Bisonal
Bisonal is a remote access trojan (RAT) and backdoor used in cyber-espionage operations and described as part of the Tonto Team/CactusPete arsenal; some reporting also links related infrastructure and activity to other Chinese state-sponsored actors, including possible overlap with Winnti/APT41. Across the cited reporting it is consistently associated with Chinese threat activity. Delivery has commonly relied on spearphishing with malicious email attachments, including Office documents built with the Royal Road builder and documents exploiting CVE-2018-0798; other campaigns used Windows executables disguised as PDF files alongside decoy documents. Reported targets include government, military, defense, financial, telecommunications, critical-infrastructure, and private-sector organizations, with victims or targeting noted in Russia, Eastern Europe, Pakistan, South Korea, Japan, and elsewhere.
Capabilities described in the reporting include unrestricted remote control, file searching, file upload/download, command execution, process and service information gathering, host information collection, exfiltration over the C2 channel, anti-analysis, and proxy-aware communications. Bisonal can run ipconfig on victim machines, query proxy settings from the Registry via RegQueryValueExA, communicate through a proxy server, use raw sockets for network communication, and check whether the compromised system is running on VMware. It has encoded binary data with Base64 and ASCII, and one reported variant encrypted C2 traffic and strings with RC4. Exfiltrated data has been appended to URLs sent over the C2 channel.
Persistence and execution behaviors in the reporting include modification for use as a Windows service, launch via rundll32.exe from a Run key, and creation of VBS scripts on victim machines; one report notes that the malware deletes its dropper and VBS scripts after installation. Masquerading includes renaming malicious code to msacm32.dll so that it hides behind a legitimate library name, with earlier versions disguised as winhelp. Specific indicators mentioned include the Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value "vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez"; the dropped DLL path C:\Windows\Temp\pvcu.dll; campaign-related SHA1 samples f599ed4ecb6c61ef2f2692d1a083e3bb040f95e6, 415ce2db3957294d73fa832ed844940735120bae, 91ca78231bcacab0d5e6194041817b96252e65bf, f444ff2386cd3ada204c3224463f4be310e5554a, and 85fac143c52e26c22562b0aaa80ffe649640bd29; and C2/infrastructure including instructor.giize[.]com (198.13.56[.]122), news.wooordhunts[.]com, supportteam.lingrevelat[.]com, upportteam.lingrevelat[.]com, kted56erhg.dynssl[.]com, euiro8966.organiccrap[.]com, 137.220.176[.]165, and 116.193.155[.]38.
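A detection check for the persistence pattern above, written as an added example rather than code from the page or any vendor: it parses constructed registry value-set events (Sysmon Event ID 13 style, in an assumed "Field=value|Field=value" layout) and flags Run-key values that use rundll32 to load a DLL from a user-writable directory, or that load a DLL carrying a Windows library name such as msacm32.dll from outside the system directories. The directory lists are assumptions to tune per estate.

```python
import re
from typing import List, NamedTuple, Optional

# Run/RunOnce keys under HKCU or HKLM, as in the page's "vert" persistence value.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# rundll32 <dll> , <export>; tolerates the spaces around the comma seen in the page's value.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^,\"]+?)\"?\s*,\s*(?P<export>\S+)", re.I)
# Directories a Run-key DLL should not be loaded from (assumed list; tune per estate).
WRITABLE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Legitimate Windows DLL names the page reports Bisonal masquerading as.
MASQUERADE_NAMES = ("msacm32.dll",)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

class Finding(NamedTuple):
    key: str
    dll: str
    reason: str

def parse_event(line: str) -> dict:
    """Parse one constructed 'Field=value|Field=value' registry value-set event."""
    return dict(f.split("=", 1) for f in line.strip().split("|"))

def check_run_value(event: dict) -> Optional[Finding]:
    """Flag rundll32 Run-key values loading a DLL from a writable path or under a masqueraded name."""
    key, details = event.get("TargetObject", ""), event.get("Details", "")
    if not RUN_KEY_RE.search(key):
        return None
    m = RUNDLL_RE.search(details)
    if not m:
        return None
    dll = m.group("dll").strip()
    low = dll.lower()
    if any(d in low for d in WRITABLE_DIRS):
        return Finding(key, dll, "rundll32 Run value loads DLL from a user-writable directory")
    if low.rsplit("\\", 1)[-1] in MASQUERADE_NAMES and not any(d in low for d in SYSTEM_DIRS):
        return Finding(key, dll, "system DLL name loaded from outside a system directory")
    return None

def scan(lines) -> List[Finding]:
    return [f for f in (check_run_value(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample events; the first mirrors the Run value quoted on this page.
SAMPLE_EVENTS = [
    "EventID=13|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vert|Details=rundll32.exe c:\\windows\\temp\\pvcu.dll , Qszdez",
    "EventID=13|TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\audio|Details=rundll32.exe C:\\ProgramData\\msacm32.dll,Start",
    "EventID=13|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details=\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
    "EventID=13|TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cpl|Details=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.key} -> {f.dll}")
```

Only the first two constructed events are flagged; the OneDrive entry and the System32 control-panel entry are left alone.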
Vulnerabilities exploited (3 CVEs correlated with this family across public research and vendor advisories)
The example documents shown above both exploit CVE-2018-0798, a remote execution vulnerability in Microsoft Office to install the embedded malware.
The attacks use phishing emails to deliver Office documents to exploit targets in order to deliver their RAT of choice, most commonly Bisonal.
Among our finds on the server were utilities for lateral movement... The server had the following utilities: Utilities to check for and exploit vulnerability MS17-010... The hackers tweaked the functionality of the MS17-010 utility by adding the ability to check an entire subnet.
May 2018: a new wave of targeted attacks abusing CVE-2018-8174 (this exploit has been associated with the DarkHotel APT group, as described on Securelist), with diplomatic, defense, manufacturing, military and government targets in Asia and Eastern Europe;
Groups observed using it (2 distinct threat actors attributed by public researchers)
The attacks use phishing emails to deliver Office documents to exploit targets in order to deliver their RAT of choice, most commonly Bisonal.
On one of the IP addresses on ShadowPad infrastructure, we found domains used in Bisonal RAT attacks in 2015–2020.
Techniques & procedures (28 distinct techniques documented for this family, organized by ATT&CK tactic)
Initial Access (2 techniques)
The attacks use phishing emails to deliver Office documents to exploit targets in order to deliver their RAT of choice, most commonly Bisonal.
admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails... APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts... Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments.
Execution (5 techniques)
CERT-UA assessed that the documents... were likely built with the Royal Road builder and dropped the Bisonal backdoor.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
The example documents shown above both exploit CVE-2018-0798, a remote execution vulnerability in Microsoft Office to install the embedded malware.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence (3 techniques)
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation (2 techniques)
The service-modification and Run key/Startup-folder evidence cited under Persistence applies here as well.
Stealth (8 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
Bisonal has deleted Registry keys to clean up its prior activity. FIN8 has deleted Registry keys during post compromise cleanup activities. SUNBURST also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Defense Impairment (1 technique)
Discovery (6 techniques)
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
The virtualization and sandbox checks cited under Stealth (including Bisonal's check for VMware) are also catalogued here as a Discovery technique.
Collection (1 technique)
Command and Control (3 techniques)
This email contains the Royal Road attachment “Please help to Check.doc” ... and beaconing outbound to instructor.giize[.]com (198.13.56[.]122).
Recent activity (66 sources tracked across advisories, community write-ups, and news)
A backdoor RAT associated with Chinese threat actors, used as the payload delivered via malicious Office documents. It provides long-term remote access and has evolved with capabilities for file searching and exfiltration, anti-analysis and detection evasion, and generally unrestricted system control.
Bisonal is a remote access trojan (RAT) and backdoor primarily used by Chinese state-sponsored threat actors. It provides attackers with persistent access, file searching and exfiltration capabilities, anti-analysis features, and unrestricted system control. It is typically delivered via malicious Office documents exploiting known vulnerabilities.
Software changes: ... Bisonal
Remote access trojan observed sharing infrastructure with ShadowPad and delivered via xDII in attacks (notably against Japanese targets per cited research).