REDBALDKNIGHT

Threat Actor Profile Updated 3 months ago
REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for their cyberespionage activities against various sectors, including government agencies (particularly defense), biotechnology, electronics manufacturing, and industrial chemistry. The group's modus operandi typically involves spear phishing emails, employing socially engineered titles such as "disaster prevention" to deceive their targets. These phishing emails often contain decoy documents designed to trick recipients into opening them, thereby allowing the threat actor to gain entry into the organization's network. Furthermore, REDBALDKNIGHT has integrated steganography into its operations to conduct second-stage command-and-control (C&C) communication and deploy a second-stage backdoor. This technique involves hiding malicious code within image files, making it harder for cybersecurity measures to detect the threat. To mitigate the threats posed by REDBALDKNIGHT, organizations are advised to safeguard their email gateways against the group’s spear phishing methods and enforce the principle of least privilege to reduce opportunities for lateral movement within their networks. The continuous campaigns of REDBALDKNIGHT underscore the importance of implementing a robust and layered defense strategy. The group’s use of steganography, coupled with malware that can evade detection and analysis, demonstrates a high degree of proficiency and sophistication, which is increasingly gaining traction among cybercriminals.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Tick | 2 | Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami
BRONZE BUTLER | 2 | Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Exploit
Ransomware
Phishing
Steganography
Malware
Decoy
Lateral Move...
Apt
Malvertising
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
Daserf | Unspecified | 1 | Daserf is a sophisticated malware, custom-developed for use in Tick's cyberespionage campaigns. It is capable of exploiting and damaging computer systems by stealing personal information, disrupting operations, and relaying stolen data back to attacker-controlled servers. The Daserf Trojan employs n
Xxmm | Unspecified | 1 | xxmm is a malicious software (malware) that has been observed to be used in tandem with other malware types, including Daserf and Datper, by the threat group BRONZE BUTLER. These malware communicate with their command and control (C2) servers via HTTP, encrypting commands and data using specific alg
Xxmm2_builder | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the REDBALDKNIGHT Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | REDBALDKNIGHT's Daserf Backdoor Now Uses Steganography
CERT-EU | a year ago | The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia | WeLiveSecurity
CERT-EU | a year ago | ESET: cyberespionage group Tick compromises data protection specialist
CERT-EU | a year ago | ESET: the cyberespionage group Tick hits a data-loss prevention software company in East Asia | Il corriere della sicurezza