BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [1]

ID: S0017
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 January 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

BISCUIT has a command to launch a command shell on the system.[2]

Enterprise T1094 Custom Command and Control Protocol

BISCUIT communicates to the C2 server using a custom protocol.[2]

Enterprise T1008 Fallback Channels

BISCUIT contains a secondary, fallback command and control server that it contacts if the primary command and control server is unavailable.[1][2]

Enterprise T1056 Input Capture

BISCUIT can capture keystrokes.[2]

Enterprise T1057 Process Discovery

BISCUIT has a command to enumerate running processes and identify their owners.[2]

Enterprise T1105 Remote File Copy

BISCUIT has a command to download a file from the C2 server.[2]

Enterprise T1113 Screen Capture

BISCUIT has a command to periodically take screenshots of the system.[2]

Enterprise T1032 Standard Cryptographic Protocol

BISCUIT uses SSL for encrypting C2 communications.[2]

Enterprise T1082 System Information Discovery

BISCUIT has a command to collect the processor type, operating system, computer name, uptime, and whether the system is a laptop or PC.[2]

Enterprise T1033 System Owner/User Discovery

BISCUIT has a command to gather the username from the system.[2]
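Because BISCUIT wraps its custom protocol in SSL (T1032), payload inspection is of little use; the fallback behaviour in T1008, however, leaves a metadata pattern in outbound connection logs: a single process repeatedly fails to reach one external destination and then succeeds against a different one shortly afterwards. The following is an added detection example, not code from the ATT&CK page or from the cited reports. It assumes a constructed, space-delimited outbound-connection log of the form shown in SAMPLE_LOG (hypothetical format and hosts; the destination addresses are from the reserved TEST-NET ranges), and the thresholds min_failures and window are tuning assumptions, not values taken from BISCUIT.

```python
"""Flag primary-to-fallback C2 failover in outbound connection logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format; not real telemetry.
SAMPLE_LOG = """
2019-01-30T10:00:01Z host=WS01 proc=svchost.exe dst=203.0.113.10:443 action=FAIL
2019-01-30T10:00:31Z host=WS01 proc=svchost.exe dst=203.0.113.10:443 action=FAIL
2019-01-30T10:01:01Z host=WS01 proc=svchost.exe dst=203.0.113.10:443 action=FAIL
2019-01-30T10:01:05Z host=WS01 proc=svchost.exe dst=198.51.100.20:443 action=ALLOW
2019-01-30T10:02:00Z host=WS02 proc=chrome.exe dst=203.0.113.50:443 action=FAIL
2019-01-30T10:02:02Z host=WS02 proc=chrome.exe dst=198.51.100.7:443 action=ALLOW
2019-01-30T10:03:00Z host=WS03 proc=outlook.exe dst=198.51.100.40:443 action=ALLOW
2019-01-30T10:03:10Z host=WS03 proc=outlook.exe dst=198.51.100.40:443 action=FAIL
2019-01-30T10:03:20Z host=WS03 proc=outlook.exe dst=198.51.100.40:443 action=FAIL
2019-01-30T10:03:30Z host=WS03 proc=outlook.exe dst=198.51.100.40:443 action=ALLOW
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) action=(?P<action>\S+)$"
)


@dataclass
class Conn:
    ts: datetime
    host: str
    proc: str
    ip: str
    port: int
    action: str


def parse(lines):
    """Parse log lines into Conn records; lines that do not match are skipped."""
    conns = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                          m["host"], m["proc"], m["ip"], int(m["port"]), m["action"]))
    return conns


def find_failover(conns, min_failures=2, window=timedelta(minutes=5)):
    """Return (host, proc, primary_ip, fallback_ip) tuples where one process
    failed at least min_failures times to reach primary_ip and then, within
    window, successfully connected to a different destination fallback_ip."""
    by_proc = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_proc[(c.host, c.proc)].append(c)

    hits = []
    for (host, proc), events in by_proc.items():
        failures = defaultdict(list)  # destination ip -> timestamps of failed attempts
        for e in events:
            if e.action == "FAIL":
                failures[e.ip].append(e.ts)
            elif e.action == "ALLOW":
                for primary, times in failures.items():
                    recent = [t for t in times if e.ts - t <= window]
                    # Same destination recovering after a blip is not a fallback channel.
                    if primary != e.ip and len(recent) >= min_failures:
                        hits.append((host, proc, primary, e.ip))
                failures.clear()  # a success resets the per-process failure state
    return hits


if __name__ == "__main__":
    for host, proc, primary, fallback in find_failover(parse(SAMPLE_LOG)):
        print(f"{host} {proc}: failed to reach {primary}, then connected to {fallback}")
```

Only WS01/svchost.exe trips the rule: WS02 has a single failure below the threshold, and WS03 recovers against the same destination. In practice the rule should be scoped to external destinations and paired with a reputation or rarity check on the fallback address, since browsers and updaters also fail over between CDN nodes.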

Groups That Use This Software

ID Name References
G0006 APT1 [1]