Operation CuckooBees

Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]

ID: C0012
First Seen: December 2019 [1]
Last Seen: May 2022 [1]
Contributors: Andrea Serrano Urea, Telefónica Tech
Version: 1.1
Created: 22 September 2022
Last Modified: 16 April 2025

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

During Operation CuckooBees, the threat actors used the net user command to gather account information.[1]

.002 Account Discovery: Domain Account

During Operation CuckooBees, the threat actors used the dsquery and dsget commands to get domain environment information and to query users in administrative groups.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During Operation CuckooBees, the threat actors used the Makecab utility to compress stolen data and a version of WinRAR to create password-protected archives of it prior to exfiltration.[1]

Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

During Operation CuckooBees, the threat actors used a signed kernel rootkit to establish additional persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.[1]

.005 Command and Scripting Interpreter: Visual Basic

During Operation CuckooBees, the threat actors executed an encoded VBScript file using wscript and wrote the decoded output to a text file.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

During Operation CuckooBees, the threat actors modified the IKEEXT and PrintNotify Windows services for persistence.[1]

Enterprise T1005 Data from Local System

During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks.[1]

Enterprise T1190 Exploit Public-Facing Application

During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers.[1]

Enterprise T1133 External Remote Services

During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}.[1]

Enterprise T1083 File and Directory Discovery

During Operation CuckooBees, the threat actors used dir c:\ to search for files.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL

During Operation CuckooBees, the threat actors used the legitimate Windows services IKEEXT and PrintNotify to side-load malicious DLLs.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

During Operation CuckooBees, the threat actors renamed a malicious executable to rundll32.exe to allow it to blend in with other Windows system files.[1]

Enterprise T1135 Network Share Discovery

During Operation CuckooBees, the threat actors used the net share command as part of their advanced reconnaissance.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

During Operation CuckooBees, the threat actors executed an encoded VBScript file.[1]

.011 Obfuscated Files or Information: Fileless Storage

During Operation CuckooBees, the threat actors stored payloads in Windows CLFS (Common Log File System) transactional logs.[1]

Enterprise
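Several of the techniques above (net user, dsquery/dsget, net share, the winrm.vbs listener change, the encoded VBScript run through wscript, Makecab and password-protected WinRAR archives, and the executable renamed to rundll32.exe) leave a distinctive process-creation trail. The following Python hunt is an added example, not code from the cited report or from ATT&CK: it applies one rule per technique to Sysmon Event ID 1 style records. The record layout, the sample events (constructed), and the heuristics in the rules (treating a .vbe extension or the //e:vbscript.encode engine switch as an encoded VBScript, and any rundll32.exe outside System32/SysWOW64 as a masquerade) are assumptions, not details the page states.

```python
"""Hunt rules for the Operation CuckooBees tradecraft listed on this page.

Added example: runs over constructed Sysmon Event ID 1 style records and
returns one hit per (event, rule) pair. Rule thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    """True when the image lives in System32 or SysWOW64 (assumed system root C:\\Windows)."""
    return path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))


def _net_subcommand(e: ProcEvent, sub: str) -> bool:
    return (basename(e.image) in {"net.exe", "net1.exe"}
            and re.search(rf"\bnet1?\s+{sub}\b", e.command_line, re.I) is not None)


# (ATT&CK id, why it fired, predicate)
RULES: list[tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1087.001", "local account discovery via net user",
     lambda e: _net_subcommand(e, "user")),
    ("T1087.002", "domain account discovery via dsquery/dsget",
     lambda e: basename(e.image) in {"dsquery.exe", "dsget.exe"}),
    ("T1135", "network share discovery via net share",
     lambda e: _net_subcommand(e, "share")),
    ("T1133", "WinRM compatibility HTTP/HTTPS listener enabled through winrm.vbs",
     lambda e: basename(e.image) in {"cscript.exe", "wscript.exe"}
     and "winrm.vbs" in e.command_line.lower()
     and re.search(r'EnableCompatibilityHttps?Listener\s*=\s*"?true',
                   e.command_line, re.I) is not None),
    ("T1059.005", "script host running an encoded VBScript (assumed .vbe / vbscript.encode)",
     lambda e: basename(e.image) in {"wscript.exe", "cscript.exe"}
     and re.search(r"\.vbe\b|//e:vbscript\.encode", e.command_line, re.I) is not None),
    ("T1560.001", "archive via makecab, or rar with a password switch (-p / -hp)",
     lambda e: basename(e.image) == "makecab.exe"
     or (basename(e.image) in {"rar.exe", "winrar.exe"}
         and re.search(r"(^|\s)-h?p\S*", e.command_line) is not None)),
    ("T1036.005", "rundll32.exe executing from outside the Windows system directories",
     lambda e: basename(e.image) == "rundll32.exe" and not in_system_dir(e.image)),
]


def hunt(events: list[ProcEvent]) -> list[dict]:
    """Return a hit record for every rule that matches an event, in event order."""
    hits = []
    for e in events:
        for technique, why, pred in RULES:
            if pred(e):
                hits.append({"technique": technique, "host": e.host, "user": e.user,
                             "image": e.image, "command_line": e.command_line, "why": why})
    return hits


def techniques_by_host(hits: list[dict]) -> dict[str, set[str]]:
    """Group matched technique IDs per host to see how far an intrusion has progressed."""
    out: dict[str, set[str]] = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["technique"])
    return out


CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample records; the last two are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\net.exe", "net user", CMD),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\dsquery.exe",
              'dsquery group -name "Domain Admins" | dsget group -members', CMD),
    ProcEvent("SRV02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cscript.exe",
              'cscript //nologo "C:\\Windows\\System32\\winrm.vbs" set '
              'winrm/config/service@{EnableCompatibilityHttpsListener="true"}', CMD),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\ProgramData\update.vbe", r"C:\Windows\explorer.exe"),
    ProcEvent("SRV02", "CORP\\svc_backup", r"C:\ProgramData\rar.exe",
              r"rar.exe a -hpSecret1 C:\ProgramData\rd.rar C:\Projects\*.dwg", CMD),
    ProcEvent("SRV02", "NT AUTHORITY\\SYSTEM", r"C:\ProgramData\rundll32.exe",
              r"C:\ProgramData\rundll32.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\net.exe",
              r"net use Z: \\fs01\projects", CMD),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f'{h["host"]:6} {h["technique"]:10} {h["why"]}')
    print(techniques_by_host(hunt(SAMPLE_EVENTS)))
```

The rules are deliberately narrow (image name plus command-line shape) so they can run over a full day of process-creation telemetry without drowning in noise; the per-host grouping is the useful view, since a single host showing discovery, the WinRM listener change and a staged archive together is far stronger than any one hit.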