S0234: Bandook

Bandook is a long-running, commercially available Windows remote access trojan. Its ATT&CK relationships show why it matters beyond “malware found on a host”: it can support command execution, discovery, credential collection through keylogging, screen/audio/video capture, tool transfer, C2 communications, exfiltration, process hollowing, file deletion, obfuscation, and code signing abuse. For leaders, the practical risk is loss of confidentiality and investigative visibility on Windows endpoints, especially in environments where user workstations handle sensitive data or privileged access.

Executive priority

Treat Bandook coverage as a test of Windows endpoint resilience, SOC visibility, and incident response readiness for commodity-but-capable remote access tooling. Priority questions: can the organization see suspicious command execution, PowerShell/cmd activity, process injection behavior, file transfer, unusual C2/exfiltration, and capture of credentials or sensitive user activity? Because MITRE notes use against government, financial, energy, healthcare, education, IT, and legal organizations, affected sectors should ensure detection and response evidence is strong enough for audit, regulatory, and executive incident decision-making.

Technical view

ATT&CK provides no official detection text for Bandook, so defenders should validate coverage from the related behaviors rather than rely on a malware-name alert. Focus on Windows telemetry for execution via command and scripting interpreters, PowerShell, Windows command shell, Visual Basic, Python, and Native API activity; process hollowing indicators; keylogging and screen/audio/video capture behaviors; local file and directory discovery; system network configuration discovery; tool ingress; file deletion; deobfuscation; code signing trust anomalies; non-application-layer or otherwise unusual C2; and exfiltration over the C2 channel. The object platform is Windows, even though some related techniques list broader platforms, so do not infer non-Windows Bandook exposure from this object alone.

Likely telemetry

Windows endpoint process creation and command-line telemetry
PowerShell script block, module, and operational logs where enabled
Windows command shell activity and parent-child process relationships
Endpoint detection telemetry for process hollowing, memory manipulation, and Native API abuse
File creation, modification, deletion, and tool-transfer events

Detection direction

Build detection around the ATT&CK technique chain, not only Bandook names or hashes, because the object is a commercially available RAT and MITRE supplies no official detection logic.
Correlate suspicious user-opened files with follow-on interpreter execution, tool transfer, discovery, capture activity, and outbound communications.
Tune PowerShell, cmd, Visual Basic, Python, and Native API detections for abnormal parent processes, unusual command lines, and execution from user-writable paths; account for legitimate administration to reduce false positives.
Validate endpoint visibility for process hollowing and file deletion, as these behaviors can reduce the value of simple process and file-based detections.
Review signed executable handling carefully: code signing can create misplaced trust, so signed status should not be treated as benign by itself.

Mitigation priorities

Prioritize Windows endpoint hardening and EDR coverage for user workstations and systems that handle sensitive data or privileged sessions.
Restrict and monitor script/interpreter use where business processes allow, especially PowerShell and Windows command shell execution from documents, downloads, temporary folders, or other user-controlled locations.
Strengthen user-execution controls for malicious files through attachment handling, application control, and least privilege, while maintaining user-awareness evidence for compliance programs.
Do not rely solely on code-signing trust; enforce application control and certificate validation policies appropriate to risk.
Limit outbound network paths and monitor unusual protocols or destinations to reduce C2 and exfiltration opportunity.

Analyst notes and limits

The most decision-useful context is the breadth of Bandook’s related behaviors: execution, discovery, collection, credential access, stealth, command and control, exfiltration, and defense-impairment via code signing. Dark Caracal is listed by ATT&CK as a group that uses Bandook, and the description also references Operation Manul; this should inform threat-intelligence context but should not be treated as attribution for any local incident without environment-specific evidence.

MITRE provides no official detection guidance for this object, no object-level tactics, no aliases, and only Windows as the supported platform for Bandook. Several related techniques have broader ATT&CK platform lists; those should guide general control validation but should not be used to claim Bandook operates on those platforms from this object alone. Local telemetry, malware analysis, and incident evidence are required to confirm exposure, infection, attribution, or data loss.

Official MITRE ATT&CK definition

Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 26 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1123	Audio Capture	Bandook has modules that are capable of capturing audio.[1]
Enterprise	T1041	Exfiltration Over C2 Channel	Bandook can upload files from a victim's machine over the C2 channel.[3]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Bandook is capable of spawning a Windows command shell.[1][3]
Enterprise	T1056.001	Keylogging Sub-technique	Bandook contains keylogging capabilities.CitationBH Manul Aug 2016
Enterprise	T1055.012	Process Hollowing Sub-technique	Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.[2][1][3]
Enterprise	T1105	Ingress Tool Transfer	Bandook can download files to the system.[3]
Enterprise	T1120	Peripheral Device Discovery	Bandook can detect USB devices.[1]
Enterprise	T1027.003	Steganography Sub-technique	Bandook has used .PNG images within a zip file to build the executable. [3]
Enterprise	T1083	File and Directory Discovery	Bandook has a command to list files on a system.[3]
Enterprise	T1095	Non-Application Layer Protocol	Bandook has a command built in to use a raw TCP socket.[3]
Enterprise	T1566.001	Spearphishing Attachment Sub-technique	Bandook is delivered via a malicious Word document inside a zip file.[3]
Enterprise	T1059	Command and Scripting Interpreter	Bandook can support commands to execute Java-based payloads.[3]
Enterprise	T1113	Screen Capture	Bandook is capable of taking an image of and uploading the current desktop.[2][3]
Enterprise	T1016	System Network Configuration Discovery	Bandook has a command to get the public IP address from a system.[3]
Enterprise	T1059.001	PowerShell Sub-technique	Bandook has used PowerShell loaders as part of execution.[3]
Enterprise	T1680	Local Storage Discovery	Bandook can collect information about the drives available on the system.[3]
Enterprise	T1204.002	Malicious File Sub-technique	Bandook has used lure documents to convince the user to enable macros.[3]
Enterprise	T1106	Native API	Bandook has used the ShellExecuteW() function call.[3]
Enterprise	T1059.005	Visual Basic Sub-technique	Bandook has used malicious VBA code against the target system.[3]
Enterprise	T1125	Video Capture	Bandook has modules that are capable of capturing video from a victim's webcam.[1]
Enterprise	T1059.006	Python Sub-technique	Bandook can support commands to execute Python-based payloads.[3]
Enterprise	T1070.004	File Deletion Sub-technique	Bandook has a command to delete a file.[3]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	Bandook has used AES encryption for C2 communication.[3]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Bandook has decoded its PowerShell script.[3]
Enterprise	T1005	Data from Local System	Bandook can collect local files from the system .[3]
Enterprise	T1553.002	Code Signing Sub-technique	Bandook was signed with valid Certum certificates.[3]

Associated objects

Groups, software, and campaigns

G0070: Dark Caracal

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Oct 17, 2018, 00:14 UTC (UTC+00:00)
Modified: Apr 25, 2025, 14:43 UTC (UTC+00:00)
Raw hash: 5f56acbf5e74a445...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	2.0	Apr 25, 2025, 14:43 UTC (UTC+00:00)	Current bundle	`5f56acbf5e74…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
EFF Manul Aug 2016

Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
Open source URL
[2]
Lookout Dark Caracal Jan 2018

Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
Open source URL
[3]
CheckPoint Bandook Nov 2020

Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
Open source URL
[4]
mitre-attack S0234
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams