{
	"id": "945f8115-b78a-4a9c-8c46-27f68a1e3eb8",
	"created_at": "2026-04-06T00:18:13.246653Z",
	"updated_at": "2026-04-10T03:36:14.039045Z",
	"deleted_at": null,
	"sha1_hash": "b63eb34fb666ea8a956f93df585f7871596b581d",
	"title": "REDBALDKNIGHT’s Daserf Backdoor Now Uses Steganography",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86202,
	"plain_text": "REDBALDKNIGHT’s Daserf Backdoor Now Uses Steganography\r\nBy By: Joey Chen, MingYen Hsieh Nov 07, 2017 Read time: 5 min (1250 words)\r\nPublished: 2017-11-07 · Archived: 2026-04-02 10:52:57 UTC\r\nAdditional analysis and insights by Higashi Yuka and Chizuru Toyama\r\nREDBALDKNIGHT, also known as BRONZE BUTLERopen on a new tab and Tick, is a cyberespionage group\r\nknown to target Japanese organizations such as government agencies (including defense) as well as those in\r\nbiotechnology, electronics manufacturing, and industrial chemistry. Their campaigns employ the Daserf backdoor\r\n(detected by Trend Micro as BKDR_DASERF, otherwise known as Muirim and Nioupale) that has four main\r\ncapabilities: execute shell commands, download and upload data, take screenshots, and log keystrokes.\r\nOur recent telemetry, however, indicates that variants of Daserf were not only used to spy on and steal from\r\nJapanese and South Korean targets, but also against Russian, Singaporean, and Chinese enterprises. We also found\r\nvarious versions of Daserf that employ different techniques and use steganography—embedding codes in\r\nunexpected mediums or locations (i.e., images)—to conceal themselves better.\r\nLike many cyberespionage campaigns, REDBALDKNIGHT’s attacks are intermittent but drawn-out. In fact,\r\nREDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008—at least based on the file\r\nproperties of the decoy documents they’ve been sending to their targets. The specificity of their targets stems from\r\nthe social engineering tactics used. The decoy documents they use in their attack chain are written in fluent\r\nJapanese, and particularly, created via the Japanese word processor Ichitaro. 
One of the decoy documents, for instance, was about the “plan of disaster prevention in Heisei 20” (Heisei is the current/modern era in Japan).\r\nFigure 1: File properties of one of the decoy documents that REDBALDKNIGHT sends to Japanese targets\r\nFigure 2: Sample of decoy documents used by REDBALDKNIGHT, employing socially engineered titles in their spear phishing emails such as “disaster prevention”\r\nAttack Chain\r\nREDBALDKNIGHT’s attacks typically use spear phishing emails as an entry point. Their attachments exploit a vulnerability in Ichitaro, as shown above. These are decoy documents, often used by cyberespionage groups as a distraction while they execute their malware behind the scenes, using lures such as “CPR” and “disaster prevention.”\r\nDaserf is installed and launched on the affected machine once the victim opens the document. Daserf wasn’t well-known until security researchers publicly disclosed it last year; they traced its beginnings as far back as 2011. Based on the hardcoded version number they divulged (Version:1.15.11.26TB Mini), we were able to source other versions of the backdoor (listed in the appendix).\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/\r\nPage 1 of 3\r\nFine-tuning Daserf\r\nOur analyses revealed that Daserf regularly undergoes technical improvements to keep itself under the radar of traditional anti-virus (AV) detection. For instance, Daserf versions 1.50Z, 1.50F, 1.50D, 1.50C, 1.50A, 1.40D, and 1.40C use encrypted Windows application programming interfaces (APIs). Version v1.40 Mini uses the MPRESS packer, which provides some degree of protection against AV detection and reverse engineering. 
Daserf 1.72 and later versions use alternative base64 + RC4 to encrypt the feedback data, while others use different encryption, such as 1.50Z, which uses the Caesar cipher (which substitutes each plaintext letter with the letter a fixed number of positions up or down the alphabet).\r\nMore notably, REDBALDKNIGHT integrated steganography to conduct second-stage command-and-control (C\u0026C) communication and retrieve a second-stage backdoor. This technique has been observed in Daserf v1.72 Mini and later versions. Daserf’s use of steganography not only enables the backdoor to bypass firewalls (i.e., web application firewalls); the technique also allows the attackers to change the second-stage C\u0026C communication or backdoor faster and more conveniently.\r\nHow REDBALDKNIGHT Employs Steganography\r\nDaserf’s infection chain accordingly evolved, as shown below. It has several methods for infecting its targets of interest: spear phishing emails, watering hole attacks, and exploiting a remote code execution vulnerability (CVE-2016-7836, patched in March 2017) in SKYSEA Client View, an IT asset management software widely used in Japan.\r\nFigure 3: Daserf’s latest execution and infection flow\r\nA downloader is installed on the victim’s machine and retrieves Daserf from a compromised site. Daserf then connects to another compromised site and downloads an image file (e.g., .JPG, .GIF). Embedded in the image is either the encrypted backdoor configuration or a hacking tool. After decryption, Daserf connects to its C\u0026C and awaits further commands. Daserf 1.72 and later versions incorporate steganographic techniques.\r\nREDBALDKNIGHT’s use of steganography isn’t limited to Daserf. We also found two of their toolkits employing the same technique—xxmm2_builder and xxmm2_steganography. 
Based on their PDB strings, they’re both components of another REDBALDKNIGHT-related threat, XXMM (TROJ_KVNDM), a downloader Trojan that can also act as a first-stage backdoor with its capability to open a shell. While xxmm2_builder allows REDBALDKNIGHT to customize the settings of XXMM, xxmm2_steganography is used to hide malicious code within an image file.\r\nREDBALDKNIGHT’s tool can create, embed, and hide executables or configuration files within the image file, with its tag and encrypted strings, via steganography. An encrypted string can be an executable file or a URL. A threat actor uses or uploads an existing image that the builder then injects with steganographic code. Additionally, we found that the steganography algorithm (alternative base64 + RC4) used by XXMM and Daserf was the same.\r\nFigure 4: Code snippets showing Daserf’s decode function, which is the same as XXMM’s\r\nFigure 5: Steganography toolkit used by REDBALDKNIGHT for XXMM\r\nFigure 6: Snapshots of Daserf’s steganographic code generated by their toolkit\r\nMitigation\r\nSteganography is a particularly useful technique in purposeful cyberattacks: the longer their malicious activities stay undetected, the more they can steal and exfiltrate data. And indeed, the routine is increasingly gaining cybercriminal traction, in varying degrees of proficiency—from exploit kits, malvertising campaigns, banking Trojans, and C\u0026C communication to even ransomware. 
In the case of REDBALDKNIGHT’s campaigns, the use of steganography is further compounded by their use of malware that can better evade detection and analysis.\r\nREDBALDKNIGHT’s continuous campaigns—along with their diversity and scope—highlight the importance of defense in depth. Organizations can mitigate these threats by enforcing the principle of least privilege to significantly reduce the opportunities for lateral movement. Network segmentation and data categorization help in this regard. Mechanisms like access control and blacklisting, as well as intrusion detection and prevention systems, help further secure the network, while whitelisting (e.g., application control) and behavior monitoring help detect and block anomalous activities from suspicious or unknown files.\r\nSafeguard the email gateway to defend against REDBALDKNIGHT’s spear phishing methods. Disable unnecessary and outdated components or plug-ins, and ensure that system administration tools are used securely, as they can be misused by threat actors. And more crucially, keep the infrastructure and its applications up-to-date to reduce the attack surface—from the gateways and networks to endpoints and servers.\r\nTrend Micro Solutions\r\nTrend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats like REDBALDKNIGHT’s attacks even without any engine or pattern update. 
Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed.\r\nTrend Micro’s suite of security solutions is powered by XGen™ security, which features high-fidelity machine learning to secure the gateway and endpoint data and applications. XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data.\r\nA list of the Indicators of Compromise (hashes, C\u0026Cs) related to this research is in this appendix.\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
	],
	"report_names": [
		"redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography"
	],
	"threat_actors": [
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775792174,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b63eb34fb666ea8a956f93df585f7871596b581d.pdf",
		"text": "https://archive.orkl.eu/b63eb34fb666ea8a956f93df585f7871596b581d.txt",
		"img": "https://archive.orkl.eu/b63eb34fb666ea8a956f93df585f7871596b581d.jpg"
	}
}