BRONZE BUTLER

Threat Actor Profile Updated 3 months ago
Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focused on cyberespionage against Japanese enterprises. In March 2023, ESET reported a Bronze Butler operation that compromised the update server of an East Asian Data Loss Prevention (DLP) company whose customers included government and military entities. CTU researchers have linked Bronze Butler's activities to Bronze Huntley; both groups are reportedly located in the Northern Theater Command. The group employs a range of malware, including Datper, a Delphi-coded RAT likely created by Bronze Butler to replace Daserf. Bronze Butler has also demonstrated advanced techniques such as forging Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access. Its modus operandi involves compromising organizations and compiling a list of files from compromised hosts and file-share servers, essentially a "shopping list". In some instances, Bronze Butler has given malware the same name as an existing document on a file-share server, causing users to unwittingly launch it and install the malware on additional systems. The group also uses tools such as T-SMB Scan to enumerate available SMB hosts, and screen-capture tools to gather further information. Bronze Butler's activities often evade detection; in several incidents, antivirus tools failed to scan files whose size had been artificially inflated. Given the sophistication and persistence of Bronze Butler's activities, organizations are advised to actively monitor for signs of this threat actor. Evidence of web server scanning using URL patterns associated with Bronze Butler activity can be found in proxy log files. Additionally, Bronze Butler's removal of help-message functionality indicates a move towards stealthier operations.
As Bronze Butler continues to pose a significant threat to organizations, particularly those in Japan, robust cybersecurity measures and constant vigilance are crucial to mitigate potential attacks.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID, Votes: Profile Description
REDBALDKNIGHT, 2 votes: REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th
Tick, 2 votes: Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami
BRONZE HUNTLEY, 1 vote: Bronze Huntley is a recognized threat actor, known for its malicious activities in the cybersecurity domain. The group has been identified as using the ShadowPad DLL loader (secur32.dll), a notorious tool that allows them to inject malicious code into legitimate processes, thus evading detection and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Rat
Downloader
Spearphishing
Malware
Lateral Move...
Proxy
Apt
Antivirus
Remote Code ...
Associated Malware
ID (Type), Votes: Profile Description
Daserf (Unspecified), 1 vote: Daserf is a sophisticated malware, custom-developed for use in Tick's cyberespionage campaigns. It is capable of exploiting and damaging computer systems by stealing personal information, disrupting operations, and relaying stolen data back to attacker-controlled servers. The Daserf Trojan employs n
Datper (Unspecified), 1 vote: Datper is a Delphi-coded Remote Access Trojan (RAT) likely created by the threat actor group known as BRONZE BUTLER to replace an earlier malware variant, Daserf. This malware, along with Daserf and xxmm, communicates with Command and Control (C2) servers via HTTP, encrypting commands and data using
xxmm (Unspecified), 1 vote: xxmm is a malicious software (malware) that has been observed to be used in tandem with other malware types, including Daserf and Datper, by the threat group BRONZE BUTLER. These malware communicate with their command and control (C2) servers via HTTP, encrypting commands and data using specific alg
ShadowPad (Unspecified), 1 vote: ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
Associated Threat Actors
ID (Type), Votes: Profile Description
No associations to display
Associated Vulnerabilities
ID (Type), Votes: Profile Description
CVE-2016-7836 (Unspecified), 1 vote: None
Source Document References
Information about the BRONZE BUTLER Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source, Created At: Title
CERT-EU, 10 months ago: My Tea's not cold: an overview of China's cyber threat – Global Security Mag Online
MITRE, a year ago: BRONZE BUTLER Hacker Group Targets Japanese Enterprises
MITRE, a year ago: REDBALDKNIGHT's Daserf Backdoor Now Uses Steganography
MITRE, a year ago: Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
Secureworks, a year ago: ShadowPad Malware Analysis
CERT-EU, a year ago: The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia | WeLiveSecurity
CERT-EU, a year ago: ESET: cyberespionage group Tick compromises data protection specialist
CERT-EU, a year ago: ESET: the Tick cyberespionage group hits a data-loss-prevention software company in East Asia | Il corriere della sicurezza