S1081: BADHATCH
Analyst context for executives and security teams
BADHATCH is a Windows backdoor that ATT&CK associates with FIN8 activity since at least 2019 and reports as used against insurance, retail, technology, and chemical organizations across several countries. Its defensive significance is not just the malware name: the ATT&CK relationships show a broad post-compromise pattern involving discovery, command execution, persistence through scheduled tasks, process injection, command-and-control over common protocols, proxying, and exfiltration over the C2 channel.
Executive priority
Treat BADHATCH as a validation case for Windows endpoint resilience and incident response readiness in sectors called out by ATT&CK. Leaders should ask whether the organization can prove visibility into Windows execution, WMI, PowerShell, scheduled tasks, identity/group discovery, and outbound web/file-transfer traffic. Because ATT&CK provides no official detection guidance for this object, coverage should be demonstrated through telemetry and tested detections rather than assumed from malware signatures alone.
Technical view
SOC and IR teams should map BADHATCH-related coverage to the linked ATT&CK techniques: Windows command shell and PowerShell execution, WMI abuse, scheduled task creation, process/DLL/APC injection, system/user/group/process/network discovery, file deletion, obfuscation through embedded payloads, compression and command obfuscation, C2 over web and file-transfer protocols, proxy behavior, external web services, and exfiltration over the C2 channel. Prioritize correlation across endpoint process lineage, command-line content, script logging, Windows management activity, task scheduler events, module/memory behavior, and egress network telemetry.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution and script block/module logging where enabled
- WMI activity and remote/local management execution evidence
- Windows scheduled task creation, modification, and execution logs
- Endpoint file creation, deletion, archive/compression, and payload staging evidence
Detection direction
- Do not rely on a single BADHATCH signature; ATT&CK does not provide official detection text for this malware object.
- Build behavior-based detections around the related techniques, especially suspicious combinations of discovery followed by WMI, command shell or PowerShell execution, scheduled task persistence, and outbound C2-like traffic.
- Tune for administrative false positives: WMI, PowerShell, scheduled tasks, compression, and domain group enumeration are legitimate in many environments, so detections should consider user role, host criticality, parent process, frequency, and destination reputation/context.
- Validate visibility for process injection behaviors using EDR or equivalent endpoint telemetry; standard Windows logs alone may not expose memory-level activity.
- Correlate endpoint and network evidence for C2 over web protocols, file-transfer protocols, proxies, and external web services, because these channels may blend into normal business traffic.
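The discovery-then-execution/persistence correlation described above, as an added example that is not part of the ATT&CK object or Glexia's tooling. It runs a sequence check over constructed Sysmon/EDR-like process-creation events and applies the tuning the list calls for (parent process and user role); the keyword lists, role set and scoring weights are assumptions to replace with local data.

```python
from datetime import datetime, timedelta
# Constructed sample process-creation events (Sysmon/EDR-like fields), not real telemetry.
EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "user": "jdoe",
     "parent": "winword.exe", "cmd": "cmd.exe /c whoami /all"},
    {"ts": "2024-01-10T09:00:40", "host": "WS01", "user": "jdoe",
     "parent": "cmd.exe", "cmd": 'net group "domain admins" /domain'},
    {"ts": "2024-01-10T09:06:12", "host": "WS01", "user": "jdoe",
     "parent": "cmd.exe", "cmd": "schtasks /create /sc minute /mo 15 /tn Updater /tr u.exe"},
    {"ts": "2024-01-10T11:00:00", "host": "SRV02", "user": "it_admin",
     "parent": "mmc.exe", "cmd": 'net group "domain admins" /domain'},
    {"ts": "2024-01-10T11:02:00", "host": "SRV02", "user": "it_admin",
     "parent": "mmc.exe", "cmd": "schtasks /create /sc daily /tn Backup /tr backup.cmd"},
    {"ts": "2024-01-10T13:00:00", "host": "WS03", "user": "asmith",
     "parent": "explorer.exe", "cmd": "ipconfig /all"},
]

DISCOVERY = ("whoami", "net group", "net user", "tasklist", "ipconfig", "systeminfo")
FOLLOW_ON = ("schtasks /create", "wmic ", "powershell", "-enc ")
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumed: Office-spawned shells
ADMIN_USERS = {"it_admin"}  # assumed role list; replace with directory/CMDB data

def classify(cmd):
    """Label a command line as discovery, follow-on execution/persistence, or neither."""
    c = cmd.lower()
    if any(k in c for k in FOLLOW_ON):
        return "follow_on"
    if any(k in c for k in DISCOVERY):
        return "discovery"
    return None

def correlate(events, window_minutes=30):
    """Return {host: score} where discovery precedes follow-on activity within the window.
    Score = distinct prior discovery commands, +2 for an Office parent in the chain, -2 for admin-role users."""
    window, recent, alerts = timedelta(minutes=window_minutes), {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, kind = datetime.fromisoformat(e["ts"]), classify(e["cmd"])
        if kind == "discovery":
            recent.setdefault(e["host"], []).append((ts, e["cmd"].lower(), e["parent"].lower()))
        elif kind == "follow_on":
            prior = [(c, p) for t, c, p in recent.get(e["host"], []) if ts - t <= window]
            if not prior:
                continue
            score = len({c for c, _ in prior})
            parents = {p for _, p in prior} | {e["parent"].lower()}
            score += 2 if parents & RISKY_PARENTS else 0
            score -= 2 if e["user"] in ADMIN_USERS else 0
            if score > 0:
                alerts[e["host"]] = max(score, alerts.get(e["host"], 0))
    return alerts
```

With the sample data only WS01 is flagged: SRV02 shows the same command pair but from an administrative console and role, which is exactly the false-positive class the tuning bullet describes.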
Mitigation priorities
- Confirm baseline Windows hardening and least-privilege controls for users, administrators, service accounts, WMI access, and scheduled task creation.
- Restrict and monitor script and shell usage, including PowerShell and cmd, with logging sufficient for incident reconstruction.
- Control outbound traffic through authenticated proxies, egress filtering, and logging that preserves destination, protocol, user, host, and volume context.
- Harden Active Directory visibility and permissions so domain group enumeration and privileged group exposure can be investigated and reduced where possible.
- Deploy or validate endpoint controls capable of detecting suspicious process injection, DLL loading, payload staging, and file deletion behaviors.
Analyst notes and limits
The most decision-useful part of this object is the relationship set: BADHATCH is connected to many behaviors that give defenders practical test cases for Windows endpoint, identity, and network monitoring. The FIN8 relationship and sector references come from ATT&CK’s official description and external references; they should guide threat-informed prioritization but not be treated as proof of current activity in any specific environment.
ATT&CK provides no official detection text, no aliases, and no object-level tactics for BADHATCH. Local validation is required to determine whether telemetry exists, whether detections are tuned, and whether observed activity is malicious or legitimate administration. This summary does not assert active exploitation or customer exposure.
BADHATCH
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 7adec98982ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Gigamon BADHATCH Jul 2019: Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
[2] BitDefender BADHATCH Mar 2021: Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
[3] mitre-attack S1081: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.