S0473: Avenger
Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
Analyst context for executives and security teams
Avenger matters because ATT&CK identifies it as a Windows downloader associated with BRONZE BUTLER activity. For leaders, the practical concern is not just the downloader itself, but the follow-on pattern it enables: discovery of the host and environment, concealment through obfuscation, web-based command-and-control, and transfer of additional tools. That makes it relevant to incident triage, endpoint visibility, egress monitoring, and readiness to determine whether an initial malware finding is only the first stage of a broader intrusion.
Executive priority
Prioritize Avenger as a validation case for Windows endpoint detection, network egress governance, and incident response scoping. Because the object is linked to discovery, process injection, obfuscated or encoded files, web protocols, and ingress tool transfer, executives should ask whether teams can quickly answer: what system was infected, what it learned about the environment, whether additional files were pulled in, and what external web communications occurred. This is also useful compliance evidence: demonstrate that endpoint, network, and response processes can reconstruct downloader activity without relying on a single alert source.
Technical view
ATT&CK does not provide a dedicated detection section for Avenger, so SOC and IR teams should validate coverage through the related techniques. On Windows, focus on suspicious process behavior, process injection indicators, discovery activity for processes, files, local storage, system/network configuration, and security software, plus web-based command-and-control and file transfer evidence. Because related techniques include steganography, encrypted or encoded files, and deobfuscation/decoding, detection engineering should not depend only on static signatures or cleartext indicators. Treat any Avenger-like alert as a staging event and scope for downloaded payloads, child processes, unusual web destinations, and discovery commands or API activity around the same timeframe.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships
- Endpoint detection telemetry for process injection or abnormal memory/process access
- File creation, modification, download, and quarantine events
- Command-line, script, and shell execution logs where available
- DNS, proxy, firewall, and web gateway logs for outbound HTTP/S activity
Detection direction
- Validate whether Windows endpoint telemetry can correlate discovery behavior with subsequent outbound web traffic and file downloads.
- Tune for suspicious sequencing: environment discovery, security software discovery, obfuscated file handling, deobfuscation, process injection, then ingress tool transfer or web C2.
- Account for false positives from legitimate administration, software inventory, backup, and security tools that enumerate systems, processes, storage, or installed defenses.
- Do not rely solely on static malware names; the related obfuscation and steganography techniques imply that content-based detection may be incomplete.
- Use relationship context carefully: ATT&CK links Avenger to BRONZE BUTLER, but local attribution should require additional evidence beyond the malware name.
Mitigation priorities
- Ensure Windows endpoints have centralized process, file, and network telemetry sufficient for post-compromise scoping.
- Restrict and monitor unnecessary outbound web access from workstations and servers, especially to untrusted destinations.
- Harden execution controls and least privilege to reduce the ability of a downloader to stage or run additional tools.
- Maintain response playbooks for downloader infections that include containment, egress review, payload search, and timeline reconstruction.
- Validate that security controls can inspect or flag encoded, encrypted, or suspiciously packaged files without assuming cleartext indicators will be present.
Analyst notes and limits
The strongest decision value is using Avenger as a test of first-stage malware readiness: can the organization distinguish a contained downloader event from a broader intrusion that performed discovery, evasion, C2, and tool transfer? The BRONZE BUTLER relationship adds threat-intelligence context, especially for organizations concerned with espionage activity affecting Japanese government, biotechnology, electronics manufacturing, or industrial chemistry sectors, but it should not be treated as attribution by itself.
ATT&CK provides no official detection guidance for Avenger, no object-level tactics, and only Windows as the malware platform. Several related techniques list broader platforms, but those platform lists should not be interpreted as Avenger platform support. Local telemetry, samples, alerts, and incident evidence are required to confirm behavior, scope, and attribution.
Avenger
Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Avenger has the ability to identify installed anti-virus products on a compromised host.CitationTrend Micro Tick November 2019 |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Avenger has the ability to use HTTP in communication with C2.CitationTrend Micro Tick November 2019 |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Avenger has the ability to XOR encrypt files to be sent to C2.CitationTrend Micro Tick November 2019 |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Avenger has the ability to decrypt files downloaded from C2.CitationTrend Micro Tick November 2019 |
| Enterprise | T1083 | File and Directory Discovery | Avenger has the ability to browse files in directories such as Program Files and the Desktop.CitationTrend Micro Tick November 2019 |
| Enterprise | T1016 | System Network Configuration Discovery | Avenger can identify the domain of the compromised host.CitationTrend Micro Tick November 2019 |
| Enterprise | T1105 | Ingress Tool Transfer | Avenger has the ability to download files from C2 to a compromised host.CitationTrend Micro Tick November 2019 |
| Enterprise | T1055 | Process Injection | Avenger has the ability to inject shellcode into svchost.exe.CitationTrend Micro Tick November 2019 |
| Enterprise | T1027.003 | Steganography Sub-technique | Avenger can extract backdoor malware from downloaded images.CitationTrend Micro Tick November 2019 |
| Enterprise | T1680 | Local Storage Discovery | Avenger has the ability to identify the host volume ID.CitationTrend Micro Tick November 2019 |
| Enterprise | T1082 | System Information Discovery | Avenger has the ability to identify the OS architecture on a compromised host.CitationTrend Micro Tick November 2019 |
Groups, software, and campaigns
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | f28450912273… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Trend Micro Tick November 2019
Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
Open source URL -
[2]
mitre-attack S0473Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.