{
	"id": "187a5eef-5ddb-425d-93ae-9b852b37195a",
	"created_at": "2026-04-06T00:07:16.714447Z",
	"updated_at": "2026-04-10T13:11:20.458249Z",
	"deleted_at": null,
	"sha1_hash": "94306e3bc8d88a5c291cde811d1f924bda5b537b",
	"title": "Bandook - A Persistent Threat That Keeps Evolving | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 544635,
	"plain_text": "Bandook - A Persistent Threat That Keeps Evolving | FortiGuard Labs\r\nBy Pei Han Liao\r\nPublished: 2023-12-21 · Archived: 2026-04-02 11:21:54 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: Remote attackers gain control of the infected systems\r\nSeverity Level: Critical\r\nBandook malware is a remote access trojan that has been continuously developed since it was first detected in\r\n2007. It has been used in various campaigns by different threat actors over the years. FortiGuard Labs identified a\r\nnew Bandook variant being distributed via a PDF file this past October. This PDF file contains a shortened URL\r\nthat downloads a password-protected .7z file. After the victim extracts the malware with the password in the PDF\r\nfile, the malware injects its payload into msinfo32.exe. In this article, we will briefly introduce Bandook’s\r\nbehavior, provide detailed information about the modified elements of this new variant, and share some examples\r\nof the mechanism of its C2 communication.\r\nInjector\r\nThe injector component decrypts the payload in the resource table and injects it into msinfo32.exe.\r\nBefore the injection, a registry key is created to control the behavior of the payload. The key name is the PID of\r\nmsinfo32.exe, and the value contains the control code for the payload. Once executed with any argument,\r\nBandook creates a registry key containing another control code that enables its payload to establish persistence,\r\nand it then injects the payload into a new process of msinfo32.exe. There are two registry keys, shown in Figure 1.\r\nFigure 1: The registry keys written by Bandook.\r\nA variant reported in 2021 required four control codes and created four processes of explorer.exe that it injected in\r\na single execution. 
This new variant uses fewer control codes and makes a more precise division of tasks.\r\nPayload\r\nhttps://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving\r\nPage 1 of 9\n\nFigure 2: The execution flow of the payload.\r\nFigure 2 is the overview of the payload. Once injected, the payload initializes strings for the key names of\r\nregistries, flags, APIs, etc. After this, it uses the PID of the injected msinfo32.exe to find the registry key and then\r\ndecodes and parses the key value to perform the task specified by the control code. Figure 3 shows the\r\nrelationship between the key value and the payload’s behavior. The control codes play the same role as previous\r\nvariants, but strings are used instead of numbers.\r\nFigure 3: Relationship between key value, command line, and payload.\r\nThe variant we found in October 2023 has two additional control codes, but its injector doesn’t create registries\r\nfor them. One asks the payload to load fcd.dll, which is downloaded by another injected process and calls fcd.dll’s\r\nInit function. The other mechanism establishes persistence and executes Bandook’s copy.\r\nThese unused control codes have been removed from even newer variants\r\n(430b9e91a0936978757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ce).\r\nOf the two remaining control codes, “ACG” is the main control code for an attack, while “GUM” establishes the\r\npersistence mechanism.\r\nGUM Control Code\r\nWhen the control code is “GUM,” Bandook drops a copy to the SMC folder in the appdata folder as “SMC.exe”\r\nor “SMC.cpl” and creates a registry key to automatically execute the copy. 
There are three registry keys to run\r\nSMC.exe.\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nKey name: SMC\r\nValue: %APPDATA%\\SMC\\SMC.exe\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nKey name: shell\r\nValue: explorer.exe, %APPDATA%\\SMC\\SMC.exe\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\\r\nKey name: Load\r\nValue: short path of %APPDATA%\\SMC\\SMC.exe\r\nWhen the copy is SMC.cpl, the registry key and value are the following:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nKey name: SMC\r\nValue: %windir%\\System32\\controll.exe %APPDATA%\\SMC\\SMC.cpl\r\nACG Control Code\r\nWhen the control code is ACG, the payload can download files for other modules, including fcd.dll, pcd.dll, an\r\nexecutable file, and others. This is an optional function based on flags set when the payload initializes. The files\r\ncan also be downloaded from the C2 server when necessary. If fcd.dll is downloaded, Bandook calls its functions\r\nand passes the key names of the registry key as arguments. Similarly, many registry keys store information used in\r\nother actions.\r\nAn action may be separated into several parts, and it’s necessary to piece all related commands and registry keys\r\ntogether. For example, C2 communication may use one command to write a registry key and a separate command\r\nto read it.\r\nC2 Communication\r\nFirst, Bandook sends victim information to its C2 server:\r\nFigure 4: Traffic capture and AES decrypted data of the victim information.\r\nIf the C2 server is available, Bandook receives commands from the server, including *DJDSR^, @0001, @0002,\r\nand so on. 
While the string sequence in the newest variants reaches @0155, some are only used when sending a\r\nresult to the server, and others only exist in other modules. As shown in Figure 5, the payload doesn’t use the\r\ncommand @0133, though it can be found in fcd.dll.\r\nFigure 5: @0133 can be found in fcd.dll.\r\nDespite the numbering, the payload only supports 139 actions. In addition, some special commands are only sent\r\nto the server under specific conditions. Since most actions are the same as in previous variants, we will focus on\r\ncommunications between Bandook and the C2 server using the new commands added to the most recent variants.\r\nThese actions can be roughly categorized as file manipulation, registry manipulation, download, information\r\nstealing, file execution, invocation of functions in dlls from the C2, controlling the victim’s computer, process\r\nkilling, and uninstalling the malware.\r\nThe data from the C2 server has the following format:\r\n{Command}~!{Arg2}~!{Arg3}~!{Arg4}~!{Arg5}~!{Arg6}~!\r\nThe first argument is the command, which is necessary. Arg2 to Arg6 are optional.\r\nBelow are four examples of actions that require multiple commands and actions that have complex mechanisms.\r\n@0003, @0004\r\nThis action is about file reading. If Arg3 is R, it keeps calling the Sleep function until the C2 server sends @0004\r\nand its related arguments to Bandook. The @0004 command gives a value to determine from where to read the\r\nfile or to just do nothing.\r\nFinally, Bandook sends the file specified by Arg2 to the C2 server.\r\nFigure 6: Process flow when Bandook receives @0003 from the server.\r\n@0006, @0007\r\nThis action is about file writing. Similar to @0003, @0006 waits for @0007. 
@0007 determines how to write data\r\nfrom the C2 server to a local file.\r\nFigure 7: Process flow when Bandook receives @0007 from the server.\r\n@0126, @0127, @0128\r\nThis action executes a Python file. The main command is @0128, which calls a ShellExecute function to run a\r\nPython file {Parent directory}\\Lib\\dpx.pyc with arguments Arg2~Arg6. The {Parent directory} is stored in the\r\nregistry key pthma under HKCU\\Software. @0126 checks pthma’s value and sends the result to the server. @0127\r\nwrites its Arg2 to pthma if fcd.dll is initialized in the victim’s computer.\r\nAdditionally, some commands send special data to the server:\r\n@0124\r\nThis action monitors the victim’s screen and controls the computer. When Bandook receives this command, it\r\noverwrites the config file of Firefox pref.js with code hard-coded in the payload and disables protection\r\nmechanisms in Microsoft Edge:\r\nSoftware\\Microsoft\\Internet Explorer\r\nKey name: TabProcGrowth\r\nValue: 0\r\nKey name: NoProtectedModeBanner\r\nValue: 1\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\r\nKey name: 2500\r\nValue: 3\r\nAfter this, Bandook creates a virtual desktop and assigns it to a newly created thread (Thread_Control) that\r\nestablishes a new communication with the C2 server. It first sends the string AVE_MARIA, followed by another\r\npacket containing the number 1, to the server.\r\nFigure 8: The “AVE_MARIA” and number sent by Bandook.\r\nIf the server responds, Bandook creates another thread to keep sending screenshots to the server. This thread also\r\nsends two packets: the string AVE_MARIA and the number 0. In the meantime, Thread_Control receives\r\ncoordinates and control codes from the server. These tasks include:\r\nOpen the Run dialog\r\nCopy user data from Chrome to another folder and open another Chrome instance using a new directory\r\nand configurations. 
It uses the following command to help it run faster: cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir={New folder}\r\nCopy user data to another folder and open another Firefox instance with the copied profile\r\nExecute Internet Explorer\r\nTerminate Microsoft Edge, enable its Compatibility Mode, and open another Edge instance with a new\r\ndirectory and configurations. It uses the following command to help it run faster:\r\nC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir={New folder}\r\nAccess specified windows\r\nIn addition, there are three new commands compared to the 2021 variant:\r\n@0138\r\nThis writes encrypted backup URLs to the registry key kPYXM under HKCU\\Software\\AkZhAyV0\\. When the\r\ncurrent C2 server is unavailable, Bandook will decrypt it and try to access the URLs. The format of the decrypted\r\ndata will look like this:\r\n{URL}|{URL}|{URL}|\r\nBandook will extract URLs and try these sequentially if the previous URL is unavailable.\r\n@0139\r\nThis command asks Bandook to parse cookies from the browser specified by the C2, including Chrome, Edge, and\r\nFirefox, and save the result as Default.json in a .zip file.\r\n@0140\r\nIn the previous variant, @0140 is missing. 
This command asks Bandook to establish a persistence mechanism\r\nwith sub_13160400, also called when the control code is GUM, as shown in Figure 9.\r\nFigure 9: The new variant uses the same function in the control code and command.\r\nConclusion\r\nThis article unveils new details about the C2 mechanism of this long-existing malware and the new features in its\r\nlatest variant. A large number of commands for C2 communication can be found in this malware. However, the\r\ntasks performed by its payload are fewer than the number in the command. This is because multiple commands\r\nare used for a single action, some commands call functions in other modules, and some are only used to respond\r\nto the server. Though the entire system is not observed in this attack, FortiGuard will continue monitoring\r\nmalware variants and provide appropriate protections.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nPDF/Agent.1F56!tr\r\nW32/Injector.EQDO!tr\r\nW32/Bandok.NAT!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros in the\r\ndocument.\r\nWe also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security\r\nAwareness. 
This module is designed to help end users learn how to identify and protect themselves from phishing\r\nattacks.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nIPs\r\n77[.]91[.]100[.]237\r\n45[.]67[.]34[.]219\r\nFiles\r\nSource: https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving"
	],
	"report_names": [
		"bandook-persistent-threat-that-keeps-evolving"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94306e3bc8d88a5c291cde811d1f924bda5b537b.pdf",
		"text": "https://archive.orkl.eu/94306e3bc8d88a5c291cde811d1f924bda5b537b.txt",
		"img": "https://archive.orkl.eu/94306e3bc8d88a5c291cde811d1f924bda5b537b.jpg"
	}
}