S0396: EvilBunny
Analyst context for executives and security teams
EvilBunny matters because it is a Windows malware sample built as an execution platform for Lua scripts rather than a single-purpose payload. For leaders, the practical concern is whether Windows monitoring can tie script-driven execution, persistence, discovery, cleanup, and web-based command-and-control behaviors into one incident story instead of treating them as isolated alerts.
Executive priority
Prioritize validation of Windows endpoint, process, registry, scheduled task, WMI, and web traffic visibility. The related ATT&CK techniques define what to test: execution through WMI, the command shell, Lua, and native APIs; persistence through scheduled tasks and Run keys; discovery of processes, system time, and security software; file deletion; ingress tool transfer; and web-protocol command and control. Because ATT&CK software objects such as this one carry no detection guidance of their own (detection text lives on the technique pages), assurance should come from control testing and evidence review, not from assumptions about existing tool coverage.
Technical view
SOC and IR teams should validate coverage around the related techniques for Windows: WMI execution, scheduled task creation or modification, command-shell activity, Lua/script execution where present, native API-driven execution indicators, Registry Run key and Startup Folder changes, process and security software discovery, system and time checks, file deletion, inbound tool/file transfer, and outbound HTTP/S-like command-and-control patterns. Detection should focus on behavior correlation across host and network telemetry, especially when persistence, discovery, and cleanup occur near unusual script or command execution.
Likely telemetry
- Windows process creation and command-line telemetry, including parent process lineage
- WMI activity and the process lineage of WMI-spawned children (for example, unexpected children of WmiPrvSE.exe)
- Scheduled Task creation, modification, and execution records
- Registry monitoring for Run keys and file monitoring for the Startup Folder
- File creation, transfer, and deletion events
- Network connection and web proxy logs for outbound HTTP and HTTPS, with the originating process where available
Detection direction
- Test whether alerts correlate WMI, cmd.exe, scheduled tasks, Registry persistence, and suspicious outbound web traffic on the same host or user context.
- Tune for administrative false positives: WMI, Task Scheduler, command shell, and Registry Run keys are legitimate Windows administration mechanisms.
- Review blind spots where the Lua interpreter is embedded inside the malware binary itself rather than run as a standalone interpreter: detections keyed on interpreter image names or script-file extensions will not fire, so behavior-based rules on the spawned processes, persistence writes, and network connections have to carry the load.
- Validate retention and searchability of host telemetry needed to investigate file deletion and tool transfer after the fact.
- Use the anti-analysis relationships as triage context: system checks, time-based checks, and security software discovery may indicate malware attempting to understand or evade its environment.
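The correlation and false-positive tuning described in the list above, as an added example that is not part of the ATT&CK object, the Cyphort report, or Glexia's tooling. It tags Sysmon-like events with the technique IDs from this page's table, then alerts per host only when several distinct behaviour categories (execution, persistence, discovery, cleanup, web C2) land inside one time window; a task allowlist and a browser exclusion show where administrative noise is removed. The event field names, the rule patterns, the allowlist, and the sample telemetry (hosts WS01 and WS02, the `upd.exe` and `SysUpd` names) are all constructed assumptions for illustration, not indicators from the page.

```python
"""Correlate EvilBunny-style behaviours per host inside a time window.

Added example for this page; not code from MITRE, Glexia or the Cyphort report.
Event shape, rules, allowlist and sample data are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
# Constructed sample telemetry. WS01 shows a chain matching the relationships on
# this page; WS02 shows routine administration that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "user": "alice", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c " + TMP + "upd.exe"},
    {"ts": "2024-05-01T09:01:10", "host": "WS01", "user": "alice", "type": "process",
     "image": "C:\\Windows\\System32\\schtasks.exe", "parent": "cmd.exe",
     "cmdline": 'schtasks.exe /create /tn "SysUpd" /tr ' + TMP + "upd.exe /sc minute /mo 30"},
    {"ts": "2024-05-01T09:01:30", "host": "WS01", "user": "alice", "type": "registry",
     "image": TMP + "upd.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysUpd"},
    {"ts": "2024-05-01T09:02:00", "host": "WS01", "user": "alice", "type": "process",
     "image": "C:\\Windows\\System32\\tasklist.exe", "parent": "upd.exe", "cmdline": "tasklist.exe"},
    {"ts": "2024-05-01T09:03:00", "host": "WS01", "user": "alice", "type": "network",
     "image": TMP + "upd.exe", "dst_port": 443},
    {"ts": "2024-05-01T09:04:00", "host": "WS01", "user": "alice", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "upd.exe",
     "cmdline": "cmd.exe /c del /f /q " + TMP + "stage.tmp"},
    {"ts": "2024-05-01T10:00:00", "host": "WS02", "user": "svc_patch", "type": "process",
     "image": "C:\\Windows\\System32\\schtasks.exe", "parent": "cmd.exe",
     "cmdline": 'schtasks.exe /create /tn "\\Corp\\PatchCheck" /tr C:\\Tools\\patchcheck.exe /sc daily'},
    {"ts": "2024-05-01T10:00:30", "host": "WS02", "user": "svc_patch", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "explorer.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-05-01T10:00:40", "host": "WS02", "user": "svc_patch", "type": "process",
     "image": "C:\\Windows\\System32\\tasklist.exe", "parent": "cmd.exe", "cmdline": "tasklist"},
    {"ts": "2024-05-01T10:05:00", "host": "WS02", "user": "svc_patch", "type": "network",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dst_port": 443},
]

# Tuning knobs (assumptions): tasks and browsers that are expected in this environment.
ALLOWLISTED_TASKS = {"\\corp\\patchcheck"}
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
RUN_KEY = re.compile(r"\\currentversion\\run\b")
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)')


def tag_event(e):
    """Map one event to the (technique, behaviour category) pairs it matches."""
    tags = set()
    image, parent = e.get("image", "").lower(), e.get("parent", "").lower()
    cmd = e.get("cmdline", "").lower()
    if e["type"] == "process":
        if parent.endswith("wmiprvse.exe") or image.endswith("wmic.exe"):
            tags.add(("T1047", "execution"))         # WMI-spawned child or wmic.exe
        if image.endswith("cmd.exe"):
            tags.add(("T1059.003", "execution"))
            if re.search(r"\bdel\b", cmd):
                tags.add(("T1070.004", "cleanup"))   # cmd /c del ...
        if image.endswith("schtasks.exe") and "/create" in cmd:
            m = TASK_NAME.search(cmd)
            if not (m and m.group(1) in ALLOWLISTED_TASKS):
                tags.add(("T1053.005", "persistence"))
        if image.endswith("tasklist.exe"):
            tags.add(("T1057", "discovery"))
        if "antivirusproduct" in cmd:                # wmic query of SecurityCenter2
            tags.add(("T1518.001", "discovery"))
    elif e["type"] == "registry" and RUN_KEY.search(e.get("target", "").lower()):
        tags.add(("T1547.001", "persistence"))
    elif e["type"] == "network" and e.get("dst_port") in (80, 443) and not image.endswith(BROWSERS):
        tags.add(("T1071.001", "c2"))                # web-protocol traffic from a non-browser
    return tags


def correlate(events, window=timedelta(minutes=30), min_categories=3):
    """Per host, slide a window over tagged events and alert once at least
    `min_categories` distinct behaviour categories co-occur inside it. Counting
    categories, not raw hits, stops one noisy technique from alerting alone."""
    per_host = defaultdict(list)
    for e in events:
        tags = tag_event(e)
        if tags:
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e.get("user"), tags))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, user, _) in enumerate(hits):
            cats, techs = set(), set()
            for ts, _, tags in hits[i:]:
                if ts - start > window:
                    break
                for tech, cat in tags:
                    cats.add(cat)
                    techs.add(tech)
            if len(cats) >= min_categories:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "categories": sorted(cats), "techniques": sorted(techs)})
                break  # one alert per host per chain; the analyst pivots from there
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` returns a single alert for WS01 listing all five categories and the matched technique IDs, while WS02 stays quiet because its scheduled task is allowlisted, its browser traffic is excluded, and the remaining cmd.exe plus tasklist.exe pair only reaches two categories. Lowering `min_categories` to 2 makes WS02 alert as well, which is the trade-off the tuning bullet above describes: the threshold, the allowlist and the window are the three knobs to set from your own baseline rather than from this sample.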
Mitigation priorities
- Maintain strong Windows endpoint monitoring for process, WMI, scheduled task, registry, and file activity.
- Restrict and monitor administrative use of WMI, command shell, scheduled tasks, and startup persistence locations according to least privilege.
- Harden client applications and prioritize vulnerability management for client-side code execution exposure, consistent with the related Exploitation for Client Execution (T1203) relationship.
- Control and inspect outbound web traffic where feasible, with logging sufficient for incident reconstruction.
- Ensure incident response playbooks include collection of volatile process context, persistence artifacts, deleted-file evidence, and network history.
Analyst notes and limits
The supplied ATT&CK object identifies EvilBunny as a C++ Windows malware sample observed since 2011 and designed as an execution platform for Lua scripts. The most useful defensive value comes from the linked behaviors rather than from a provided malware-specific detection. Treat this as a coverage-mapping object for Windows execution, persistence, discovery, stealth, and command-and-control behaviors.
MITRE provides no official detection guidance, no aliases, no specified tactics on the malware object itself, and only one cited external report in the supplied fields. This analysis does not establish current activity, attribution, prevalence, customer exposure, or guaranteed detection. Local environment evidence is required to determine whether Lua execution, WMI, scheduled tasks, registry persistence, and web C2-like activity are visible and appropriately controlled.
EvilBunny
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.011 | Command and Scripting Interpreter: Lua | EvilBunny has used Lua scripts to execute payloads. [1] |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | |
| Enterprise | T1203 | Exploitation for Client Execution | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 52abd8b6f122… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cyphort EvilBunny Dec 2014: Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Cyphort. Retrieved June 28, 2019.
[2] EvilBunny (alias source record): (Citation: Cyphort EvilBunny Dec 2014)
[3] mitre-attack: S0396 (ATT&CK source object reference)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.