S1226: BOOKWORM
Analyst context for executives and security teams
BOOKWORM matters because it is a Windows modular trojan associated in ATT&CK with Mustang Panda and a broad set of behaviors spanning stealth, persistence, collection, credential access, execution, and command-and-control. For leaders, the decision value is not a single malware name; it is whether Windows endpoint monitoring, service and registry governance, and web-traffic visibility can withstand malware that blends into normal system and network activity.
Executive priority
Prioritize BOOKWORM as a coverage-validation case for Windows endpoint resilience and espionage-oriented incident readiness. The ATT&CK relationships point to controls that often determine response quality: visibility into services and registry changes, DLL activity, code-signing trust decisions, clipboard/keylogging risk, timestamp manipulation, and encrypted or impersonated web C2. Executives should ask whether the organization can prove these behaviors are logged, retained, and reviewed—not merely whether a malware signature exists.
Technical view
ATT&CK lists BOOKWORM as Windows malware with no official detection text. Detection engineering should therefore focus on the related behaviors: Windows service creation/modification, registry modification, DLL abuse, hidden windows, native API execution, timestomping, obfuscated or encoded files, deobfuscation activity, code-signing anomalies, user discovery, keylogging, clipboard collection, and C2 over web protocols with protocol impersonation or symmetric encryption. The description also notes later updates launching shellcode represented as UUID parameters, so analysts should consider abnormal UUID-like parameter use in suspicious execution chains where local telemetry supports that analysis.
Likely telemetry
- Windows EDR process, module-load, command-line, and parent-child process telemetry
- Windows service creation, service modification, and service configuration history
- Windows Registry modification events, especially persistence- and service-related keys
- File creation/modification metadata, including timestamp anomalies and MFT-style forensic evidence where available
- DLL load events and executable-to-DLL path relationships
Detection direction
- Because ATT&CK provides no official detection guidance, validate behavior-based analytics rather than relying on the BOOKWORM name alone.
- Correlate service and registry changes with new executable paths, suspicious parent processes, unsigned or unusual signed binaries, and abnormal persistence timing.
- Tune DLL-abuse detections around uncommon DLL load paths, unexpected module relationships, and newly introduced DLLs near legitimate applications; account for administrative software that legitimately loads plugins or helper DLLs.
- Review file timestamp anomaly coverage, but treat timestomp detections as forensic leads because backup, deployment, and migration tools can also alter timestamps.
- Monitor web-protocol C2 patterns for unusual destinations, user agents, session shapes, or protocol mismatches; encrypted or impersonated traffic may limit content inspection, making metadata and endpoint context important.
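An added correlation example (not code from this page, from ATT&CK, or from the cited reports) that applies the first three points above to constructed Sysmon-style events: it flags a `DeviceSync` service whose ImagePath points outside trusted program directories, flags one of the vendor executables named on this page (`MsMpEng.exe`, `ushata.exe`) loading a DLL from its own non-standard directory, and raises a correlated lead when both hit the same directory. The trusted-directory baseline, the event field names, and every path are assumptions.

```python
import re
from collections import defaultdict
# Assumed baseline: where service executables and vendor binaries normally live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Signed vendor executables the page reports as DLL side-load hosts.
SIDELOAD_HOSTS = {"msmpeng.exe", "ushata.exe"}
# Registry value written when the DeviceSync service is created or reconfigured.
SERVICE_IMAGEPATH = re.compile(r"\\services\\devicesync\\imagepath$", re.I)

def dir_of(path):
    # Lower-cased directory of a Windows path, with trailing backslash.
    return path.lower().rsplit("\\", 1)[0] + "\\"

def is_trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)

def exe_from_imagepath(value):
    # Strip surrounding quotes and service arguments from an ImagePath value.
    m = re.match(r'^"?([^"]+?\.exe)', value, re.I)
    return m.group(1) if m else value

def analyze(events):
    """Return (findings, correlated_dirs); each finding is (rule, directory)."""
    findings = []
    for e in events:
        if e["type"] == "registry_set" and SERVICE_IMAGEPATH.search(e["key"]):
            exe = exe_from_imagepath(e["value"])
            if not is_trusted(exe):
                findings.append(("devicesync_service_untrusted_imagepath", dir_of(exe)))
        elif e["type"] == "image_load":
            host = e["image"].rsplit("\\", 1)[-1].lower()
            # Side-load shape: known host binary running outside its install root
            # and pulling a DLL from the directory it was dropped in.
            if (host in SIDELOAD_HOSTS and not is_trusted(e["image"])
                    and dir_of(e["module"]) == dir_of(e["image"])):
                findings.append(("vendor_binary_sideload_outside_install_dir", dir_of(e["image"])))
    by_dir = defaultdict(set)
    for rule, d in findings:
        by_dir[d].add(rule)
    # A directory hit by both rules (persistence plus side-load) is the strongest lead.
    return findings, sorted(d for d, rules in by_dir.items() if len(rules) > 1)

# Constructed Sysmon-style events for the demo; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\DeviceSync\ImagePath", "value": r'"C:\ProgramData\Sync\MsMpEng.exe"'},
    {"type": "image_load", "image": r"C:\ProgramData\Sync\MsMpEng.exe", "module": r"C:\ProgramData\Sync\helper.dll"},
    {"type": "image_load", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "module": r"C:\Program Files\Windows Defender\helper.dll"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\DeviceSync\ImagePath", "value": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]
```

Only the two events rooted in `C:\ProgramData\Sync` produce findings; the vendor binary in its install directory and the `svchost.exe` ImagePath are treated as baseline.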
Mitigation priorities
- Confirm Windows endpoint protection, logging, and retention cover the related behaviors before investing in malware-specific detection only.
- Restrict and audit administrative permissions that can create services, modify service configuration, alter sensitive registry areas, or install trusted binaries.
- Harden application execution paths, DLL search/load behavior, and software allowlisting where feasible to reduce abuse of legitimate-looking components.
- Strengthen code-signing validation processes, including review of unusual signers and signed binaries appearing in abnormal locations or execution chains.
- Apply egress controls and proxy monitoring for web-protocol communications, with emphasis on destinations and patterns that do not match business use.
Analyst notes and limits
This take is based on ATT&CK S1226 BOOKWORM, its official description, external references, and supplied relationships. The richest defensive value comes from the mapped techniques rather than from object-level detection guidance, which is absent. Local baselining is required because many related behaviors—web traffic, services, registry changes, signed binaries, DLL loading, and administrative hidden-window activity—can also be legitimate.
ATT&CK lists the malware platform as Windows but does not specify object-level tactics or official detections. The supplied data supports association with Mustang Panda and listed techniques, but it does not prove current activity, local exposure, specific indicators, exploit methods, or guaranteed detection coverage.
BOOKWORM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | BOOKWORM has obtained the username from an infected host. [2] |
| Enterprise | T1553.002 | Code Signing Sub-technique | BOOKWORM has used valid legitimate digital signatures and certificates to evade detection. [2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | BOOKWORM has communicated with its C2 via HTTP POST requests. [2][3] |
| Enterprise | T1112 | Modify Registry | BOOKWORM has modified Registry key values as part of its created service `DeviceSync`. [2] |
| Enterprise | T1543.003 | Windows Service Sub-technique | BOOKWORM has created a service named `Microsoft Windows DeviceSync Service` at `HKLM\SYSTEM\CurrentControlSet\Services\DeviceSync\` to trigger execution when the system starts and to maintain persistence. [2] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | BOOKWORM has created a hidden window when conducting keylogging and clipboard theft through its KBLogger.dll module. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1574.001 | DLL Sub-technique | BOOKWORM has used DLL side-loading to execute the malicious payload. [1][3] BOOKWORM has also side-loaded DLL components into a legitimate process, including Microsoft Malware Protection `MsMpEng.exe` and Kaspersky Anti-Virus `ushata.exe`. [2] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | BOOKWORM has created services that attempt to resemble legitimate services, including a service named `Microsoft Windows DeviceSync Service`. [2] |
| Enterprise | T1056.001 | Keylogging Sub-technique | BOOKWORM has used its KBLogger.dll module to capture keystrokes and store them in a folder. [2] |
| Enterprise | T1106 | Native API | BOOKWORM has used various Windows API calls during execution and defense evasion. [1][3] BOOKWORM has created a buffer on the heap using `HeapCreate` and `HeapAlloc`, which allows shellcode to be copied there; execution on the heap is then initiated through the callback function of legitimate API functions such as `EnumChildWindows` or `EnumSystemLanguageGroupsA`. [3] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | BOOKWORM has used encryption and compression algorithms to obfuscate the traffic between the system and the C2 server; methods observed include RC4, AES, XOR with 0x5a, and LZO. [2] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | BOOKWORM has utilized Base64 encoding to obfuscate its payload. [3] |
| Enterprise | T1027 | Obfuscated Files or Information | BOOKWORM has been delivered using self-extracting RAR archives. [2] |
| Enterprise | T1070.006 | Timestomp Sub-technique | BOOKWORM has modified file timestamps from the export address table (EAT) to make it difficult to discern when the module was created. [3] |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | BOOKWORM has modified HTTP POST requests to resemble legitimate communications. [3] |
| Enterprise | T1115 | Clipboard Data | BOOKWORM has used its KBLogger.dll module to steal data saved to the clipboard. [2] |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cff78ce71b4b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Broadcom: Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025.
- [2] Unit42 Bookworm Nov2015: Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025.
- [3] Palo Alto Networks, Unit 42: Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.
- [4] mitre-attack S1226
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.