Skip to content


BISCUIT is a backdoor that has been used by APT1 since as early as 2007. 1

Item Value
ID S0017
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell BISCUIT has a command to launch a command shell on the system.2
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography BISCUIT uses SSL for encrypting C2 communications.2
enterprise T1008 Fallback Channels BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server.12
enterprise T1105 Ingress Tool Transfer BISCUIT has a command to download a file from the C2 server.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging BISCUIT can capture keystrokes.2
enterprise T1057 Process Discovery BISCUIT has a command to enumerate running processes and identify their owners.2
enterprise T1113 Screen Capture BISCUIT has a command to periodically take screenshots of the system.2
enterprise T1082 System Information Discovery BISCUIT has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC.2
enterprise T1033 System Owner/User Discovery BISCUIT has a command to gather the username from the system.2

Groups That Use This Software

ID Name References
G0006 APT1 1


Back to top