

PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. [1][2][3]

| Item | Value |
| --- | --- |
| ID | S0196 |
| Associated Names | ShellTea |
| Version | 2.1 |
| Created | 18 April 2018 |
| Last Modified | 09 February 2021 |

Associated Software Descriptions

| Name | Description |
| --- | --- |
| ShellTea | [1] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | PUNCHBUGGY can gather user names. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests. [2][3][1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfiltration. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | PUNCHBUGGY has been observed using a Registry Run key. [3][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PUNCHBUGGY has used PowerShell scripts. [1] |
| enterprise | T1059.006 | Python | PUNCHBUGGY has used Python scripts. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | PUNCHBUGGY has saved information to a random temp file before exfiltration. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PUNCHBUGGY has used PowerShell to decode base64-encoded assembly. [1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.009 | AppCert DLLs | PUNCHBUGGY can establish persistence using an AppCertDLLs Registry key. [3] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | PUNCHBUGGY can delete files written to disk. [3][1] |
| enterprise | T1105 | Ingress Tool Transfer | PUNCHBUGGY can download additional files and payloads to compromised hosts. [3][1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%. [3][1] |
| enterprise | T1027 | Obfuscated Files or Information | PUNCHBUGGY has hashed most of its code's functions and encrypted payloads with base64 and XOR. [1] |
| enterprise | T1129 | Shared Modules | PUNCHBUGGY can load a DLL using the LoadLibrary API. [3] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | PUNCHBUGGY can gather AVs registered in the system. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | PUNCHBUGGY can load a DLL using Rundll32. [3] |
| enterprise | T1082 | System Information Discovery | PUNCHBUGGY can gather system information such as computer names. [1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0061 | FIN8 | [2] |

