Skip to content


SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.12

Item Value
ID S0464
Associated Names
Version 1.1
Created 02 June 2020
Last Modified 21 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.002 File Transfer Protocols SYSCON has the ability to use FTP in C2 communications.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell SYSCON has the ability to execute commands through cmd on a compromised host.2
enterprise T1057 Process Discovery SYSCON has the ability to use Tasklist to list running processes.2
enterprise T1082 System Information Discovery SYSCON has the ability to use Systeminfo to identify system information.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File SYSCON has been executed by luring victims to open malicious e-mail attachments.1