S1226 BOOKWORM
BOOKWORM is a modular trojan known to be leveraged by Mustang Panda and was first observed in use in 2015. BOOKWORM was later updated in late 2021 and in the fall of 2022 to launch shellcode represented as UUID parameters. [1][2][3]
| Item | Value |
|---|---|
| ID | S1226 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 21 July 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BOOKWORM has communicated with its C2 via HTTP POST requests. [2][3] |
| enterprise | T1115 | Clipboard Data | BOOKWORM has used its KBLogger.dll module to steal data saved to the clipboard. [2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | BOOKWORM has created a service named Microsoft Windows DeviceSync Service at HKLM\SYSTEM\CurrentControlSet\Services\DeviceSync\ to trigger execution when the system starts and to maintain persistence. [2] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol or Service Impersonation | BOOKWORM has modified HTTP POST requests to resemble legitimate communications. [3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BOOKWORM has decoded its Base64-encoded payload prior to execution. [3] BOOKWORM has also encrypted files with RC4 and has decrypted its payload prior to execution. [2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | BOOKWORM has used encryption and compression algorithms to obfuscate the traffic between the system and the C2 server; observed methods include RC4, AES, XOR with 0x5a, and LZO. [2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | BOOKWORM has created a hidden window when conducting keylogging and clipboard theft through its KBLogger.dll module. [2] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | BOOKWORM has used DLL side-loading to execute the malicious payload. [1][3] BOOKWORM has also side-loaded DLL components into a legitimate process, including Microsoft Malware Protection MsMpEng.exe and Kaspersky Anti-Virus ushata.exe. [2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.006 | Timestomp | BOOKWORM has modified file timestamps from the export address table (EAT) to make it difficult to discern when the module was created. [3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | BOOKWORM has used its KBLogger.dll module to capture keystrokes and store them in a folder. [2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | BOOKWORM has created services that attempt to resemble legitimate services, including a service named Microsoft Windows DeviceSync Service. [2] |
| enterprise | T1112 | Modify Registry | BOOKWORM has modified Registry key values as part of its created service DeviceSync. [2] |
| enterprise | T1106 | Native API | BOOKWORM has used various Windows API calls during execution and defense evasion. [1][3] BOOKWORM has created a buffer on the heap using HeapCreate and HeapAlloc, copied shellcode into it, and then initiated execution on the heap through the callback function of legitimate API functions such as EnumChildWindows or EnumSystemLanguageGroupsA. [3] |
| enterprise | T1027 | Obfuscated Files or Information | BOOKWORM has been delivered using self-extracting RAR archives. [2] |
| enterprise | T1027.013 | Encrypted/Encoded File | BOOKWORM has utilized Base64 encoding to obfuscate its payload. [3] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | BOOKWORM has used valid, legitimate digital signatures and certificates to evade detection. [2] |
| enterprise | T1033 | System Owner/User Discovery | BOOKWORM has obtained the username from an infected host. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [1][3] |
References
1. Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025.
2. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025.
3. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.