BRONZE BUTLER

Threat Actor updated a month ago (2024-11-29T14:13:26.628Z)
Download STIX
Preview STIX
Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving government and military entities. CTU researchers have linked the activities of Bronze Butler to Bronze Huntley, both reportedly located in the Northern Theater Command. The group employs a range of malware, including Datper — a Delphi-coded RAT likely created by Bronze Butler to replace Daserf. Furthermore, Bronze Butler has demonstrated advanced techniques such as creating forged Kerberos Ticket Granting Tickets (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access. The modus operandi of Bronze Butler involves compromising organizations and creating a list of files from compromised hosts and file-share servers, essentially a "shopping list". In some instances, Bronze Butler has given malware the same name as an existing document file on the file share server, causing users to unwittingly launch and install the malware on additional systems. The group also uses tools like T-SMB Scan to list available SMB hosts and screen-capture tools to gather more information. Bronze Butler's activities often evade detection, with several antivirus tools failing to scan inflated files associated with their incidents. Given the sophistication and persistent nature of Bronze Butler's activities, organizations are advised to actively monitor for signs of this threat actor. Evidence of web server scanning using URL patterns associated with Bronze Butler activity can be found in proxy log files. Additionally, the removal of the help message functionality by Bronze Butler indicates a move towards stealthier operations. As Bronze Butler continues to pose a significant threat to organizations, particularly those in Japan, robust cybersecurity measures and constant vigilance are crucial to mitigate potential attacks.
Description last updated: 2024-05-04T18:50:20.324Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Tick is a possible alias for BRONZE BUTLER. Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. This group has been linked to cyber-espionage activities and is known for deploying a variety of tools and malware families in their operations. Secureworks® incident responders and Counte
2
REDBALDKNIGHT is a possible alias for BRONZE BUTLER. REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.