Tick

Threat Actor Profile (updated a month ago)
Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware families within compromised networks, specifically those of software companies. Its operations have used command-and-control (C&C) servers for a Delphi-based backdoor, such as those hosted on www.averyspace[.]net and www.komdsecko[.]net.

The cybersecurity landscape is further complicated by the various uses of the term "tick." For instance, Agent Tesla, a type of malware, calculates the difference between two tick counts to determine whether it is being debugged or run in a virtual machine. In another context, social media platforms like X (formerly Twitter) use a gold tick to denote a "Verified Organization," while Gmail uses a blue verified tick mark to improve email delivery rates and domain reputation. Safety ratings on platforms like Facebook are also expressed in ticks, with one tick indicating a lower safety rating compared to platforms like Amazon, Lazada, and Qoo10, which have the highest rating of four ticks.

Changes in the verification process on social media platforms also affect the cybersecurity landscape. The old "Twitter Blue" program assigned blue ticks to verified accounts for free, but after Elon Musk bought Twitter in October 2022 and renamed it to X, he introduced a new model. Personal accounts can now get a blue tick for an $8 monthly fee, but without identity verification. This lack of verification could allow malicious actors to masquerade as legitimate entities, increasing the risk of cyber threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description

REDBALDKNIGHT (2 votes): REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th

Tonto Team (2 votes): Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi

BRONZE BUTLER (2 votes): Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov

Winnti Group (1 vote): The Winnti Group, a collective of Chinese Advanced Persistent Threat (APT) groups including APT41, first gained notoriety for its attacks on computer game developers. The group was initially spotted by Kaspersky in 2013, but researchers suggest that this nation-state actor has been active since at l

Mustang Panda (1 vote): Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar

Ta428 (1 vote): TA428 is a sophisticated malware toolkit associated with several cyber threat groups, including Bronze Union (also known as LuckyMouse or APT27) and BackdoorDiplomacy. The TA428 toolkit includes various malicious software like Albaniiutas (RemShell), which is specifically mentioned in an ESET report

KeyBoy (1 vote): KeyBoy is a malicious software (malware) primarily linked to the cyber espionage group known as TA413, which has historically targeted Tibetan entities. The malware is designed with an array of functionalities that allow it to infiltrate and exploit computer systems, including screen grabbing, deter
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Payload
Twitter
Exploit
Windows
Malware
Vulnerability
exploited
Linux
Loader
T1199
T1080
t1195.002
t1059.005
Lateral Move...
t1567.002
Phishing
PowerShell
Australia
t1132.001
Healthcare
Fortiguard
Ransomware
Chinese
Tesla
Discord
Scams
Scam
Google
Facebook
Reconnaissance
Social Media
Symantec
Whatsapp
Mandiant
Backdoor
Zero Day
Dropper
Drainer
Associated Malware
ID (type, votes): Profile Description

ShadowPad (type: Unspecified, 1 vote): ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in

Bisonal (type: Unspecified, 1 vote): Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. This malicious software is known for its extensive capabilities including process and file information harvesting, command and file exec

KEYPLUG (type: Unspecified, 1 vote): Keyplug is a malware program that has been used extensively by the Chinese RedGolf Group and APT41 to target Windows and Linux systems. The modular backdoor, written in C++, supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. It was h

Proton (type: Unspecified, 1 vote): Proton is a malicious software, or malware, that has been found to exploit and damage computer systems. It can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Proton has the capability to steal personal information, disrupt operation

Daserf (type: Unspecified, 1 vote): Daserf is a sophisticated malware, custom-developed for use in Tick's cyberespionage campaigns. It is capable of exploiting and damaging computer systems by stealing personal information, disrupting operations, and relaying stolen data back to attacker-controlled servers. The Daserf Trojan employs n

Agent Tesla (type: Unspecified, 1 vote): Agent Tesla is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates the system often without the user's knowledge via suspicious downloads, emails, or websites, with the capability to steal personal information, disrupt operations, or hold data for
Associated Threat Actors
ID (type, votes): Profile Description

Winnti (type: Unspecified, 1 vote): Winnti, a threat actor or group also known as Starchy Taurus and APT41, has been active since at least 2007, first identified by Kaspersky in 2013. This Chinese state-sponsored entity is renowned for its ability to target supply chains of legitimate software to disseminate malware. The group is link

LuckyMouse (type: Unspecified, 1 vote): LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an

Calypso (type: Unspecified, 1 vote): Calypso is a notable threat actor group, potentially linked to the Chinese state-sponsored threat actor group APT41, alongside other groups such as Hafnium, LuckyMouse, Tick, and Winnti Group. This group has been involved in various cyber espionage campaigns using sophisticated tools like Win32/Korp

Alphv (type: Unspecified, 1 vote): AlphV, a notorious threat actor in the cybersecurity industry, has been responsible for numerous high-profile ransomware attacks. The group's activities include the theft of 5TB of data from Morrison Community Hospital and hacking Clarion, a global manufacturer of audio and video equipment for cars.
Associated Vulnerabilities
ID (type, votes): Profile Description

Proxylogon (type: Unspecified, 2 votes): ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
Source Document References
Information about the Tick Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source (created at): Title

InfoSecurity-magazine (a month ago): Fake Meeting Software Spreads macOS Infostealer

Fortinet (a month ago): New Agent Tesla Campaign Targeting Spanish-Speaking People | Fortinet Blog

CERT-EU (4 months ago): 'Do right by your users': Sun Xueling criticises Meta for not doing enough to fight Facebook scams
CERT-EU (6 months ago): Top 4 Domain Security Solutions for Businesses in 2024

CERT-EU (6 months ago): Techrights — Links 16/01/2024: Surveillance Concerns and Software Patents Thrown Out Again

CERT-EU (6 months ago): Mandiant says X account brute forced without 2FA protection

CERT-EU (6 months ago): ICO reprimands for data breaches will not keep cyber-criminals out or encourage companies to ensure robust cyber-defences – Global Security Mag Online

CERT-EU (6 months ago): AI, Telecom, and Urban Development: Insights from Metro Edge’s CEO Craig Huffman Ahead of PTC’24 | Data Center POST

CERT-EU (6 months ago): Hacked X accounts with gold checkmarks are for sale on the dark web, says study | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (6 months ago): From Data to Design: Inside PowerHouse Data Centers’ Approach to Next-Gen Technology and Infrastructure Ahead of PTC’24 | Data Center POST

CERT-EU (6 months ago): The 10 largest crypto hacks and exploits of 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting

CERT-EU (6 months ago): Top 10 OODAcasts Episodes of 2023

CERT-EU (7 months ago): Today’s Cache | Why ransomware attacks on Indian IT firms are concerning?; Google, X ads promoting sites with crypto malware; U.S. court rules Twitter breached contract over failure to pay bonuses | #ransomware | #cybercrime | National Cyber Security Consulting

CERT-EU (7 months ago): Crypto drainer steals $59 million from 63k people in Twitter ad push

MITRE (7 months ago): A Summary of APT41 Targeting U.S. State Governments

CERT-EU (7 months ago): Cybercrime: Orkney community trust lost £119,000 overnight

CERT-EU (7 months ago): Taking Security Best Practice During Festive Season

CERT-EU (7 months ago): Connecting the Dots: Alan Gibbemeyer Explores Telescent’s Automated Solutions and the Future of Telecom Ahead of PTC’24 | Data Center POST