Home/ Threat Actors/ BRONZE BUTLER

🌐BRONZE BUTLER

🌐 BRONZE BUTLER is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 40 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0060) ↗

14Use cases

0Articles

40Techniques

0IOCs

About this actor (MITRE)

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Known aliases

BRONZE BUTLERREDBALDKNIGHTTick

Top techniques

T1003.001 · LSASS Memory T1005 · Data from Local System T1007 · System Service Discovery

All other tracked techniques

T1018 · Remote System Discovery T1027.001 · Binary Padding T1027.003 · Steganography T1036 · Masquerading T1036.002 · Right-to-Left Override T1036.005 · Match Legitimate Resource Name or Location T1039 · Data from Network Shared Drive T1053.002 · At T1053.005 · Scheduled Task T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.006 · Python T1070.004 · File Deletion T1071.001 · Web Protocols T1080 · Taint Shared Content T1083 · File and Directory Discovery T1087.002 · Domain Account T1102.001 · Dead Drop Resolver T1105 · Ingress Tool Transfer T1113 · Screen Capture T1124 · System Time Discovery T1132.001 · Standard Encoding T1140 · Deobfuscate/Decode Files or Information T1189 · Drive-by Compromise T1203 · Exploitation for Client Execution T1204.002 · Malicious File T1518 · Software Discovery T1547.001 · Registry Run Keys / Startup Folder T1548.002 · Bypass User Account Control T1550.003 · Pass the Ticket T1560.001 · Archive via Utility T1566.001 · Spearphishing Attachment T1573.001 · Symmetric Cryptography T1574.001 · DLL T1588.002 · Tool T1685 · Disable or Modify Tools

Detection use cases (14)

BRONZE BUTLER (Tick) — Daserf/xxmm DLL side-loading via signed-binary proxy in user-writable paths AI · profile S BRONZE BUTLER (Tick) — Office/archive-spawned 'at.exe' or schtasks persistence (Daserf installer pattern) AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match