BUGHATCH
BUGHATCH is a downloader/backdoor associated with Cuba ransomware activity and the UNC2596 intrusion cluster. Mandiant describes it as a downloader that executes arbitrary code on a compromised system after retrieving payloads from a C2 server. It has been used alongside other Cuba/UNC2596 tooling including COLDDRAW, BURNTCIGAR, WEDGECUT, TERMITE, NetSupport RAT, Cobalt Strike BEACON, and WICKER.
Reported intrusion chains place BUGHATCH in post-compromise operations following exploitation of public-facing Microsoft Exchange vulnerabilities, with webshell deployment and additional backdoors used to maintain access. Mandiant reported that UNC2596 deployed BEACON and BUGHATCH using the TERMITE memory-only dropper. Elastic also reported BUGHATCH being launched via PowerShell stagers that downloaded Agent32.bin from external infrastructure, including http://64.235.39[.]82/Agent32.bin and 38.108.119[.]121, and linked this activity to scripts named agsyst82.ps1, komar.ps1, and komar2.ps1. In observed Cuba intrusions, BUGHATCH-related scripts/executables commonly used filenames such as komar or komar<#>, and komar65.dll has also been identified as BUGHATCH.
Elastic assessed Agent32.bin as BUGHATCH and reported a PDB path of F:\Source\Mosquito\Agent\x64\Release\Agent.pdb. Elastic further noted that komar2.ps1 attempted process injection into svchost.exe using C:\Windows\Sysnative\svchost.exe. Mandiant and Elastic both tie BUGHATCH to financially motivated Cuba ransomware operations targeting sectors including retailers, manufacturers, and other organizations in North America and Europe; additional reporting notes Cuba activity against critical infrastructure in the United States and an IT services company in Latin America.
High-confidence indicators and artifacts directly mentioned in the content include Agent32.bin, komar.ps1, komar2.ps1, agsyst82.ps1, komar65.dll, the common filename pattern komar/komar<#>, the download URL http://64.235.39[.]82/Agent32.bin, infrastructure at 38.108.119[.]121, and the PDB path F:\Source\Mosquito\Agent\x64\Release\Agent.pdb.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
We observed the execution of the ProxyLogon exploit. Previous research has observed this threat group leveraging ProxyLogon and ProxyShell vulnerabilities to gain initial access.
Previous research has observed this threat group leveraging ProxyLogon and ProxyShell vulnerabilities to gain initial access.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
BUGHATCH is the name given to a Cuba Ransomware associated downloader by Mandiant... Based on analysis of the Agent32.bin file, we believe that this is the BUGHATCH malware.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: “We observed the execution of the ProxyLogon exploit… leveraging ProxyLogon and ProxyShell vulnerabilities to gain initial access… exploitation of publicly accessible Exchange servers initiated the compromise.”
Execution
1 technique: “BUGHATCH was launched via PowerShell script stagers… komar2.ps1… downloads Agent32.bin…”
Stealth
1 technique: YARA strings include “ReflectiveLoader”, and the report describes extracting “memory-resident binaries and shellcode” and Cobalt Strike payload markers.
Command and Control
1 technique: “actors load tools and malware from web accessible systems”; “loaded by a PowerShell script from a remote URL”; “TERMITE loader at hxxp://45.32.229[.]66/new.dll”
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Downloader malware used by Cuba ransomware group to fetch additional payloads during attacks.
Bughatch is a custom backdoor used by the Cuba ransomware group. It is deployed in process memory, connects to a C2 server, collects system and network information, and can download and execute additional payloads such as Cobalt Strike Beacon or Metasploit modules.
Downloader associated with Cuba Ransomware intrusions; delivered via PowerShell stagers and used to fetch/execute next-stage payloads (e.g., Agent32.bin) and support follow-on activity.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.