>samit_hota
Back to adversary profiles
G0060HighActive

BRONZE BUTLER (G0060) Threat Profile: Persistent Chinese Cyber Espionage

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Information theft, Intellectual Property Theft
Aliases
REDBALDKNIGHT, Tick
Target Sectors
Government, Biotechnology, Electronics Manufacturing, Industrial Chemistry, Critical Infrastructure, Heavy Industry, Manufacturing, International Relations, Defense, High-Tech, IT
Associated Malware
Daserf, Datper, xxmm, 9002 RAT, Invader, Gofarer, HomamDownloader, Lilith RAT, ShadowPy, Gokcpdoor, OAED Loader, Havoc C2, Mimikatz, PsExec, WCE, Gh0st RAT
#threat-actor#g0060

Overview

BRONZE BUTLER, identified by MITRE ATT&CK as G0060, is a sophisticated and persistent cyber espionage group believed to originate from China. Also known by aliases such as REDBALDKNIGHT and Tick, this group has been active since at least 2008, with some reporting suggesting operations dating back to 2006. Their primary objective is cyber espionage and the exfiltration of intellectual property and other confidential data. This includes sensitive political, diplomatic, military, and industrial information, often focused on national strategic planning, defense research and development, and industrial capabilities within East Asia. Analysis indicates BRONZE BUTLER may be tasked by multiple teams or organizations, given the diversity of their targeting.

While primarily targeting Japanese organizations, BRONZE BUTLER’s operational scope extends to South Korea, Taiwan, and Russia. Their targets within these regions span critical sectors including government, biotechnology, electronics manufacturing, industrial chemistry, critical infrastructure, heavy industry, manufacturing, and international relations. A notable characteristic of BRONZE BUTLER is their strategic focus on compromising Japanese-developed software, often exploiting region-specific vulnerabilities to gain covert access. This approach has allowed them to maintain long-term, stealthy access to high-value networks for prolonged periods, sometimes remaining undetected for over five years.

Tactics & Techniques

BRONZE BUTLER employs a diverse array of tactics, techniques, and procedures (TTPs) designed for persistent and covert operations. Initial access frequently involves spearphishing emails, often with malicious Flash animation attachments, or strategic web compromises (watering hole attacks) that leverage Flash exploits. They also exploit unpatched systems, including internet-facing servers, and have been observed using malicious Microsoft Word attachments. A key tactic is exploiting zero-day vulnerabilities in Japanese-specific software, such as SKYSEA Client View and Motex Lanscope Endpoint Manager, as well as broader vulnerabilities in Microsoft Exchange Server and Office products.

Once a foothold is established, BRONZE BUTLER focuses on persistence, often achieved through registry manipulation, scheduled tasks (at or schtask commands), and establishing malicious service entries. For defense evasion, they employ sophisticated techniques like inflating file sizes with null characters to bypass antivirus detection and deleting forensic evidence of their activities. Their custom malware often utilizes strong encryption (RC4, AES) for command and control (C2) communications and has incorporated steganography to conceal malicious payloads within image files. They also use DLL sideloading and inject malicious code into legitimate processes.

Lateral movement typically involves network commands like net use and copy to transfer malware, along with scheduling tasks for execution on compromised systems. They leverage credential dumping tools such as Mimikatz, gsecdump, and Windows Credential Editor (WCE) for privilege escalation. For reconnaissance, they enumerate processes, installed software, system services, network configurations, and account information using standard Windows commands and custom tools. Data exfiltration often involves compressing stolen files into password-protected RAR archives and uploading them to C2 servers. More recently, they’ve shown a preference for cloud-based data exfiltration via browser uploads to public storage and peer-to-peer platforms like file.io and potentially LimeWire. A notable operational security measure is their use of distinct attack infrastructures for different targets, minimizing attribution risks. Furthermore, their ability to craft fluent Japanese in phishing emails and decoy documents (e.g., using Ichitaro word processors) suggests strong language proficiency and cultural understanding.

Notable Campaigns

BRONZE BUTLER has a long history of impactful campaigns. A significant incident in 2016 involved exploiting CVE-2016-7836, a then-unpatched remote code execution vulnerability in SKYSEA Client View, a popular Japanese IT asset management software. This zero-day exploitation allowed them to compromise numerous Japanese organizations, maintaining covert access for extended periods.

In early 2019, BRONZE BUTLER engaged in “Operation ENDTRADE,” focusing on specific Japanese industries to steal proprietary and classified data. Around the same time, they compromised a Japanese economic research company and a public relations agency to steal email credentials and files, subsequently using these for spearphishing campaigns.

More recently, in 2023, the group was observed exploiting the ProxyLogon vulnerability (CVE-2021-27065, CVE-2021-26855, CVE-2021-26858, CVE-2021-26857) in Microsoft Exchange Server to compromise a South Korean IT company. Most notably, in mid-2025, BRONZE BUTLER launched a sophisticated campaign exploiting CVE-2025-61932, a critical zero-day vulnerability in Motex Lanscope Endpoint Manager (CVSS 9.3-9.8). This vulnerability allowed unauthenticated remote code execution with SYSTEM-level privileges. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61932 to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the severity and active exploitation of this flaw.

Associated Malware & Tools

BRONZE BUTLER possesses a robust and evolving toolset, comprising both custom-developed malware and commonly available open-source utilities.

Key custom malware families include:

  • Daserf (aka Muirim, Nioupale): A versatile backdoor capable of executing shell commands, downloading/uploading data, taking screenshots, and logging keystrokes. Later versions incorporate steganography.
  • Datper: A Delphi-coded Remote Access Trojan (RAT) that likely replaced Daserf, using RC4-encrypted HTTP traffic for C2.
  • xxmm (aka Minzen, Wali, ShadowWali, TROJ_KVNDM): Another RAT, and likely successor to Daserf, which AES-encrypts HTTP communications. Builders for xxmm suggest customizability based on target.
  • Gokcpdoor: A primary backdoor observed in recent 2025 campaigns, known for using the KCP protocol for proxy connections and adopting multiplexed C2 communications.
  • OAED Loader: Used to inject payloads like Gokcpdoor or Havoc into legitimate executables, complicating detection.
  • ShadowPy: A previously undocumented downloader uncovered during a 2023 campaign targeting a DLP software developer.
  • Gofarer: A downloader used in watering hole attacks to collect system information and install Daserf.
  • Other custom tools include 9002 RAT, Invader (aka Kickesgo), HomamDownloader, Lilith RAT, Elirks, ReVBShell, Ghostdown, Netboy, SymonLoader, 8.t Dropper, and Bisonal.

In addition to their custom arsenal, BRONZE BUTLER leverages various open-source and legitimate tools:

  • Credential Dumpers: Mimikatz, gsecdump, and Windows Credential Editor (WCE).
  • Remote Access: PsExec, Gh0st RAT.
  • C2 Frameworks: In some instances, they have deployed the Havoc C2 framework instead of Gokcpdoor.
  • Utilities: cmd, Net, VBS, at, whoami, schtasks, ping, DGet (similar to wget), 7-Zip (for compression), and remote desktop protocols.

Current Status

BRONZE BUTLER remains an active and formidable cyber espionage threat. The group consistently demonstrates advanced capabilities, particularly in identifying and exploiting zero-day vulnerabilities in highly specific, regional software. Their most recent activities, including the mid-2025 exploitation of a critical zero-day in Motex Lanscope Endpoint Manager, confirm their ongoing operations and commitment to targeting Japanese strategic industries.

Their continued evolution of malware, use of sophisticated evasion techniques, and persistent focus on long-term intelligence gathering underscore their strategic importance to their sponsors. Organizations in Japan and other targeted East Asian countries, especially those involved in critical infrastructure, defense, high-tech, and manufacturing, should remain vigilant against BRONZE BUTLER’s adaptive and persistent threat. The group’s ability to develop and deploy proprietary tools, coupled with their sustained presence in compromised networks over many years, indicates a well-resourced and disciplined adversary.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call