

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[1][2]

| Item | Value |
|---|---|
| ID | S0462 |
| Associated Names | |
| Version | 1.0 |
| Created | 02 June 2020 |
| Last Modified | 15 June 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | CARROTBAT has the ability to execute command line arguments on a compromised host.[2] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | CARROTBAT has the ability to delete downloaded files from a compromised host.[1] |
| enterprise | T1105 | Ingress Tool Transfer | CARROTBAT has the ability to download and execute a remote file via certutil.[1] |
| enterprise | T1027 | Obfuscated Files or Information | CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.[1] |
| enterprise | T1082 | System Information Discovery | CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[1][2] |

