1. Home
  2. Software
  3. CARROTBALL

CARROTBALL

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[1]

ID: S0465
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 02 June 2020
Last Modified: 25 April 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

CARROTBALL has the ability to use FTP in C2 communications.[1]
Enterprise T1105 Ingress Tool Transfer

CARROTBALL has the ability to download and install a remote payload.[1]
Enterprise T1027 Obfuscated Files or Information

CARROTBALL has used a custom base64 alphabet to decode files.[1]
Enterprise T1204 .002 User Execution: Malicious File

CARROTBALL has been executed through users being lured into opening malicious e-mail attachments.[1]

References

  1. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.