Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 22:24:04 UTC
Home > List all groups > List all tools > List all groups using tool RCSession
 Tool: RCSession
Names RCSession
Category Malware
Type Backdoor
Description
(SecureWorks) This basic RAT is installed via DLL side-loading, and CTU researchers
observed BRONZE PRESIDENT installing it on multiple hosts during intrusions.
RCSession was extracted from a file called English.rtf and launched via a hollowed
svchost.exe process. RCSession connects to its C2 server via a custom protocol, can
remotely execute commands, and can launch additional tools. CTU researchers have no
evidence of other threat actors using RCSession or of wide proliferation of the tool,
suggesting it may be exclusively used by BRONZE PRESIDENT.
Information MITRE ATT&CK Last change to this tool card: 30 December 2022
Download this tool card in JSON format
All groups using tool RCSession
Changed Name Country Observed
APT groups
 Mustang Panda, Bronze President 2012-Jun 2025
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07e50a75-39c7-4cab-b156-8f3fb1d13732
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07e50a75-39c7-4cab-b156-8f3fb1d13732
Page 1 of 1