BRONZE VINEWOOD
SUMMARY
BRONZE VINEWOOD has targeted legal, consulting, and software development organizations. CTU research also suggests that organizations that operate in government or defense supply chains, or that provide services to those organizations, are at increased risk from targeted threat groups like BRONZE VINEWOOD.
The group has used a range of tools for initial access, persistence, and lateral movement, including SQL injection, Trochilus RAT, HanaRat, and other malware. Stolen data has been compressed as RAR files and staged in Temp directories on compromised servers prior to exfiltration. The group uses a variety of command and control servers to make it harder to link BRONZE VINEWOOD intrusions. The group has also used public sites such as GitHub and Dropbox for command and control.
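A hunt for the staging behavior described above, as an added example that is not part of the original profile: it walks Temp directories and identifies RAR archives by file signature rather than by extension, so renamed archives are still reported. The function names and the default root are assumptions chosen for illustration.

```python
"""Hunt for RAR archives staged in Temp directories, by file signature."""
import os
import sys
import tempfile
from pathlib import Path

# RAR signatures: the 4.x marker is 7 bytes, the 5.x marker is 8 bytes.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def rar_version(path):
    """Return 'RAR5', 'RAR4' or None based on the file's leading bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:  # locked or unreadable file: skip it, do not abort the hunt
        return None
    if head.startswith(RAR5_MAGIC):
        return "RAR5"
    if head.startswith(RAR4_MAGIC):
        return "RAR4"
    return None


def find_staged_rar(roots):
    """Walk each root and report every file whose content is a RAR archive."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                path = Path(dirpath) / name
                version = rar_version(path)
                if version is None:
                    continue
                findings.append({
                    "path": str(path),
                    "format": version,
                    "size": path.stat().st_size,
                    # An archive without a .rar extension is a stronger signal.
                    "renamed": path.suffix.lower() != ".rar",
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Default root is an assumption; pass the server's real Temp paths as arguments.
    for hit in find_staged_rar(sys.argv[1:] or [tempfile.gettempdir()]):
        flag = "renamed" if hit["renamed"] else "-"
        print(f'{hit["format"]}\t{hit["size"]}\t{flag}\t{hit["path"]}')
```

Legitimate software also writes archives to Temp, so treat hits as leads to correlate with file size, creation time, and the owning account.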