Bisonal
Bisonal is a remote access trojan (RAT)/backdoor associated in reporting with Tonto Team and, in later infrastructure analysis, with overlaps suggesting possible links to Winnti/APT41 activity. It has been used in targeted campaigns against government, military, defense, financial, and related organizations, including victims in Eastern Europe, Russia, South Korea, Japan, and other regions. Delivery has included malicious email attachments, including Windows executables disguised as PDF documents with decoy files, and at least one intrusion chain abusing CVE-2018-20250 via a WinRAR ACE archive to place a malicious Word add-in.
Observed capabilities include command execution, file upload/download, drive, process, service, and host information collection, use of ipconfig for network discovery, support for proxy servers, and retrieval of proxy settings from the Registry via RegQueryValueExA. It can check system time and determine whether the host is running on VMware. Bisonal has used HTTP-based C2, including HTTP POST over port 443 to DDNS domains, raw sockets in some variants, and exfiltration over the existing C2 channel by appending stolen data to URLs. Traffic and data have been encoded with Base64 and ASCII; newer variants described in reporting used RC4 to protect C2 strings and communications, while older public reporting referenced XOR. Campaign tracking codes embedded in C2 traffic were also observed.
Persistence and execution behaviors include use of Registry Run keys and rundll32.exe. One reported persistence example is HKCU\Software\Microsoft\Windows\CurrentVersion\Run"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez". Variants have been disguised as legitimate files such as msacm32.dll and earlier as winhelp, and droppers may create and later delete VBS scripts and remove their own dropper artifacts from disk.
Reported infrastructure and campaign overlaps tie Bisonal to Dynamic DNS domains and to ShadowPad/xDll-related infrastructure observed between 2015 and 2020. Public reporting also notes related tooling and successor families such as Bioazih and Dexbia, though those relationships were described as still under investigation.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Among our finds on the server were utilities for lateral movement... The server had the following utilities: Utilities to check for and exploit vulnerability MS17-010... The hackers tweaked the functionality of the MS17-010 utility by adding the ability to check an entire subnet.
May 2018: a new wave of targeted attacks abusing CVE-2018-8174 (this exploit has been associated with the DarkHotel APT group, as described on Securelist), with diplomatic, defense, manufacturing, military and government targets in Asia and Eastern Europe;
In 2019, the actor behind Bisonal used a new way to deploy the machine on the target's systems. They sent a malicious RTF document to the targets with an exploit targeting the CVE-2018-0798 (Microsoft's Equation Editor vulnerability). The purpose of the shellcode was not to execute the malware (as it is usual) but simply to drop it in the %APPDATA%\microsoft\word\startup\ repository with the .wll extension.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
On one of the IP addresses on ShadowPad infrastructure, we found domains used in Bisonal RAT attacks in 2015–2020.
On one of the IP addresses on ShadowPad infrastructure, we found domains used in Bisonal RAT attacks in 2015–2020.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueThe content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution
5 techniquesDuring the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
"Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread"; "Winnti for Windows can use Native API to create a new process and to start services"
Persistence
2 techniquesThe content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
1 techniqueThe content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
9 techniquesThe content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
Bisonal has deleted Registry keys to clean up its prior activity. FIN8 has deleted Registry keys during post compromise cleanup activities. SUNBURST also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Repeated examples across many families: e.g., “APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.”; “Action RAT can use Base64 to decode actor-controlled C2 server communications.”; “Smoke Loader deobfuscates its code.”
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Defense Impairment
1 techniqueDiscovery
6 techniquesThe content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Collection
1 techniqueThe content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
4 techniquesThe content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Exfiltration
1 techniqueADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
77 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
63 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Bisonal is a remote access trojan (RAT) and backdoor primarily used by Chinese state-sponsored threat actors. It provides attackers with persistent access, file searching and exfiltration capabilities, anti-analysis features, and unrestricted system control. It is typically delivered via malicious Office documents exploiting known vulnerabilities.
Software changes: ... Bisonal
Remote access trojan observed sharing infrastructure with ShadowPad and delivered via xDII in attacks (notably against Japanese targets per cited research).
A remote access trojan observed on infrastructure overlapping with ShadowPad and used together with xDII in attacks against Japanese targets. The report discusses likely ties between Bisonal activity and Winnti.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.