SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.[1][2]

ID: S0464
Platforms: Windows
Version: 1.1
Created: 02 June 2020
Last Modified: 21 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

SYSCON has the ability to use FTP in C2 communications.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SYSCON has the ability to execute commands through cmd on a compromised host.[2]

Enterprise T1057 Process Discovery

SYSCON has the ability to use Tasklist to list running processes.[2]

Enterprise T1082 System Information Discovery

SYSCON has the ability to use Systeminfo to identify system information.[2]

Enterprise T1204 .002 User Execution: Malicious File

SYSCON has been executed by luring victims to open malicious e-mail attachments.[1]


ID Name Description
C0006 Operation Honeybee

Operation Honeybee included the use of an upgraded version of SYSCON.[3]