The Patient Archivist: Bronze Butler

← Home·Gallery·Techniques

Threat Intelligence Tarot

swords · 4

China (PLA-linked)

G0060

★★★★★

risk 4/5

✦ The Patient Archivist ✦

Bronze Butler

REDBALDKNIGHT · Tick · STALKER PANDA

JapanSouth KoreaTaiwanCritical infrastructureAerospaceDefense

Active since ~2008 · Japanese industrial espionage, Defense and technology theft, Long-term persistent access

It does not rush. It selects a Japanese defense subcontractor, deploys a custom RAT, and waits - months, sometimes years - while blueprints, contracts, and technical specifications accumulate in its staging servers. The Patient Archivist reads everything.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1059.003

Windows Command Shell

Execution

T1053.005

Scheduled Task

Persistence

T1070.004

File Deletion

Defense Evasion

T1071.001

Web Protocols

Command and Control

Notable Operations

◆Japan aerospace and defense sector campaigns (2012–present)
◆TickDownloader and Daserf RAT deployments
◆Japanese critical infrastructure targeting
◆Decade-long persistent campaigns against same targets

Defenses

▸
Email attachment sandboxing and filtering
CIS Control 9 ↗
▸
Endpoint detection with behavioral analysis for RAT activity
NIST CSF: DE.CM ↗
▸
Network egress monitoring for C2 beaconing patterns
CIS Control 13 ↗
▸
User and entity behavior analytics (UEBA)
NIST CSF: DE.AE ↗

Reversed: Their Weakness

Bronze Butler's long dwell times work against it when discovered - the extensive log history and consistent malware families made retrospective attribution and full scope-of-compromise analysis unusually complete.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Hidden Key Next →The Nomadic Eye

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.