MITRE ATT&CK® Malware

S0471: build_downer

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

Domain: Enterprise | ID: S0471 | Type: Malware | Object version: 1.0 | Modified: (no value in mirrored snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

build_downer is a Windows downloader associated in ATT&CK with BRONZE BUTLER since at least 2019. Its business significance is not the downloader label alone: the related behaviors point to a foothold component that may try to blend in, persist through startup mechanisms, discover local/security context, and retrieve additional tooling. For leaders, this makes it a validation case for whether endpoint, network, and persistence monitoring can expose early-stage intrusion activity before follow-on tools arrive.

Executive priority

Prioritize this as a control-coverage and readiness question rather than a standalone malware panic item. Ask whether Windows endpoints have auditable visibility into startup persistence, suspicious task/service naming, downloader-style network activity, and security-tool discovery. For organizations with exposure similar to the ATT&CK group context—government, biotechnology, electronics manufacturing, and industrial chemistry in Japan—the relationship context may support threat-informed prioritization, but local risk should be confirmed with your own intelligence and environment data.

Technical view

ATT&CK provides no official detection text or tactics for the malware object, so SOC and IR teams should validate coverage through its relationships: T1547.001 Registry Run Keys / Startup Folder for Windows persistence, T1036.004 masqueraded task or service names for stealth, T1027.003 steganography for hidden content, T1105 ingress tool transfer, T1106 native API execution, and discovery behaviors including system time, security software, and local storage discovery. Treat this as a Windows endpoint investigation pattern: correlate new or unusual autoruns, task/service metadata, file creation, and outbound retrieval activity with discovery of security products or host environment details.

Likely telemetry

  • Windows endpoint process creation and command-line or equivalent execution metadata
  • Registry Run key and Startup folder modification events
  • Scheduled task and service creation or modification records, including names, display names, descriptions, and binary paths
  • Endpoint file creation and modification events for downloaded or staged files
  • Network connection, proxy, DNS, and egress logs showing external file retrieval or command-and-control-like transfer activity

Detection direction

  • Because MITRE provides no official detection guidance for S0471, build detections around the related behaviors and require correlation rather than single-event alerting.
  • Tune for suspicious autorun creation on Windows, especially newly created Run key values or Startup folder entries tied to unusual paths, unsigned or newly observed binaries, or recent downloads.
  • Review task and service names for masquerading: near-matches to legitimate names, misleading descriptions, or mismatches between service name, display name, path, and publisher can be higher-signal than name alone.
  • Correlate downloader-style external transfer with subsequent file execution, persistence creation, or discovery of security software to reduce false positives from legitimate updaters and administration tools.
  • Validate whether the SOC can see discovery behaviors; many environments log process and network data but miss registry, task/service metadata, or security-tool enumeration at useful fidelity.
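
As an added illustration of the correlation approach described in the list above (example code written for this page, not code from Glexia, MITRE, or the build_downer authors), the following Python scores Run key writes by three independent signals: a target path in a user-writable location, a value name that borrows a vendor name the target path does not match (the relationship table on this page records the value name "NVIDIA"), and a recent inbound transfer or file drop by the same process on the same host. An alert fires only when several signals coincide, which is the "require correlation rather than single-event alerting" point. The event records and field names are constructed and loosely modelled on Sysmon/EDR-style telemetry; they are not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (illustrative, not real telemetry). The field names are an
# assumption loosely modelled on Sysmon/EDR-style records, not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "type": "network", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "dst": "203.0.113.10:443", "bytes_in": 412_000},
    {"ts": "2024-05-01T09:00:09", "host": "WS01", "type": "file_create", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\nv.jpg"},
    {"ts": "2024-05-01T09:00:12", "host": "WS01", "type": "registry_set", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "NVIDIA",
     "data": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    # Benign control case: a vendor autorun whose name and path agree, under a trusted
    # root, with no prior download from the same process. It should not alert.
    {"ts": "2024-05-01T10:15:00", "host": "WS02", "type": "registry_set", "pid": 888,
     "image": r"C:\Program Files\NVIDIA Corporation\Installer2\setup.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "NVIDIA Display",
     "data": r"C:\Program Files\NVIDIA Corporation\Display\nvdisplay.exe"},
]

# Path markers for user-writable locations, and roots that normally hold vendor software.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\users\\public\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Vendor tokens an autorun value name might borrow to look legitimate (constructed list).
VENDOR_TOKENS = ("nvidia", "intel", "realtek", "adobe", "microsoft")


def autorun_path_flags(path):
    """Flag autorun targets in user-writable locations or outside trusted roots."""
    p = path.lower()
    if any(m in p for m in USER_WRITABLE_MARKERS):
        return ["autorun_in_user_writable_path"]
    if not p.startswith(TRUSTED_ROOTS):
        return ["autorun_outside_trusted_roots"]
    return []


def masquerade_flags(value_name, path):
    """Flag a vendor name in the value name whose target path does not mention that vendor."""
    name, p = value_name.lower(), path.lower()
    return [f"vendor_name_path_mismatch:{t}" for t in VENDOR_TOKENS if t in name and t not in p]


def correlate_autoruns(events, lookback=timedelta(minutes=10), min_score=3):
    """Score Run-key writes by path, name masquerading, and prior transfer/drop activity
    from the same process on the same host; alert only when several signals coincide."""
    alerts = []
    for ev in events:
        # Only Run key writes are considered here; RunOnce and Startup folder events
        # would be handled the same way with their own key/path filters.
        if ev["type"] != "registry_set" or not ev["key"].lower().endswith("\\run"):
            continue
        reasons = autorun_path_flags(ev["data"]) + masquerade_flags(ev["value_name"], ev["data"])
        t_end = datetime.fromisoformat(ev["ts"])
        t_start = t_end - lookback
        for prior in events:
            if prior["host"] != ev["host"] or prior["pid"] != ev["pid"]:
                continue
            if not t_start <= datetime.fromisoformat(prior["ts"]) < t_end:
                continue
            if prior["type"] == "network" and prior.get("bytes_in", 0) > 0:
                reasons.append("recent_inbound_transfer_same_process")
            elif prior["type"] == "file_create":
                reasons.append("recent_file_drop_same_process")
        if len(reasons) >= min_score:
            alerts.append({"host": ev["host"], "value_name": ev["value_name"],
                           "target": ev["data"], "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate_autoruns(SAMPLE_EVENTS):
        print(a["host"], a["value_name"], a["score"], ", ".join(a["reasons"]))
```

On the constructed input only the WS01 write alerts (four reasons); the WS02 vendor autorun scores zero because its name and path agree, it sits under a trusted root, and no transfer preceded it. The `min_score` threshold is the knob that keeps a lone Run key write from paging anyone; raise or lower it against your own false-positive data from legitimate updaters.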

Mitigation priorities

  • Confirm baseline Windows hardening and monitoring for autoruns, Startup folders, scheduled tasks, and services before focusing on malware-family-specific indicators.
  • Restrict and monitor unnecessary outbound transfer paths, and ensure proxy/DNS/network logs can be tied back to endpoint and user context.
  • Harden endpoint controls against unauthorized persistence changes and ensure changes generate reviewable audit evidence.
  • Maintain EDR/AV and centralized logging coverage on Windows systems, with attention to tamper-resistant collection for discovery and persistence events.
  • Use threat-informed exercises to test whether an incident team can pivot from a downloader alert to persistence, discovery, file transfer, and potential follow-on tooling evidence.

Analyst notes and limits

The strongest decision value comes from the relationships rather than the sparse malware description. build_downer is documented as a downloader used by BRONZE BUTLER, and the related techniques describe stealth, persistence, transfer, execution, and discovery behaviors. This supports defensive validation of early-stage intrusion visibility, especially on Windows endpoints.

ATT&CK supplies no official detection text, no explicit malware tactics, no aliases, and no labels for this object. Relationship descriptions are technique-level context and should not be treated as proof that every observed sample uses every behavior in every environment. Local telemetry, malware analysis, and intelligence are required before making exposure, attribution, or incident-impact conclusions.

Official MITRE ATT&CK definition

build_downer

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise T1106 Native API

build_downer has the ability to use the WinExec API to execute malware on a compromised host.[1]

Enterprise T1036.004 Masquerade Task or Service Sub-technique

build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.[1]

Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

build_downer has the ability to add itself to the Registry Run key for persistence.[1]

Enterprise T1027.003 Steganography Sub-technique

build_downer can extract malware from a downloaded JPEG.[1]

Enterprise T1124 System Time Discovery

build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.[1]

Enterprise T1518.001 Security Software Discovery Sub-technique

build_downer has the ability to detect if the infected host is running an anti-virus process.[1]

Enterprise T1680 Local Storage Discovery

build_downer has the ability to send system volume information to C2.[1]

Enterprise T1105 Ingress Tool Transfer

build_downer has the ability to download files from C2 to the infected host.[1]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0060: BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in mirrored snapshot)
Modified: (no value in mirrored snapshot)
Raw hash: 2e6fdbcb8d53f822...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 |  | 1.0 |  | Current bundle | 2e6fdbcb8d53…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trend Micro Tick November 2019: Chen, J. et al. (2019, November). Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Trend Micro. Retrieved June 9, 2020.
  2. [2] mitre-attack S0471: MITRE ATT&CK source record for S0471, build_downer.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.