The sub-techniques beta is now live! Read the release blog post for more info.


BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

ID: S0360
Platforms: Windows
Version: 1.1
Created: 18 February 2019
Last Modified: 11 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[2]

Enterprise T1483 Domain Generation Algorithms

BONDUPDATER uses a DGA to communicate with command and control servers.[1]

Enterprise T1143 Hidden Window

BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.[1]

Enterprise T1086 PowerShell

BONDUPDATER is written in PowerShell.[1][2]

Enterprise T1105 Remote File Copy

BONDUPDATER can download or upload files from its C2 server.[2]

Enterprise T1053 Scheduled Task

BONDUPDATER persists using a scheduled task that executes every minute.[2]

Enterprise T1071 Standard Application Layer Protocol

BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[2]

Groups That Use This Software

ID Name References
G0049 OilRig [1] [2]