
Threat Actor Characterization

BRONZE BUTLER

ID: 9e61e2004bf8300d1de4ee44a8e88dde10304
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Malware
Japan UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone: UNKNOWN
Aliases: REDBALDKNIGHT, Tick
MITRE ATT&CK®

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. Ref: https://attack.mitre.org/groups/G0060/


Technique ID · Technique name · Tactic IDs (evidence is listed beneath each entry)
T1003.001 LSASS Memory TA0006
  • OS Credential Dumping: LSASS Memory - BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping. · ref
T1027.001 Binary Padding TA0005
  • Obfuscated Files or Information: Binary Padding - BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection. · ref
T1027.003 Steganography TA0005
  • Obfuscated Files or Information: Steganography - BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads. · ref
T1036.002 Right-to-Left Override TA0005
  • Masquerading: Right-to-Left Override - BRONZE BUTLER has used the Right-to-Left Override character to deceive victims into executing several strains of malware. · ref
T1036.005 Match Legitimate Resource Name or Location TA0005
  • Masquerading: Match Legitimate Resource Name or Location - BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems. · ref
T1053.002 At TA0002 TA0003 TA0004
  • Scheduled Task/Job: At - BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement. · ref
T1053.005 Scheduled Task TA0002 TA0003 TA0004
  • Scheduled Task/Job: Scheduled Task - BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement. · ref
T1059.001 PowerShell TA0002
  • Command and Scripting Interpreter: PowerShell - BRONZE BUTLER has used PowerShell for execution. · ref
T1059.003 Windows Command Shell TA0002
  • Command and Scripting Interpreter: Windows Command Shell - BRONZE BUTLER has used batch scripts and the command-line interface for execution. · ref
T1059.005 Visual Basic TA0002
  • Command and Scripting Interpreter: Visual Basic - BRONZE BUTLER has used VBS and VBE scripts for execution. · ref
T1059.006 Python TA0002
  • Command and Scripting Interpreter: Python - BRONZE BUTLER has made use of Python-based remote access tools. · ref
T1070.004 File Deletion TA0005
  • Indicator Removal: File Deletion - The BRONZE BUTLER uploader, or the malware that the uploader deploys, runs a command to delete the RAR archives once they have been exfiltrated. · ref
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - BRONZE BUTLER malware has used HTTP for C2. · ref
T1087.002 Domain Account TA0007
  • Account Discovery: Domain Account - BRONZE BUTLER has used net user /domain to identify account information. · ref
T1102.001 Dead Drop Resolver TA0011
  • Web Service: Dead Drop Resolver - BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads. · ref
T1132.001 Standard Encoding TA0011
  • Data Encoding: Standard Encoding - Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server. · ref
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails. · ref
T1547.001 Registry Run Keys / Startup Folder TA0003 TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence. · ref
T1548.002 Bypass User Account Control TA0004 TA0005
  • Abuse Elevation Control Mechanism: Bypass User Account Control - BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation. · ref
T1550.003 Pass the Ticket TA0005 TA0008
  • Use Alternate Authentication Material: Pass the Ticket - BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access. · ref
T1560.001 Archive via Utility TA0009
  • Archive Collected Data: Archive via Utility - BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration. · ref
T1562.001 Disable or Modify Tools TA0005
  • Impair Defenses: Disable or Modify Tools - BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes. · ref
T1566.001 Spearphishing Attachment TA0001
  • Phishing: Spearphishing Attachment - BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims. · ref
T1573.001 Symmetric Cryptography TA0011
  • Encrypted Channel: Symmetric Cryptography - BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server. · ref
T1574.001 DLL TA0003 TA0004 TA0005
  • Hijack Execution Flow: DLL - BRONZE BUTLER has used legitimate applications to side-load malicious DLLs. · ref
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. · ref