Threat Actor Profile
High APT
Description

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Confidence Score
90%
Known Aliases
BRONZE BUTLER, REDBALDKNIGHT, Tick
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (40)
T1005 - Data from Local System
Collection
T1039 - Data from Network Shared Drive
Collection
T1113 - Screen Capture
Collection
T1560.001 - Archive via Utility
Collection
T1071.001 - Web Protocols
Command and Control
T1102.001 - Dead Drop Resolver
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1132.001 - Standard Encoding
Command and Control
T1573.001 - Symmetric Cryptography
Command and Control
T1003.001 - LSASS Memory
Credential Access
T1027.001 - Binary Padding
Defense Evasion
T1027.003 - Steganography
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1036.002 - Right-to-Left Override
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1550.003 - Pass the Ticket
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1007 - System Service Discovery
Discovery
T1018 - Remote System Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1087.002 - Domain Account
Discovery
T1124 - System Time Discovery
Discovery
T1518 - Software Discovery
Discovery
T1053.002 - At
Execution
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1059.005 - Visual Basic
Execution
T1059.006 - Python
Execution
T1203 - Exploitation for Client Execution
Execution
T1204.002 - Malicious File
Execution
T1189 - Drive-by Compromise
Initial Access
T1566.001 - Spearphishing Attachment
Initial Access
T1080 - Taint Shared Content
Lateral Movement
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1574.001 - DLL
Persistence
T1548.002 - Bypass User Account Control
Privilege Escalation
T1588.002 - Tool
Resource Development
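The technique list above is flattened into "ID - Name" / "Tactic" line pairs, which is awkward to pivot on. The following added example (my own code, not from the profile page or from MITRE) parses that two-line layout, groups techniques by tactic for a quick coverage check, and emits an ATT&CK Navigator layer for import. The embedded sample is a constructed subset of the page's 40 entries in the same layout; the Navigator version strings in the layer header are assumed and should be set to whatever your Navigator instance reports.

```python
"""Parse a flattened ATT&CK technique list and build a Navigator layer."""
import json
import re

# Constructed sample: a subset of the page's technique list, in the same
# "ID - Name" / "Tactic" two-line layout. Paste the full list here to cover all 40.
TECHNIQUE_LIST = """\
T1005 - Data from Local System
Collection
T1039 - Data from Network Shared Drive
Collection
T1071.001 - Web Protocols
Command and Control
T1003.001 - LSASS Memory
Credential Access
T1036.002 - Right-to-Left Override
Defense Evasion
T1053.005 - Scheduled Task
Execution
T1566.001 - Spearphishing Attachment
Initial Access
"""

# Technique IDs are Tnnnn, optionally followed by a .nnn sub-technique suffix.
TECH_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?) - (.+)$")


def parse_technique_list(text):
    """Return a list of (technique_id, name, tactic) tuples from the two-line layout.

    Raises ValueError on a dangling ID line or a malformed ID, so a truncated
    copy-paste is caught instead of silently producing a partial layer.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: last technique has no tactic")
    entries = []
    for id_line, tactic in zip(lines[0::2], lines[1::2]):
        m = TECH_RE.match(id_line)
        if not m:
            raise ValueError(f"not a technique line: {id_line!r}")
        entries.append((m.group(1), m.group(2), tactic))
    return entries


def tactic_slug(tactic):
    """'Command and Control' -> 'command-and-control', the tactic key Navigator expects."""
    return tactic.lower().replace(" ", "-")


def coverage_by_tactic(entries):
    """Map each tactic to the sorted technique IDs the page lists under it."""
    cov = {}
    for tid, _name, tactic in entries:
        cov.setdefault(tactic, []).append(tid)
    return {t: sorted(ids) for t, ids in cov.items()}


def navigator_layer(entries, name="BRONZE BUTLER (G0060)"):
    """Build a Navigator layer dict (layer format 4.5; version strings assumed).

    Sub-techniques are scored on their own ID so the layer stays faithful
    to what the page attributes to the group.
    """
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Techniques attributed to the group on this profile page",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic_slug(tactic), "score": 1, "comment": tname}
            for tid, tname, tactic in entries
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    parsed = parse_technique_list(TECHNIQUE_LIST)
    print(json.dumps(coverage_by_tactic(parsed), indent=2))
    print(json.dumps(navigator_layer(parsed), indent=2))
```

Save the second JSON document to a file and open it in Navigator via "Open Existing Layer"; the per-tactic dict is the quicker sanity check when comparing the list against your own detection coverage.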
STIX Data
{
  "aliases": ["BRONZE BUTLER", "REDBALDKNIGHT", "Tick"],
  "created": "2018-01-16T16:13:52.465Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
  "external_references": [
    {
      "external_id": "G0060",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0060"
    },
    {
      "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)",
      "source_name": "BRONZE BUTLER"
    },
    {
      "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)",
      "source_name": "REDBALDKNIGHT"
    },
    {
      "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)",
      "source_name": "Tick"
    },
    {
      "description": "Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.",
      "source_name": "Trend Micro Daserf Nov 2017",
      "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
    },
    {
      "description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.",
      "source_name": "Secureworks BRONZE BUTLER Oct 2017",
      "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
    },
    {
      "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.",
      "source_name": "Trend Micro Tick November 2019",
      "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"
    },
    {
      "description": "DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.",
      "source_name": "Symantec Tick Apr 2016",
      "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan"
    }
  ],
  "id": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
  "modified": "2025-04-25T14:48:57.719Z",
  "name": "BRONZE BUTLER",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Trend Micro Incorporated"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.3"
}
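Before an intrusion-set object like the one above is loaded into a threat-intel platform it is worth checking the STIX 2.1 common properties rather than trusting the feed. The added example below is my own code, not the page's or MITRE's, and not the `stix2` library's validator: it checks type/id agreement, `spec_version`, timestamp format and ordering, and that the `mitre-attack` reference's `external_id` is a group ID that matches its URL, then pulls out the fields an analyst pivots on. The embedded sample is a trimmed copy of the page's object (the citation list is shortened); the check set is an assumption about what an ingest pipeline should enforce, not a complete STIX conformance test.

```python
"""Validate and summarise a STIX 2.1 intrusion-set object before ingesting it."""
import json
import re
from datetime import datetime

# Trimmed copy of the page's STIX object, embedded as sample input.
STIX_OBJ_JSON = """
{
  "type": "intrusion-set",
  "spec_version": "2.1",
  "id": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
  "created": "2018-01-16T16:13:52.465Z",
  "modified": "2025-04-25T14:48:57.719Z",
  "name": "BRONZE BUTLER",
  "aliases": ["BRONZE BUTLER", "REDBALDKNIGHT", "Tick"],
  "external_references": [
    {"source_name": "mitre-attack", "external_id": "G0060",
     "url": "https://attack.mitre.org/groups/G0060"},
    {"source_name": "Secureworks BRONZE BUTLER Oct 2017",
     "description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises.",
     "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"}
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"]
}
"""

# STIX identifier: <object-type>--<UUID>; timestamps are RFC 3339 in UTC ("Z").
ID_RE = re.compile(r"^(?P<type>[a-z][a-z0-9-]{2,249})--"
                   r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def load_sample():
    """Parse the embedded sample object."""
    return json.loads(STIX_OBJ_JSON)


def _ts(value):
    """Parse a STIX timestamp string; raise ValueError if it is not the STIX form."""
    if not TS_RE.match(value):
        raise ValueError(f"bad STIX timestamp: {value!r}")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_intrusion_set(obj):
    """Return a list of problems found; an empty list means the object passed."""
    problems = []
    for key in ("type", "spec_version", "id", "created", "modified", "name"):
        if key not in obj:
            problems.append(f"missing required property {key}")
    if problems:
        return problems
    if obj["type"] != "intrusion-set":
        problems.append(f"unexpected type {obj['type']!r}")
    m = ID_RE.match(obj["id"])
    if not m:
        problems.append("id is not <type>--<uuid>")
    elif m.group("type") != obj["type"]:
        problems.append("id prefix does not match type")
    if obj["spec_version"] != "2.1":
        problems.append(f"spec_version {obj['spec_version']!r} is not 2.1")
    try:
        if _ts(obj["created"]) > _ts(obj["modified"]):
            problems.append("created is later than modified")
    except ValueError as exc:
        problems.append(str(exc))
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            ext = ref.get("external_id", "")
            if not re.fullmatch(r"G\d{4}", ext):
                problems.append(f"mitre-attack external_id {ext!r} is not a group ID")
            if not ref.get("url", "").endswith("/" + ext):
                problems.append("mitre-attack url does not end with external_id")
    return problems


def summarise(obj):
    """Pull out the ATT&CK group ID, aliases, deprecation flag and citation URLs."""
    refs = obj.get("external_references", [])
    attack_id = next((r["external_id"] for r in refs if r.get("source_name") == "mitre-attack"), None)
    sources = [r["url"] for r in refs if r.get("source_name") != "mitre-attack" and "url" in r]
    return {"attack_id": attack_id, "name": obj["name"],
            "aliases": sorted(set(obj.get("aliases", []))),
            "deprecated": obj.get("x_mitre_deprecated", False),
            "sources": sources}


if __name__ == "__main__":
    sample = load_sample()
    print(validate_intrusion_set(sample) or "OK")
    print(json.dumps(summarise(sample), indent=2))
```

The deprecation flag matters in practice: MITRE keeps deprecated and revoked objects in the bundle, so a pipeline that drops the check will keep attributing techniques to a group entry that ATT&CK has retired.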