

Analyst notes and limits

ATT&CK identifies down_new as a downloader used by BRONZE BUTLER since at least 2019, with Windows as the supplied platform. The relationship set gives the most useful defensive context: discovery of host/network/software/security/storage information, web-based C2, encoded or encrypted communications, and ingress tool transfer.

Official detection guidance is not provided. ATT&CK tactics for the malware object are not specified, and local prevalence, indicators, payload names, infrastructure, and active exploitation are not supplied. Environment-specific telemetry and incident evidence are required before making exposure, attribution, or impact claims.

Official MITRE ATT&CK definition

down_new

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (10 rows)

Enterprise | T1105 | Ingress Tool Transfer
    down_new has the ability to download files to the compromised host. [1]

Enterprise | T1680 | Local Storage Discovery
    down_new has the ability to identify the system volume information of a compromised host. [1]

Enterprise | T1132.001 | Standard Encoding (sub-technique)
    down_new has the ability to base64 encode C2 communications. [1]

Enterprise | T1083 | File and Directory Discovery
    down_new has the ability to list the directories on a compromised host. [1]

Enterprise | T1057 | Process Discovery
    down_new has the ability to list running processes on a compromised host. [1]

Enterprise | T1518.001 | Security Software Discovery (sub-technique)
    down_new has the ability to detect anti-virus products and processes on a compromised host. [1]

Enterprise | T1071.001 | Web Protocols (sub-technique)
    down_new has the ability to use HTTP in C2 communications. [1]

Enterprise | T1518 | Software Discovery
    down_new has the ability to gather information on installed applications. [1]

Enterprise | T1016 | System Network Configuration Discovery
    down_new has the ability to identify the MAC address of a compromised host. [1]

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
    down_new has the ability to AES encrypt C2 communications. [1]
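The Standard Encoding and Symmetric Cryptography rows say the C2 channel is base64-wrapped and AES-encrypted HTTP, and the detection direction above says to fall back on metadata, timing and destination patterns when payload inspection loses value. The script below is an added example and is not code from the Glexia page, MITRE or Trend Micro's analysis of down_new. It parses constructed proxy records, scores inter-request regularity per source/destination pair, and tests whether POST bodies are strict base64 whose decoded bytes look like ciphertext rather than base64 of readable text. The log format, hosts, thresholds and the SHA-512-derived stand-in for AES output are assumptions; nothing here reflects the real down_new message format.

```python
"""Proxy-log triage for base64-wrapped, encrypted HTTP C2.

Added example, not code from the Glexia page, MITRE or Trend Micro. Groups
constructed proxy records per (source, destination), measures beacon
regularity, and flags POST bodies that are valid base64 of near-random bytes.
Format, hosts and thresholds are assumptions for illustration.
"""
import base64
import binascii
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime


def shannon_entropy(data):
    """Shannon entropy in bits of the byte distribution of `data` (max 8)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def looks_opaque_base64(body, min_len=32):
    """True when body is strict base64 and the decoded bytes look like ciphertext.

    Ciphertext has near-maximal entropy for its length and few printable bytes;
    base64 of plaintext key=value reporting decodes to mostly printable ASCII.
    """
    s = body.strip()
    if len(s) < min_len or len(s) % 4:
        return False
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    ratio = shannon_entropy(raw) / math.log2(min(len(raw), 256))
    return printable < 0.6 and ratio >= 0.85


def parse_line(line):
    """Parse one constructed record: '<iso-ts> <src-ip> <method> <host> <path> <status> <body|->'."""
    ts, src, method, host, path, status, body = line.split(" ", 6)
    return {"t": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "status": int(status),
            "body": None if body == "-" else body}


def triage(lines, min_requests=4, max_cv=0.2):
    """Per (src, host): request count, gap statistics, opaque POST count, beacon verdict."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        groups[(rec["src"], rec["host"])].append(rec)
    report = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["t"])
        gaps = [(b["t"] - a["t"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.fmean(gaps) if gaps else 0.0
        # Coefficient of variation of the gaps: low means a regular check-in rhythm.
        cv = statistics.stdev(gaps) / mean if len(gaps) > 1 and mean > 0 else float("inf")
        opaque = sum(1 for r in recs
                     if r["method"] == "POST" and r["body"] and looks_opaque_base64(r["body"]))
        report[key] = {"requests": len(recs),
                       "median_gap_s": statistics.median(gaps) if gaps else 0.0,
                       "gap_cv": cv, "opaque_posts": opaque,
                       "beacon": len(recs) >= min_requests and cv <= max_cv}
    return report


# Constructed stand-in for AES output: deterministic pseudo-random bytes, so the
# example runs offline without a key or a real cipher.
_CIPHERTEXT_LIKE = (hashlib.sha512(b"constructed sample 1").digest()
                    + hashlib.sha512(b"constructed sample 2").digest())
OPAQUE_BODY = base64.b64encode(_CIPHERTEXT_LIKE).decode()
# Base64 of readable reporting data: encoded, but not encrypted.
TEXT_BODY = base64.b64encode(b"host=WS01&user=alice&os=Windows 10&av=Defender").decode()

# Constructed proxy records (not real traffic). Destinations use documentation address ranges.
SAMPLE_LOG = [
    f"2024-05-01T09:00:00 10.0.0.5 POST 203.0.113.10 /up.php 200 {OPAQUE_BODY}",
    f"2024-05-01T09:01:01 10.0.0.5 POST 203.0.113.10 /up.php 200 {OPAQUE_BODY}",
    f"2024-05-01T09:01:59 10.0.0.5 POST 203.0.113.10 /up.php 200 {OPAQUE_BODY}",
    f"2024-05-01T09:03:00 10.0.0.5 POST 203.0.113.10 /up.php 200 {OPAQUE_BODY}",
    f"2024-05-01T09:04:02 10.0.0.5 POST 203.0.113.10 /up.php 200 {OPAQUE_BODY}",
    "2024-05-01T09:00:10 10.0.0.7 GET updates.example.net /catalog.xml 200 -",
    "2024-05-01T09:00:15 10.0.0.7 GET updates.example.net /pkg/1.cab 200 -",
    "2024-05-01T09:07:30 10.0.0.7 GET updates.example.net /pkg/2.cab 200 -",
    "2024-05-01T09:08:00 10.0.0.7 GET updates.example.net /pkg/3.cab 200 -",
    f"2024-05-01T09:02:00 10.0.0.9 POST intranet.example.com /inventory 200 {TEXT_BODY}",
    f"2024-05-01T09:03:00 10.0.0.9 POST intranet.example.com /inventory 200 {TEXT_BODY}",
]


if __name__ == "__main__":
    for (src, host), stats in triage(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {stats}")
```

The pair 10.0.0.5 to 203.0.113.10 scores as a beacon (five requests about a minute apart with tiny jitter) and every POST body decodes to high-entropy, non-printable bytes, which is what base64-wrapped AES output looks like from the proxy's vantage point. The update client is irregular and carries no bodies, and the inventory agent's bodies are base64 but decode to plain key=value text, so neither is flagged. The point is that encoding and encryption remove content signatures but not rhythm, volume or destination, which is why the detection guidance above leans on those.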

Associated objects

Groups, software, and campaigns

Group Enterprise

G0060: BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in the mirrored snapshot)
Modified: (not supplied in the mirrored snapshot)
Raw hash: 53959702c86d4a9e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not supplied) | 1.0 | (not supplied) | Current bundle | 53959702c86d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trend Micro Tick November 2019. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  2. [2] mitre-attack S0472. The MITRE-hosted ATT&CK entry for this object on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.