{
	"id": "659b5687-a56e-4473-b76c-b37eb2d8abd9",
	"created_at": "2026-04-06T01:32:21.324265Z",
	"updated_at": "2026-04-10T03:33:22.320776Z",
	"deleted_at": null,
	"sha1_hash": "04333e730fc1dc9814aea65ea603cadfa590a3d5",
	"title": "SCYTHE Library: #ThreatThursday - Buhtrap",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1660716,
	"plain_text": "SCYTHE Library: #ThreatThursday - Buhtrap\r\nBy Jorge Orchilles\r\nPublished: 2020-06-11 · Archived: 2026-04-06 00:14:37 UTC\r\nIn this #ThreatThursday we will be looking at Buhtrap, a criminal team attacking financial institutions. We are presenting new concepts this week, such as consuming Cyber Threat Intelligence that has not been mapped or tracked on the MITRE ATT\u0026CK website, and explaining the concept of Short and Long Haul C2.\r\nNo MITRE ATT\u0026CK Page for Adversary?\r\nIf you read our first #ThreatThursday on APT19, you learned to use the MITRE ATT\u0026CK site and ATT\u0026CK Navigator to extract the adversary tactics, techniques, and procedures (TTPs) to create an adversary emulation plan. Searching for this week’s threat actor, Buhtrap, will not yield any results. We will have to dig deeper for Cyber Threat Intelligence and extract the TTPs manually.\r\nAcquire Cyber Threat Intelligence\r\nA Google search is a great way to start learning about this threat actor. We found a number of sources:\r\nhttps://www.group-ib.com/brochures/gib-buhtrap-report.pdf\r\nhttps://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nhttps://www.scythe.io/library/threatthursday-buhtrap\r\nPage 1 of 5\r\nBuhtrap Threat Profile\r\nReading through the sources above (feel free to read other sources) we can extract the TTPs and create a Threat Profile for Buhtrap:\r\nTactic / Description\r\nDescription: Buhtrap is a criminal group that evolved from attacks against bank clients to attacks directly targeting financial institutions. At the moment, the group is known to target Russian and Ukrainian banks.\r\nObjective: Financial gain (over 1.8 billion rubles)\r\nCommand and Control:\r\n  Commonly Used Port (T1043) - TCP 443\r\n  Standard Application Layer Protocol (T1071) - HTTPS\r\n  Custom Command and Control Protocol (T1094) - DNS Tunnelling\r\nInitial Access: Spearphishing Link (T1192)\r\nExecution:\r\n  User Execution (T1204)\r\n  Command-Line Interface (T1059)\r\nDefense Evasion:\r\n  Code Signing (T1116)\r\n  Deobfuscate/Decode Files or Information (T1140)\r\nDiscovery:\r\n  File and Directory Discovery (T1083)\r\n  Network Share Discovery (T1135)\r\nPersistence: Scheduled Task (T1053)\r\nCredential Access:\r\n  Input Capture (T1056)\r\n  Clipboard Data (T1115)\r\nExfiltration:\r\n  Automated Exfiltration (T1020)\r\n  Data Encrypted (T1022)\r\n  Exfiltration Over Command and Control Channel (T1041)\r\n  Remote File Copy (T1105)\r\nTable 1\r\nThe technique IDs above are the ones in use when this post was written (June 2020); several of them, such as T1043, T1094, T1116, T1192 and T1085, have since been deprecated or merged into sub-techniques in later ATT\u0026CK versions, so map them before reusing this profile with a current ATT\u0026CK Navigator layer.\r\nCommand and Control\r\nYou will notice Buhtrap leverages multiple Command and Control (C2) channels. This is common for threat actors and for Red Teams performing adversary emulation. We can divide C2 channels into short haul and long haul. Short haul is for performing actions and receiving results quickly: for example, HTTP beacons at a short interval (seconds) so that interaction is efficient. Long haul C2 is for maintaining access so that operations can be stealthier and persistence is kept; it should be slow and fly under the radar.\r\nShort Haul C2\r\nShort Haul C2 channels are used for quicker interaction with the target systems and for performing MITRE ATT\u0026CK tactics like Discovery, Privilege Escalation, and Exfiltration. Since short haul C2 is used for a number of TTPs, the risk of getting caught is much higher and the C2 channel may be lost or blocked (burned). Common short haul C2 channels are direct TCP connections, HTTP, HTTPS, HTTP/2, HTTP/3, and SMB.
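Added example (this is not code from the SCYTHE post or from the Buhtrap emulation plans): a small Python detector that illustrates the short haul risk described above and the detection discussion under Defending against Buhtrap. It runs interval-regularity analysis over a constructed HTTPS connection log, which is the kind of check that burns a beacon on a seconds interval, and then shows that a once-a-day long haul DNS check-in produces too few events for that timing check and instead has to be caught on content, here by the length and entropy of the leftmost label. All hosts, addresses, timestamps and thresholds are assumptions.

```python
# Added example, not code from the SCYTHE post or the Buhtrap emulation plans.
# Two simple detections a blue team would run against the C2 styles described:
#   1. interval regularity per (source, destination) pair, which burns a
#      short haul beacon that checks in every few seconds;
#   2. a long, high-entropy leftmost DNS label, which catches a DNS tunnel
#      even when it checks in only once a day and so never trips the timing check.
# All hosts, addresses, timestamps and thresholds below are assumptions.
from collections import defaultdict
from math import log2
from statistics import mean, pstdev

T0 = 1_591_833_600  # 2020-06-11 00:00:00 UTC, start of the constructed logs


def constructed_https_log():
    '''Constructed (not real) HTTPS connection records: (epoch_seconds, src_ip, dst_name).'''
    rows = []
    # Short haul beacon: every 30 s with a few seconds of jitter.
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, -1, 1, 0]
    for i in range(60):
        rows.append((T0 + 30 * i + jitter[i % len(jitter)], '10.0.0.5', 'unicorn.example.net'))
    # Ordinary browsing: irregular gaps to a news site.
    t = T0
    for gap in [5, 90, 400, 12, 1800, 7, 60, 3000, 20, 950]:
        t += gap
        rows.append((t, '10.0.0.5', 'news.example.com'))
    return rows


def constructed_dns_log():
    '''Constructed (not real) DNS query records: (epoch_seconds, src_ip, queried_name).'''
    rows = []
    # Benign lookups: short, low-entropy labels at irregular times.
    t = T0
    for gap in [40, 700, 15, 2000, 300, 9, 1200, 65, 3500, 120]:
        t += gap
        rows.append((t, '10.0.0.5', 'www.example.com'))
        rows.append((t + 3, '10.0.0.5', 'mail.example.com'))
    # Long haul DNS C2: one check-in per day, data hex-encoded in the leftmost label.
    labels = ['4f1a9c7e2b8d03f6a1c5e9b7d2f4a8c6', '9e2d7b1c4f8a3e6d0b5c2f7a1e9d4b8c']
    for day, label in enumerate(labels):
        rows.append((T0 + 86_400 * day, '10.0.0.5', label + '.relay.example.org'))
    return rows


def interval_stats(timestamps):
    '''Return (event count, mean gap, coefficient of variation of the gaps).'''
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    m = mean(gaps)
    return len(ts), m, (pstdev(gaps) / m if m else None)


def find_beacons(rows, min_events=10, max_cv=0.2):
    '''Flag (src, dst) pairs with enough events and near-constant gaps between them.'''
    by_pair = defaultdict(list)
    for t, src, dst in rows:
        by_pair[(src, dst)].append(t)
    flagged = {}
    for pair, ts in by_pair.items():
        n, m, cv = interval_stats(ts)
        if n >= min_events and cv is not None and cv <= max_cv:
            flagged[pair] = (n, m, cv)
    return flagged


def label_entropy(label):
    '''Shannon entropy (bits per character) of one DNS label.'''
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def find_dns_tunnels(rows, min_len=24, min_entropy=3.5):
    '''Flag queries whose leftmost label is long and high-entropy (encoded C2 data).'''
    hits = []
    for t, src, name in rows:
        first = name.split('.')[0]
        if len(first) >= min_len and label_entropy(first) >= min_entropy:
            hits.append((src, name, round(label_entropy(first), 2)))
    return hits


if __name__ == '__main__':
    for pair, (n, m, cv) in find_beacons(constructed_https_log()).items():
        print(f'beacon candidate {pair}: {n} events, mean gap {m:.1f} s, cv {cv:.3f}')
    print('timing check on the DNS log flags:', find_beacons(constructed_dns_log()))
    for src, name, ent in find_dns_tunnels(constructed_dns_log()):
        print(f'dns tunnel candidate from {src}: {name} (label entropy {ent} bits)')
```

Run as a script it prints the 30 s HTTPS beacon as the only timing hit, an empty result for the timing check on the DNS log, and the two daily DNS queries as tunnel candidates. The thresholds (ten events, coefficient of variation 0.2, label length 24, entropy 3.5 bits) are starting points only; real beacons add more jitter and real networks carry legitimately periodic update checks, so in practice these scores feed a review queue rather than a block rule.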
\r\nLong Haul C2\r\nLong Haul C2 channels are much slower and should be used to recover short haul C2 channels that have been caught or blocked by the blue team. For example, your short haul uses HTTPS to unicorn.scythedemo.com and it gets blocked by the SOC. Your long haul DNS C2, which goes to a different IP or domain, does not get blocked. You would use the DNS C2 to launch a new agent connecting to a non-blocked HTTPS domain. Long haul channels should be configured to beacon out much less frequently (once a day, once a week). Long haul channels should be used strictly to regain short haul channels so you do not risk losing all access to the target environment. Common long haul channels are DNS, DoH, ICMP, and steganography channels. This does not mean you cannot or should not use much slower beacons over other channels as long haul; it all depends on the objectives and what is being tested.\r\nAdversary Emulation Plan\r\nGiven we have to set up two C2 channels, we have created and shared two adversary emulation plans for Buhtrap on our Community Threats GitHub. They require two campaigns in SCYTHE and are therefore kept separate in our plan.\r\nHTTPS\r\nMost of the TTPs performed by Buhtrap will be performed via the short haul C2: Buhtrap-HTTPS. This adversary emulation plan performs the following automatically with SCYTHE:\r\nCommonly Used Port (T1043) - TCP 443\r\nStandard Application Layer Protocol (T1071) - HTTPS\r\nInput Capture (T1056) - starts right away to begin capture\r\nScreen Capture (T1113)\r\nClipboard Data (T1115)\r\nFile and Directory Discovery (T1083)\r\nNetwork Share Discovery (T1135)\r\nSystem Owner/User Discovery (T1033)\r\nOnce that is complete, the next steps must be done manually, as automating persistence would result in emulating the TTP over and over:\r\nStart DNS campaign - see DNS section\r\nDeploy payload for long haul C2 over DNS\r\n               - Move .DLL to virtual file system\r\n               - loader --load downloader\r\n               - downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\\Users\\\u003cuser\u003e\\DNS_scythe_client32.dll\r\nEstablish persistence with Scheduled Task (T1053) and Rundll32 (T1085)\r\n               - schtasks /create /tn DNS /sc ONLOGON /tr \"cmd.exe /k rundll32.exe C:\\Users\\\u003cuser\u003e\\DNS_scythe_client32.dll,PlatformClientMain\"\r\nDNS\r\nThe adversary emulation plan for the DNS campaign is very basic, as we just need connectivity to lie dormant and check in very infrequently: Buhtrap-DNS. Once imported, it is very important to change the parameters and ensure the DNS relay is functioning properly.\r\nEmulating Buhtrap\r\nWith an adversary emulation plan, it is time to set up the campaign and emulate the TTPs.\r\nDefending against Buhtrap\r\nBuhtrap uses HTTPS beacons for short haul because of the amount of data they collect on target systems. Beacons are stealthier than the long, persistent connections that Metasploit payloads hold open. An excellent article about detecting long connections is available from our friends at Black Hills Information Security. In the APT19 Threat Thursday we covered how to identify beacons over HTTPS. This week, let’s focus on detecting DNS C2. Our friends at Active Countermeasures have us covered.\r\nConclusion\r\nIn this week’s #ThreatThursday we learned how to consume cyber threat intelligence, extract TTPs, and build an adversary emulation plan when the MITRE ATT\u0026CK website does not have the group documented. We also learned that Buhtrap uses short haul and long haul C2 over HTTPS and DNS respectively. This is common among sophisticated threat actors and important to have detective controls around. Hope you enjoyed!\r\nThis Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.\r\nAbout SCYTHE\r\nSCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.\r\nSource: https://www.scythe.io/library/threatthursday-buhtrap",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.scythe.io/library/threatthursday-buhtrap"
	],
	"report_names": [
		"threatthursday-buhtrap"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439141,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04333e730fc1dc9814aea65ea603cadfa590a3d5.pdf",
		"text": "https://archive.orkl.eu/04333e730fc1dc9814aea65ea603cadfa590a3d5.txt",
		"img": "https://archive.orkl.eu/04333e730fc1dc9814aea65ea603cadfa590a3d5.jpg"
	}
}