MITRE ATT&CK® Malware

S0593: ECCENTRICBANDWAGON

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.[1]

Enterprise | S0593 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

ECCENTRICBANDWAGON is a Windows remote access Trojan described by ATT&CK as a reconnaissance and information-gathering tool with keylogging and screen capture capability. For leaders, the material risk is not just malware execution; it is silent collection from already-compromised endpoints, including credentials and sensitive on-screen information that can affect identity security, incident scope, and business confidentiality.

Executive priority

Prioritize this behavior where Windows endpoints handle privileged access, financial operations, sensitive communications, or regulated data. Because ATT&CK provides no official detection guidance for this software, leadership should ask whether endpoint telemetry, credential-protection controls, and incident response playbooks can prove collection activity such as keylogging, screen capture, local staging, command shell use, obfuscation, and file deletion. ATT&CK relationships also associate this malware with Lazarus Group and APT38, so threat intelligence teams should treat it as relevant to North Korea-linked intrusion tradecraft without assuming local exposure or active targeting.

Technical view

SOC and IR teams should validate coverage around the related ATT&CK behaviors: T1056.001 Keylogging, T1113 Screen Capture, T1059.003 Windows Command Shell, T1074.001 Local Data Staging, T1027 Obfuscated Files or Information, and T1070.004 File Deletion. Focus on Windows hosts and correlate suspicious process execution, command shell activity, unusual file creation/staging patterns, screenshot-like artifacts, possible input-capture behavior, obfuscated payloads, and cleanup activity. Because no official detection text is supplied, detections should be tested against local baselines and incident evidence rather than assumed from the malware name alone.

Likely telemetry

  • Windows endpoint detection and response events
  • Process creation and command-line telemetry, especially cmd.exe activity
  • File creation, modification, staging, and deletion events
  • Security tool alerts for obfuscated or packed files
  • User-session activity evidence relevant to screen capture or input capture

Detection direction

  • Build behavior-based detections around the related techniques rather than relying only on static malware identifiers.
  • Correlate command shell execution with local data staging, screen capture/keylogging indicators, and subsequent file deletion.
  • Tune for false positives from legitimate administration, troubleshooting tools, accessibility software, screen recording tools, and endpoint management activity.
  • Validate whether endpoint logging retains enough detail after file deletion or cleanup behavior.
  • Use ATT&CK group relationships as threat-intelligence context, not as proof of attribution in an incident.

Mitigation priorities

  • Harden and monitor Windows endpoints that handle privileged or sensitive workflows.
  • Limit unnecessary command shell use through administrative controls where operationally feasible.
  • Strengthen credential protections and require rapid credential rotation when keylogging is suspected.
  • Ensure EDR, logging, and retention are sufficient to reconstruct collection, staging, and deletion activity.
  • Prepare IR procedures for suspected RAT activity, including host isolation, forensic preservation, identity review, and scoping of exposed data.

Analyst notes and limits

This take is based on ATT&CK S0593 and supplied relationships. The official object identifies ECCENTRICBANDWAGON as a RAT used by North Korean cyber actors and first identified in August 2020, with keylogging and screen capture functionality for reconnaissance and information gathering. ATT&CK relationships connect it to Lazarus Group, APT38, and several techniques useful for detection planning.

ATT&CK provides no official detection section, no explicit tactics on the malware object, no aliases, and only Windows as the platform. Local validation is required to determine whether telemetry exists, whether detections are effective, and whether any observed activity is attributable to this malware or related groups.

Official MITRE ATT&CK definition

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1070.004 | File Deletion (sub-technique) | ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207. [1]
Enterprise | T1027 | Obfuscated Files or Information | ECCENTRICBANDWAGON has encrypted strings with RC4. [1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine. [1]
Enterprise | T1113 | Screen Capture | ECCENTRICBANDWAGON can capture screenshots and store them locally. [1]
Enterprise | T1056.001 | Keylogging (sub-technique) | ECCENTRICBANDWAGON can capture and store keystrokes. [1]
Enterprise | T1074.001 | Local Data Staging (sub-technique) | ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories. [1]
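
As an added illustration of the "Detection direction" guidance above applied to the staging and cleanup paths in the relationship table, the following Python is example code written for this page (not Glexia's, MITRE's, or code from the CISA report). It assumes a constructed pipe-delimited telemetry record format, a 30-minute correlation window, and that %temp% expands to the per-user AppData\Local\Temp directory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Staging and cleanup paths come from the relationship notes on this page; %temp% is
# assumed to expand to the per-user AppData\Local\Temp directory.
STAGING_DIRS = re.compile(r"\\Temp\\(GoogleChrome|Downloads|TrendMicroUpdate)\\", re.I)
CLEANUP_PATH = re.compile(r"^C:\\Windows\\Temp\\tmp0207", re.I)
CMD_IMAGE = re.compile(r"\\cmd\.exe$", re.I)
WINDOW = timedelta(minutes=30)  # correlation window; a tunable assumption

def classify(line):
    """Parse one constructed 'ts|host|event|path|image' record and return
    (timestamp, host, technique) or None when it evidences no behaviour."""
    ts, host, event, path, image = line.split("|")
    tech = None
    if event == "ProcessCreate" and CMD_IMAGE.search(image):
        tech = "T1059.003"  # Windows Command Shell
    elif event == "FileCreate" and STAGING_DIRS.search(path):
        tech = "T1074.001"  # Local Data Staging in the named %temp% directories
    elif event == "FileDelete" and CLEANUP_PATH.search(path):
        tech = "T1070.004"  # File Deletion of the tmp0207 log
    return (datetime.fromisoformat(ts), host, tech) if tech else None

def correlate(lines, min_behaviours=2):
    """Return {host: sorted techniques} for hosts showing at least min_behaviours
    distinct behaviours inside one WINDOW; a lone cmd.exe launch or a single file
    in %temp%\\Downloads never alerts by itself, which keeps admin noise out."""
    per_host = defaultdict(list)
    for ts, host, tech in filter(None, map(classify, lines)):
        per_host[host].append((ts, tech))
    alerts = {}
    for host, evs in per_host.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {tech for ts, tech in evs[i:] if ts - t0 <= WINDOW}
            if len(seen) >= min_behaviours:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry (not real incident data): WS01 shows the full chain
# within 30 minutes, WS02 only two widely spaced events that should not alert.
SAMPLE = [
    "2020-08-26T09:00:00|WS01|ProcessCreate||C:\\Windows\\System32\\cmd.exe",
    "2020-08-26T09:03:10|WS01|FileCreate|C:\\Users\\u\\AppData\\Local\\Temp\\GoogleChrome\\s1.jpg|",
    "2020-08-26T09:20:45|WS01|FileDelete|C:\\Windows\\Temp\\tmp0207|",
    "2020-08-26T10:00:00|WS02|ProcessCreate||C:\\Windows\\System32\\cmd.exe",
    "2020-08-26T15:00:00|WS02|FileCreate|C:\\Users\\u\\AppData\\Local\\Temp\\Downloads\\x.dat|",
]
```

Running `correlate(SAMPLE)` flags only WS01 with all three behaviours; lowering `min_behaviours` to 1 shows how much noise the correlation requirement suppresses.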

Associated objects

Groups, software, and campaigns

Group Enterprise

G0082: APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Group Enterprise

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 1b710678d33fe1d7...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 1b710678d33f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CISA EB Aug 2020: Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  2. [2] ECCENTRICBANDWAGON (Citation: CISA EB Aug 2020)
  3. [3] mitre-attack S0593

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.