Skip to content

S0234 Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as “Operation Manul”.123

Item Value
ID S0234
Associated Names
Version 2.0
Created 17 October 2018
Last Modified 11 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1123 Audio Capture Bandook has modules that are capable of capturing audio.1
enterprise T1059 Command and Scripting Interpreter Bandook can support commands to execute Java-based payloads.3
enterprise T1059.001 PowerShell Bandook has used PowerShell loaders as part of execution.3
enterprise T1059.003 Windows Command Shell Bandook is capable of spawning a Windows command shell.13
enterprise T1059.005 Visual Basic Bandook has used malicious VBA code against the target system.3
enterprise T1059.006 Python Bandook can support commands to execute Python-based payloads.3
enterprise T1005 Data from Local System Bandook can collect local files from the system .3
enterprise T1140 Deobfuscate/Decode Files or Information Bandook has decoded its PowerShell script.3
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Bandook has used AES encryption for C2 communication.3
enterprise T1041 Exfiltration Over C2 Channel Bandook can upload files from a victim’s machine over the C2 channel.3
enterprise T1083 File and Directory Discovery Bandook has a command to list files on a system.3
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Bandook has a command to delete a file.3
enterprise T1105 Ingress Tool Transfer Bandook can download files to the system.3
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Bandook contains keylogging capabilities.4
enterprise T1106 Native API Bandook has used the ShellExecuteW() function call.3
enterprise T1095 Non-Application Layer Protocol Bandook has a command built in to use a raw TCP socket.3
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.003 Steganography Bandook has used .PNG images within a zip file to build the executable. 3
enterprise T1120 Peripheral Device Discovery Bandook can detect USB devices.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Bandook is delivered via a malicious Word document inside a zip file.3
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing Bandook has been launched by starting iexplore.exe and replacing it with Bandook‘s payload.213
enterprise T1113 Screen Capture Bandook is capable of taking an image of and uploading the current desktop.23
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Bandook was signed with valid Certum certificates.3
enterprise T1082 System Information Discovery Bandook can collect information about the drives available on the system.3
enterprise T1016 System Network Configuration Discovery Bandook has a command to get the public IP address from a system.3
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Bandook has used lure documents to convince the user to enable macros.3
enterprise T1125 Video Capture Bandook has modules that are capable of capturing video from a victim’s webcam.1

Groups That Use This Software

ID Name References
G0070 Dark Caracal 23


Back to top