S1081: BADHATCH
Analyst context for executives and security teams
BADHATCH is a Windows backdoor that ATT&CK associates with FIN8 activity since at least 2019 and reports as used against insurance, retail, technology, and chemical organizations across several countries. Its defensive significance is not just the malware name: the ATT&CK relationships show a broad post-compromise pattern involving discovery, command execution, persistence through scheduled tasks, process injection, command-and-control over common protocols, proxying, and exfiltration over the C2 channel.
Executive priority
Treat BADHATCH as a validation case for Windows endpoint resilience and incident response readiness in sectors called out by ATT&CK. Leaders should ask whether the organization can prove visibility into Windows execution, WMI, PowerShell, scheduled tasks, identity/group discovery, and outbound web/file-transfer traffic. Because ATT&CK provides no official detection guidance for this object, coverage should be demonstrated through telemetry and tested detections rather than assumed from malware signatures alone.
Technical view
SOC and IR teams should map BADHATCH-related coverage to the linked ATT&CK techniques: Windows command shell and PowerShell execution, WMI abuse, scheduled task creation, process/DLL/APC injection, system/user/group/process/network discovery, file deletion, obfuscation through embedded payloads, compression and command obfuscation, C2 over web and file-transfer protocols, proxy behavior, external web services, and exfiltration over the C2 channel. Prioritize correlation across endpoint process lineage, command-line content, script logging, Windows management activity, task scheduler events, module/memory behavior, and egress network telemetry.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution and script block/module logging where enabled
- WMI activity and remote/local management execution evidence
- Windows scheduled task creation, modification, and execution logs
- Endpoint file creation, deletion, archive/compression, and payload staging evidence
Detection direction
- Do not rely on a single BADHATCH signature; ATT&CK does not provide official detection text for this malware object.
- Build behavior-based detections around the related techniques, especially suspicious combinations of discovery followed by WMI, command shell or PowerShell execution, scheduled task persistence, and outbound C2-like traffic.
- Tune for administrative false positives: WMI, PowerShell, scheduled tasks, compression, and domain group enumeration are legitimate in many environments, so detections should consider user role, host criticality, parent process, frequency, and destination reputation/context.
- Validate visibility for process injection behaviors using EDR or equivalent endpoint telemetry; standard Windows logs alone may not expose memory-level activity.
- Correlate endpoint and network evidence for C2 over web protocols, file-transfer protocols, proxies, and external web services, because these channels may blend into normal business traffic.
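A worked detection example for the direction above, added here and not part of the original page, of ATT&CK, or of Glexia's tooling: it runs the "discovery followed by WMI, PowerShell, or scheduled-task activity" correlation over a handful of constructed Sysmon-style process-creation events. The event fields, the 30-minute window, the regexes, and the technique mapping are this example's own assumptions, not a tested rule set; the discovery commands it looks for are the ones listed in the technique table on this page.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample encoded PowerShell argument, constructed for the example: -EncodedCommand carries
# base64 over the UTF-16LE bytes of the script text, so we build the sample the same way.
SAMPLE_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
# ws-14 shows discovery -> WMI-spawned PowerShell -> scheduled task; admin-01 shows a lone
# administrative group lookup with no follow-on, which must not alert.
EVENTS = [
    {"time": "2021-03-10T09:00:05", "host": "ws-14", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami.exe"},
    {"time": "2021-03-10T09:00:20", "host": "ws-14", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": 'net.exe group "domain admins" /domain'},
    {"time": "2021-03-10T09:00:41", "host": "ws-14", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest.exe /domain_trusts"},
    {"time": "2021-03-10T09:03:12", "host": "ws-14", "user": "CORP\\jdoe", "parent": "WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + SAMPLE_ENCODED},
    {"time": "2021-03-10T09:04:02", "host": "ws-14", "user": "CORP\\jdoe", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                '/tr "powershell.exe -w hidden -File C:\\Users\\Public\\update.ps1"'},
    {"time": "2021-03-10T10:15:00", "host": "admin-01", "user": "CORP\\itadmin", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": 'net.exe group "domain admins" /domain'},
]

# Per-event technique taggers (assumed mapping, based on the commands named on this page).
DISCOVERY = [
    ("T1033", re.compile(r"\bwhoami(\.exe)?\b", re.I)),
    ("T1069.002", re.compile(r"\bnet1?(\.exe)?\s+group\b.*/domain\b", re.I)),
    ("T1482", re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I)),
    ("T1049", re.compile(r"\bnetstat(\.exe)?\b", re.I)),
]
DISCOVERY_IDS = {tid for tid, _ in DISCOVERY}
FOLLOW_ON_IDS = {"T1059.001", "T1027.010", "T1047", "T1053.005"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_PS = re.compile(r"(?:^|\s)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(b64):
    """Decode a -EncodedCommand argument; None if it is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def tag(event):
    """Return the set of ATT&CK technique IDs a single event resembles (empty if none)."""
    cmd, tags = event["cmdline"], set()
    for tid, rx in DISCOVERY:
        if rx.search(cmd):
            tags.add(tid)
    if re.search(r"\bpowershell(\.exe)?\b", cmd, re.I):
        tags.add("T1059.001")
    if ENCODED_PS.search(cmd):
        tags.add("T1027.010")
    if re.search(r"\bschtasks(\.exe)?\s+/create\b", cmd, re.I):
        tags.add("T1053.005")
    if event["parent"].lower() == "wmiprvse.exe":  # process spawned through WMI
        tags.add("T1047")
    return tags


def find_chains(events, window=timedelta(minutes=30)):
    """Per host: alert when an execution/persistence event lands within `window` after a
    discovery event. A discovery command on its own never alerts (admin false-positive control)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev, tag(ev)))
    findings = []
    for host, evs in by_host.items():
        disc_times = [t for t, _, tags in evs if tags & DISCOVERY_IDS]
        chain = [t for t, _, tags in evs if tags & FOLLOW_ON_IDS
                 and any(timedelta(0) <= t - d <= window for d in disc_times)]
        if not chain:
            continue
        start = min(d for d in disc_times if timedelta(0) <= chain[0] - d <= window)
        end = chain[-1]
        techniques, decoded, users = set(), [], set()
        for t, ev, tags in evs:
            if start <= t <= end and tags:
                techniques |= tags
                users.add(ev["user"])
                m = ENCODED_PS.search(ev["cmdline"])
                if m:  # surface the decoded script for the analyst, not just the blob
                    decoded.append(decode_encoded_command(m.group(2)))
        findings.append({"host": host, "users": sorted(users), "start": start.isoformat(),
                         "end": end.isoformat(), "techniques": sorted(techniques),
                         "decoded_powershell": decoded})
    return findings


if __name__ == "__main__":
    for finding in find_chains(EVENTS):
        print(finding)
```

In production the same logic would sit on top of EDR or Sysmon data, and the user-role, host-criticality, and destination context called for above would be joined in before alerting; the point here is that requiring a discovery-to-execution sequence on one host already silences the single `net group` lookup from the admin workstation.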
Mitigation priorities
- Confirm baseline Windows hardening and least-privilege controls for users, administrators, service accounts, WMI access, and scheduled task creation.
- Restrict and monitor script and shell usage, including PowerShell and cmd, with logging sufficient for incident reconstruction.
- Control outbound traffic through authenticated proxies, egress filtering, and logging that preserves destination, protocol, user, host, and volume context.
- Harden Active Directory visibility and permissions so domain group enumeration and privileged group exposure can be investigated and reduced where possible.
- Deploy or validate endpoint controls capable of detecting suspicious process injection, DLL loading, payload staging, and file deletion behaviors.
Analyst notes and limits
The most decision-useful part of this object is the relationship set: BADHATCH is connected to many behaviors that give defenders practical test cases for Windows endpoint, identity, and network monitoring. The FIN8 relationship and sector references come from ATT&CK’s official description and external references; they should guide threat-informed prioritization but not be treated as proof of current activity in any specific environment.
ATT&CK provides no official detection text, no aliases, and no object-level tactics for BADHATCH. Local validation is required to determine whether telemetry exists, whether detections are tuned, and whether observed activity is malicious or legitimate administration. This summary does not assert active exploitation or customer exposure.
BADHATCH
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1135 | Network Share Discovery | BADHATCH can check a user's access to the C$ share on a compromised machine. [2] |
| Enterprise | T1620 | Reflective Code Loading | BADHATCH can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to `CreateThread`. [1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | BADHATCH can utilize `powershell.exe` to execute commands on a compromised host. [1][2] |
| Enterprise | T1055 | Process Injection | BADHATCH can inject itself into an existing explorer.exe process by using `RtlCreateUserThread`. [1][2] |
| Enterprise | T1018 | Remote System Discovery | BADHATCH can use a PowerShell object such as `System.Net.NetworkInformation.Ping` to ping a computer. [2] |
| Enterprise | T1057 | Process Discovery | BADHATCH can retrieve a list of running processes from a compromised machine. [2] |
| Enterprise | T1082 | System Information Discovery | BADHATCH can obtain current system information from a compromised machine such as the `SHELL PID`, `PSVERSION`, `HOSTNAME`, `LOGONSERVER`, `LASTBOOTUP`, OS type/version, bitness, and hostname. [1][2] |
| Enterprise | T1113 | Screen Capture | BADHATCH can take screenshots and send them to an actor-controlled C2 server. [2] |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | BADHATCH has an embedded second stage DLL payload within the first stage of the malware. [1] |
| Enterprise | T1124 | System Time Discovery | BADHATCH can obtain the `DATETIME` and `UPTIME` from a compromised machine. [2] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | BADHATCH can use `schtasks.exe` to gain persistence. [2] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | BADHATCH malicious PowerShell commands can be encoded with base64. [2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | BADHATCH can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers. [1][2] |
| Enterprise | T1033 | System Owner/User Discovery | BADHATCH can obtain logged user information from a compromised machine and can execute the command `whoami.exe`. [2] |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1106 | Native API | BADHATCH can utilize Native API functions such as `ToolHelp32` and `RtlAdjustPrivilege` to enable `SeDebugPrivilege` on a compromised machine. [1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | BADHATCH has the ability to execute a malicious DLL by injecting into `explorer.exe` on a compromised machine. [1] |
| Enterprise | T1046 | Network Service Discovery | BADHATCH can check for open ports on a computer by establishing a TCP connection. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | BADHATCH can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes. [1] |
| Enterprise | T1027.015 | Compression Sub-technique | BADHATCH can be compressed with the ApLib algorithm. [2] |
| Enterprise | T1102 | Web Service | BADHATCH can be utilized to abuse `sslip.io`, a free IP to domain mapping service, as part of actor-controlled C2 channels. [2] |
| Enterprise | T1070.004 | File Deletion Sub-technique | BADHATCH has the ability to delete PowerShell scripts from a compromised machine. [1] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | BADHATCH can use WMI event subscriptions for persistence. [2] |
| Enterprise | T1069.002 | Domain Groups Sub-technique | BADHATCH can use `net.exe group "domain admins" /domain` to identify Domain Administrators. [2] |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | BADHATCH can perform pass the hash on compromised machines with x64 versions. [2] |
| Enterprise | T1482 | Domain Trust Discovery | BADHATCH can use `nltest.exe /domain_trusts` to discover domain trust relationships on a compromised machine. [2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | BADHATCH can use `cmd.exe` to execute commands on a compromised host. [1][2] |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | BADHATCH can emulate an FTP server to connect to actor-controlled C2 servers. [2] |
| Enterprise | T1047 | Windows Management Instrumentation | BADHATCH can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine. [1][2] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | BADHATCH can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC. [2] |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | BADHATCH can inject itself into a new `svchost.exe -k netsvcs` process using the asynchronous procedure call (APC) queue. [1][2] |
| Enterprise | T1134.001 | Token Impersonation/Theft Sub-technique | BADHATCH can impersonate a `lsass.exe` or `vmtoolsd.exe` token. [2] |
| Enterprise | T1049 | System Network Connections Discovery | BADHATCH can execute `netstat.exe -f` on a compromised machine. [2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | BADHATCH can exfiltrate data over the C2 channel. [1][2] |
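The C2 rows above (TLS beacon to a hardcoded address every 5 minutes over 443, and abuse of `sslip.io`, which maps an IP embedded in a hostname back to that IP) give the network side of the correlation the detection direction asks for. The following added example, which is not from the page, ATT&CK, or Glexia, scores constructed egress log lines on two signals: near-constant inter-connection intervals per (source, destination) pair, and hostnames that embed the destination IP. The log format, the minimum of 4 connections, and the coefficient-of-variation threshold of 0.1 are this example's assumptions; the addresses are documentation ranges.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress log lines (proxy/firewall style): time src_host dst_name dst_ip dst_port bytes.
# ws-14 -> sslip.io host: five connections roughly 300 s apart (beacon-like).
# ws-14 -> cdn.example.net: irregular, bursty, benign-looking.  admin-01: a single connection.
LOG_LINES = """
2021-03-10T09:00:00 ws-14 203-0-113-10.sslip.io 203.0.113.10 443 1320
2021-03-10T09:05:02 ws-14 203-0-113-10.sslip.io 203.0.113.10 443 1290
2021-03-10T09:09:58 ws-14 203-0-113-10.sslip.io 203.0.113.10 443 1335
2021-03-10T09:15:01 ws-14 203-0-113-10.sslip.io 203.0.113.10 443 1301
2021-03-10T09:20:00 ws-14 203-0-113-10.sslip.io 203.0.113.10 443 1318
2021-03-10T09:00:13 ws-14 cdn.example.net 198.51.100.7 443 84210
2021-03-10T09:00:14 ws-14 cdn.example.net 198.51.100.7 443 5120
2021-03-10T09:07:40 ws-14 cdn.example.net 198.51.100.7 443 930
2021-03-10T09:31:05 ws-14 cdn.example.net 198.51.100.7 443 40021
2021-03-10T09:02:00 admin-01 updates.example.net 198.51.100.20 443 2200
""".strip().splitlines()

LINE_RX = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)$")
# Four octets separated by '.' or '-' at the start of a hostname, e.g. 203-0-113-10.sslip.io
IP_IN_NAME_RX = re.compile(r"^(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?=\.)")


def parse_line(line):
    """Parse one constructed log line into a record; None for lines that do not match."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    t, src, dst_name, dst_ip, port, nbytes = m.groups()
    return {"time": datetime.fromisoformat(t), "src": src, "dst_name": dst_name,
            "dst_ip": dst_ip, "port": int(port), "bytes": int(nbytes)}


def embedded_ipv4(hostname):
    """Return the IPv4 address a hostname embeds (dotted or dashed), or None."""
    m = IP_IN_NAME_RX.match(hostname)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def beacon_stats(records, min_connections=4):
    """Per (src, dst_name): connection count, mean gap, and coefficient of variation of gaps."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst_name"])].append(r["time"])
    stats = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[pair] = {"count": len(times), "mean_interval_s": mean, "cv": cv}
    return stats


def analyze(lines, max_cv=0.1, min_connections=4):
    """Flag pairs that beacon regularly and/or talk to a hostname that encodes the peer IP."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    stats = beacon_stats(records, min_connections)
    dst_ip_for = {(r["src"], r["dst_name"]): r["dst_ip"] for r in records}
    findings = []
    for pair, ip in sorted(dst_ip_for.items()):
        reasons, s, name = [], stats.get(pair), pair[1]
        if s and s["cv"] <= max_cv:
            reasons.append("periodic")
        if name.endswith(".sslip.io") or embedded_ipv4(name) == ip:
            reasons.append("ip_in_hostname")
        if reasons:
            findings.append({"src": pair[0], "dst_name": name, "dst_ip": ip,
                             "reasons": reasons, "stats": s})
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding)
```

A low coefficient of variation alone is a weak signal (software update checks and monitoring agents are periodic too), which is why the output carries both reasons separately: the beacon-plus-embedded-IP combination is what should raise priority, and the destination reputation and the host-side chain from the endpoint example are the natural next joins.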
Groups, software, and campaigns
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 7adec98982ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Gigamon BADHATCH Jul 2019: Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
- [2] BitDefender BADHATCH Mar 2021: Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
- [3] mitre-attack S1081
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.