Software

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[1][2]

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[1][2]

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [1] [2]

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [1]

BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the Agrius threat actor.[1]

BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [1]

BITSAdmin is a command line tool used to create and manage BITS Jobs. [1]

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [1] [2]

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[1][2]

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[1]

BOLDMOVE is a type of backdoor malware written in C linked to People’s Republic of China operations from 2022 through 2023. BOLDMOVE includes both Windows and Linux variants, with some Linux variants specifically designed for FortiGate Firewall devices. BOLDMOVE is linked to zero-day exploitation of CVE-2022-42475 in FortiOSS SSL-VPNs.[1] The record for BOLDMOVE only covers known Linux variants.

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

BOOKWORM is a modular trojan known to be leveraged by Mustang Panda and was first observed utilized in 2015. BOOKWORM was later updated in late 2021 and the fall of 2022 to launch shellcode represented as UUID parameters. [1][2][3]

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]

BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[1][2][3]

BOULDSPY is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that BOULDSPY primarily targeted minority groups in Iran.[1]

BPFDoor is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. BPFDoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.[1][2]

BRATA (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

BRICKSTORM is a cross-platform backdoor with variants written in Go and Rust that facilitates command and control, the ingress transfer of other malware, and the exfiltration of data.[1][2][3][4] BRICKSTORM has also been created from a .NET application using ahead-of-time (AOT) compilation to blend in within victim environments.[1] BRICKSTORM was first observed in April 2024.[5] BRICKSTORM has previously been leveraged by People's Republic of China (PRC) state-nexus actors identified as UNC6201, UNC5221, WARP PANDA, PunyToad, and SYLVANITE.[6][7][1][8][9][10][3][4]

BRUSHFIRE is a passive backdoor written in C that executes in-memory within an existing process. First reported in March 2025, BRUSHFIRE has been observed in activity attributed to People's Republic of China (PRC) state-affiliated threat actors, including UNC5221 and SYLVANITE.[1][2][3]

BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. [1]

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [1]

BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.[1][2]

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[1][2][3]