Skip to content


ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool–with keylogging and screen capture functionality–used for information gathering on compromised systems.1

Item Value
ID S0593
Associated Names
Version 1.0
Created 18 March 2021
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging ECCENTRICBANDWAGON can capture and store keystrokes.1
enterprise T1027 Obfuscated Files or Information ECCENTRICBANDWAGON has encrypted strings with RC4.1
enterprise T1113 Screen Capture ECCENTRICBANDWAGON can capture screenshots and store them locally.1

Groups That Use This Software

ID Name References
G0082 APT38 2
G0032 Lazarus Group 1