Bandok Malware
Published: 12/10/2025
Written by: Lizzie Danielson
What is Bandok Malware?
Bandook (also spelled Bandok, or Bandook RAT) is a full-featured Remote Access Trojan (RAT) written in Delphi and C++ and first observed in the wild around 2007. It is commercially available and has been sold and rented to multiple threat actors, both criminal groups and suspected state-affiliated espionage operators, making it one of the longer-lived RAT families still in active circulation. Describing Bandook as primarily a keylogger significantly understates its capability set.
Keylogging is one module among many. Its documented capabilities include:
Remote shell access: spawning interactive Windows command shells (cmd.exe) and executing commands remotely (T1059.003)
File management: listing, collecting, downloading, uploading, and deleting files on compromised systems (T1005, T1083, T1105, T1070.004)
Process manipulation: injecting into and hollowing legitimate Windows processes for execution and evasion (T1055, T1055.012)
Screen capture: taking screenshots of the victim's desktop (T1113)
Audio capture: recording audio via connected microphones (T1123)
Keylogging: capturing keystrokes (T1056.001)
Webcam access: accessing camera devices on compromised endpoints (T1125)
Scripting interpreter abuse: executing PowerShell, VBScript, Python, and Java-based payloads (T1059.001, T1059.005, T1059.006)
Encrypted C2 communications: using AES-encrypted channels for command and control and data exfiltration (T1573.001, T1041)
Registry-based persistence: establishing autostart entries for survival across reboots (T1547)
This breadth of capability makes Bandook a surveillance and espionage platform, not merely a data capture utility.
When was Bandok first discovered?
Bandook was first observed in the wild around 2007 and has been tracked under that name since. Because the RAT is sold and rented rather than operated by a single group, attributing any given infection depends on campaign-specific tradecraft, infrastructure, and targeting rather than on the malware itself. Detailed attribution is therefore limited; both organized cybercriminal groups and suspected espionage operators have deployed it.
Who created Bandok?
Bandook is best understood as a shared-use malware toolkit rather than a tool exclusively controlled by a single author or group. The underlying RAT has been commercially available since at least 2007, meaning multiple unrelated threat actors have independently deployed it across different campaigns and time periods.
What does Bandok target?
Bandook targets Windows systems and has been observed affecting both individuals and organizations. Documented campaigns span financial institutions, eCommerce, and government organizations as well as targeted individuals. Credential theft via keylogging is one objective, but the remote shell, file collection, and audio, screen, and webcam capture modules mean the practical goal is usually sustained surveillance and data collection from the compromised host.
Bandok distribution method
Bandook spreads through phishing emails carrying malicious attachments and through compromised websites. Lures commonly rely on macro-enabled Office documents disguised as routine business files, so initial execution nearly always depends on a user opening the attachment and enabling content; social engineering is the critical distribution vector.
Technical analysis of Bandok malware
Bandook infections begin with an initial payload delivered by email attachment or drive-by download. Once executed, the loader starts a legitimate Windows process such as msinfo32.exe and hollows it, replacing its memory with the RAT payload so that the malicious code runs under a trusted image name and evades casual inspection. Persistence is handled separately through registry autostart entries. From the hollowed process the RAT runs its modules, including keystroke logging, screen capture, and file collection, and exfiltrates the results over its encrypted command-and-control channel without any visible indication to the user.
Tactics, Techniques & Procedures (TTPs)
Persistence via registry autostart (Run key) entries
Execution and Defense Evasion via process injection and hollowing into legitimate Windows binaries
Credential Access through keylogging and clipboard theft
Defense Evasion using obfuscated code and anti-debugging mechanisms
Indicators of Compromise (IoCs)
Bandook IoCs vary significantly across campaigns and actor groups, because the RAT is commercially available and used by multiple independent threat actors; a file hash or C2 domain from one campaign says little about another. Campaign-specific IoCs published by Check Point (2020) and Lookout/EFF (Dark Caracal, 2018) are the primary authoritative sources. Behavioural indicators (a hollowed msinfo32.exe making outbound connections, shells spawned from it, new Run key entries) transfer between campaigns better than static ones.
How to know if you’re infected with Bandok?
A Bandook infection rarely produces obvious symptoms for the user; unexplained slowdowns, unrecognized outbound traffic, and missing or altered files are possible but late signs. More reliable indicators are behavioural: a legitimate binary such as msinfo32.exe launched by an unusual parent, spawning cmd.exe or PowerShell, or making outbound connections it has no reason to make; new autostart entries under the registry Run keys; and EDR alerts for process injection or hollowing. Because the RAT logs keystrokes and captures audio, screen, and webcam data, any host showing these signs should be treated as fully compromised rather than merely infected with a keylogger.
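As an added example (not Huntress's code and not taken from any Bandook report), the following Python hunts for the behaviours described in this article in Sysmon-style process, network, and registry events. The event records, the Temp-path loader name, and the 203.0.113.45 address are constructed for the example; field names follow Sysmon conventions, and the parent-process allow-list and the set of hollowing hosts are assumptions to tune per environment.

```python
"""Hunt for Bandook-style tradecraft in constructed Sysmon-style events.

Added example for this article, not Huntress's or any vendor's detection
content. Field names follow Sysmon conventions (EventID 1 = process
creation, 3 = network connection, 13 = registry value set), but every
event below is constructed for illustration, not captured from a real
infection, and 203.0.113.0/24 is the RFC 5737 documentation range, not a
known C2 address.
"""
import ipaddress
import json

# Behaviours described in the article: a macro-laden phishing document
# dropping the loader, the payload hollowed into msinfo32.exe, remote
# cmd.exe / PowerShell / VBScript execution, outbound encrypted C2, and
# an autostart entry under a Run key.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
HOLLOWING_HOSTS = {"msinfo32.exe"}   # assumption: extend with hosts seen in your telemetry
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
NORMAL_MSINFO_PARENTS = {"explorer.exe", "svchost.exe"}  # assumption: tune per environment
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def image_name(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    """RFC 1918 / loopback / link-local check. Deliberately not
    ipaddress.is_private, which also treats documentation ranges such as
    203.0.113.0/24 as private and would hide the sample beacon below."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Run the rules over parsed events; each finding is (rule, image, detail)."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        image = image_name(ev["Image"])
        if eid == 1:
            parent = image_name(ev["ParentImage"])
            # Office app launching an executable from a user-writable path
            if parent in OFFICE_APPS and "\\appdata\\" in ev["Image"].lower():
                findings.append(("office_drops_executable", image, f"parent={parent}"))
            # msinfo32.exe started by something other than the shell/services
            if image in HOLLOWING_HOSTS and parent not in NORMAL_MSINFO_PARENTS:
                findings.append(("hollowing_host_odd_parent", image, f"parent={parent}"))
            # interactive shell spawned from the hollowed host
            if parent in HOLLOWING_HOSTS and image in SHELLS:
                findings.append(("shell_from_hollowing_host", image, f"parent={parent}"))
        elif eid == 3:
            dst = ev["DestinationIp"]
            # msinfo32.exe has no business talking to external hosts
            if image in HOLLOWING_HOSTS and not is_internal(dst):
                findings.append(("hollowing_host_external_c2", image,
                                 f"dst={dst}:{ev['DestinationPort']}"))
        elif eid == 13:
            if any(k in ev["TargetObject"].lower() for k in RUN_KEYS):
                findings.append(("run_key_persistence", image, ev["TargetObject"]))
    return findings


def hunt(jsonl):
    """Parse newline-delimited JSON events and run the rules."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return analyze(events)


# Constructed sample telemetry: a macro document drops a loader, the loader
# starts msinfo32.exe to host the injected payload, the hollowed process
# writes a Run key, beacons out, and spawns cmd.exe. The last two lines are
# benign noise (a user opening System Information, a browser) that must not fire.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\msinfo32.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msinfo32.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\msinfo32.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\msinfo32.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\msinfo32.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {image:14} {detail}")
```

The rules deliberately key on the relationship between events (who launched msinfo32.exe, what it launched, where it connected) rather than on a hash or domain, which is what makes them survive the campaign-to-campaign churn noted under IoCs above. The parent allow-list is the part most likely to need tuning: an administrator launching msinfo32.exe from an existing cmd.exe will trip `hollowing_host_odd_parent` until that parent is added.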
Bandok removal instructions
Manual removal of Bandook is risky and should only be attempted with advanced expertise: the payload lives inside a hollowed legitimate process, so killing the visible executable and deleting a file rarely finishes the job, and the operator retains an interactive shell for as long as the C2 channel is open. Isolate the affected host from the network first, then use Huntress's managed detection and remediation to identify the loader, the persistence entry, and the hollowed process, remove them, and restore the system. Treat every credential typed on the host during the infection window as compromised. Employ endpoint detection and response (EDR) for ongoing protection.
Is Bandok still active?
Yes. Bandook remains an active and evolving threat: the campaigns documented in 2018 (Dark Caracal) and 2020 (Check Point), among others, show the same core RAT rebuilt with new loaders, injection targets, and C2 infrastructure, and its availability for sale means new operators keep appearing.
Mitigation & prevention strategies
Preventing Bandook infections requires a multi-layered approach. Because the usual entry point is a macro-enabled attachment, block macros in documents that arrive from the internet, filter executable and macro-bearing attachments at the mail gateway, and train employees to recognize phishing lures. Regular software patching and multi-factor authentication (MFA) limit what a stolen credential is worth once keylogging has occurred. Consider Huntress's 24/7 monitoring and remediation services to detect and neutralize threats like Bandook before they escalate.
Bandok FAQ
What is Bandok?
Bandook is a commercially available Remote Access Trojan that gives an operator remote shell access, file management, process injection, and screen, audio, webcam, and keystroke capture on compromised Windows systems; keylogging is only one of its modules. It infiltrates systems via phishing, malicious attachments, and drive-by downloads, then hides inside a hollowed legitimate process to avoid detection.
How does Bandok infect systems?
Bandook typically infects systems through socially engineered emails containing harmful attachments, compromised websites, or drive-by downloads. Its lures are designed to get users to execute the payload themselves, which is what makes it effective.
Is Bandok still active?
Yes, Bandook continues to evolve, with new variants emerging across successive campaigns. Its adaptability and use of obfuscation techniques keep it relevant and dangerous.
How can organizations protect against Bandok?
Organizations should implement robust cybersecurity strategies, including patch management, EDR solutions, phishing awareness training, macro restrictions for documents from the internet, and ongoing network monitoring. Huntress's services provide an extra layer of protection against Bandook infections.