Skip to content


BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.12

Item Value
ID S0360
Associated Names
Version 1.2
Created 18 February 2019
Last Modified 09 February 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell BONDUPDATER is written in PowerShell.12
enterprise T1059.003 Windows Command Shell BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.2
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms BONDUPDATER uses a DGA to communicate with command and control servers.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.1
enterprise T1105 Ingress Tool Transfer BONDUPDATER can download or upload files from its C2 server.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task BONDUPDATER persists using a scheduled task that executes every minute.2

Groups That Use This Software

ID Name References
G0049 OilRig 1 2