BendyBear
BendyBear is a novel x64 stage-zero shellcode downloader analyzed by Unit 42 and assessed to be strongly related to the WaterBear malware family. WaterBear has been associated with the BlackTech cyber-espionage group, which multiple agencies and researchers link to China. BendyBear’s sole documented function is to download a more robust implant from command-and-control (C2) infrastructure. It was also listed by U.S. and Japanese agencies among custom malware used in BlackTech operations targeting multiple Cisco router versions.
The malware is unusually large for shellcode, uses polymorphic/self-modifying code and byte randomization to obscure its behavior, and includes anti-analysis logic. Reported anti-analysis features include checks for analysis environments and for debugging, using kernel32!GetTickCount timing and a PEB-based debugger check that is repeated 52 times. It can determine the local time on a compromised host, queries the Windows Registry key HKEY_CURRENT_USER\Console\QuickEdit to retrieve configuration-related data, and resolves the Windows APIs it needs by walking the PEB loader module list and matching export names by hash (standard shellcode API hashing).
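Hash-based API resolution matters to a defender because the sample never contains the strings "LoadLibraryA" or "DnsFlushResolverCache", only 32-bit constants. The block below is an added example, not Unit 42's code and not BendyBear's own routine: it precomputes hashes for a set of exports a stager is likely to want and labels matching constants found in an opaque blob. The ROR-13 variant (the classic Skape/Metasploit hash), the export list and the shellcode-like blob are assumptions for illustration; the page does not state which hash BendyBear uses.

```python
import struct


def ror13_hash(name: str) -> int:
    """Classic ROR-13 export-name hash (as in Skape's and Metasploit's shellcode).
    Assumption: the page does not say which hash BendyBear uses; this variant is
    used only to illustrate how hash-based API resolution works."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + b) & 0xFFFFFFFF                   # add the next character
    return h


# Constructed stand-in for the export tables the shellcode would walk after
# locating each module through the PEB loader list. Real tables are far larger.
FAKE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "GetTickCount", "VirtualAlloc"],
    "dnsapi.dll": ["DnsFlushResolverCache"],
    "advapi32.dll": ["RegOpenKeyExA", "RegQueryValueExA"],
}


def build_hash_table(exports: dict) -> dict:
    """Defender side: precompute hash -> [(module, export)] for every export of
    interest so that constants found in a sample can be labelled."""
    table = {}
    for module, names in exports.items():
        for name in names:
            table.setdefault(ror13_hash(name), []).append((module, name))
    return table


def resolve(hash_value: int, table: dict) -> list:
    """Map a hash back to the export(s) it denotes; empty list when unknown."""
    return table.get(hash_value, [])


def find_hash_constants(blob: bytes, table: dict) -> list:
    """Slide a 4-byte little-endian window over an opaque blob and report every
    offset whose value is a known export hash. Returns (offset, value, matches)."""
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in table:
            hits.append((off, val, table[val]))
    return hits


# Constructed shellcode-like fragment: nops, then two `mov eax, imm32` (0xB8)
# instructions whose immediates are export hashes, then `ret`. Not a real sample.
SAMPLE_BLOB = (
    b"\x90\x90"
    + b"\xB8" + struct.pack("<I", ror13_hash("LoadLibraryA"))
    + b"\x90"
    + b"\xB8" + struct.pack("<I", ror13_hash("DnsFlushResolverCache"))
    + b"\xC3"
)


def label_sample(blob: bytes = SAMPLE_BLOB) -> list:
    """Return [(offset, 'module!export')] for each labelled hash in the blob."""
    table = build_hash_table(FAKE_EXPORTS)
    return [(off, f"{m}!{n}")
            for off, _val, matches in find_hash_constants(blob, table)
            for m, n in matches]


if __name__ == "__main__":
    for off, sym in label_sample():
        print(f"offset {off:#04x}: {sym}")
```

In practice the export list comes from dumping the export directories of the DLLs on the victim's Windows build, and the same table can be fed to a disassembler script to annotate immediates. If a sample's constants match nothing, the hash is a variant (different rotation, seeded, or over a module+export pair) and the routine has to be lifted from the sample first.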
For C2, BendyBear communicates over TCP port 443 using a custom protocol: payload chunks are encrypted with a modified RC4 plus additional XOR operations, the connection is authenticated, and a new session key is generated for each connection. Before connecting it flushes the host DNS cache by calling DnsFlushResolverCache. It downloads the payload in chunks from C2, decrypts them in memory, validates the result as a Windows PE/DLL, and loads that DLL directly in memory (into private RWX memory) without the normal PEB loader module entries, so the implant never appears in the loaded-module list a defender would normally inspect.
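The loading behaviour above gives a hunter two concrete checks, shown here as an added example that is not code from the Unit 42 analysis. First, a minimal PE header walk that reproduces the stager's own sanity check (is this buffer an x64 DLL image?). Second, a scan over memory-region records that flags MEM_PRIVATE, RWX regions holding a PE header whose base is absent from the loader module list, which is the tell of a manually mapped DLL. The region records, module bases and header fixtures are constructed inline; on a live host the same records come from VirtualQueryEx, ReadProcessMemory and a walk of the PEB loader list.

```python
import struct

# Constants from the Windows SDK (winnt.h) used by the checks below.
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40


def parse_pe(buf: bytes):
    """Minimal PE header walk: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF file header.
    Returns the COFF fields as a dict, or None when the buffer is not a PE image."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    return {"machine": machine, "sections": nsections,
            "optional_header_size": opt_size, "characteristics": chars}


def is_x64_dll(buf: bytes) -> bool:
    """The sanity check a stage-zero loader performs before mapping a payload:
    a PE image, built for AMD64, with the DLL characteristic set."""
    hdr = parse_pe(buf)
    return (hdr is not None
            and hdr["machine"] == IMAGE_FILE_MACHINE_AMD64
            and bool(hdr["characteristics"] & IMAGE_FILE_DLL))


def make_pe_header(machine: int, characteristics: int) -> bytes:
    """Constructed fixture: a DOS header pointing at a PE signature and COFF header.
    No sections or optional header; enough for the checks above and nothing more."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def scan_regions(regions: list, loaded_module_bases: set) -> list:
    """Hunt for manually mapped images: private (not MEM_IMAGE) RWX regions that
    begin with a PE header yet have no entry in the PEB loader module list.
    `regions` mirrors what VirtualQueryEx plus a read of each base would yield."""
    findings = []
    for r in regions:
        if r["type"] != MEM_PRIVATE or r["protect"] != PAGE_EXECUTE_READWRITE:
            continue                       # image-backed or non-RWX: not this pattern
        if r["base"] in loaded_module_bases:
            continue                       # tracked by the loader: not a manual map
        if parse_pe(r["data"]) is None:
            continue                       # RWX but no PE header (JIT, unpacker scratch)
        findings.append({"base": r["base"], "x64_dll": is_x64_dll(r["data"])})
    return findings


# Constructed snapshot of one process. Bases are arbitrary; only the relationships matter.
LOADED_MODULE_BASES = {0x7FF6A0000000, 0x7FFB10000000}
SAMPLE_REGIONS = [
    # a normally loaded DLL: image-backed, RX, present in the loader list
    {"base": 0x7FFB10000000, "type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ,
     "data": make_pe_header(IMAGE_FILE_MACHINE_AMD64, 0x2022)},
    # private RWX scratch with no PE header: noisy but not this technique
    {"base": 0x1F0000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE,
     "data": b"\x00" * 0x100},
    # private RWX region holding an x64 DLL header, unknown to the loader: the tell
    {"base": 0x2A0000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE,
     "data": make_pe_header(IMAGE_FILE_MACHINE_AMD64, 0x2022)},
    # same pattern but a 32-bit image: still reported, flagged as not an x64 DLL
    {"base": 0x3B0000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE,
     "data": make_pe_header(IMAGE_FILE_MACHINE_I386, 0x2102)},
]


def hunt(regions: list = SAMPLE_REGIONS, modules: set = LOADED_MODULE_BASES) -> list:
    return scan_regions(regions, modules)


if __name__ == "__main__":
    for f in hunt():
        print(f"suspicious image at {f['base']:#x} (x64 DLL: {f['x64_dll']})")
```

RWX private memory on its own is a weak signal (JIT engines and packers produce it constantly); requiring a valid PE header and a miss against the loader list is what turns it into a usable hunt. A loader that wipes or relocates the DOS/PE headers after mapping defeats the header check, so pair it with the DNS-flush and port-443 behaviours described above rather than relying on it alone.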
High-confidence indicators mentioned in the content include SHA-256 64cc899ec85f612270fcfb120a4c80d52d78e68b05caf1014d2fe06522f1e2d0 for an x64 sample, SHA-256 49901034216a16cfd05c613f438eccee4a7bf6079a7988b3e7094d9498379558 for an x86 sample, and C2 domains wg1.inkeslive[.]com and web2008.rutentw[.]com.
Groups observed using it
1 distinct threat actor (BlackTech) attributed by public researchers.
The agencies said they have observed multiple Cisco versions targeted with custom malware, including BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), Flagpro, FrontShell (FakeDead’s downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack and WaterBear.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
A sophisticated hacking group tied to the government of China is exploiting routers in attacks on a variety of organizations... The group specifically targets “branch routers” — smaller appliances used at more remote branch offices to connect to a corporate headquarters.
Execution
1 technique
Next, the shellcode iterates through the PEB’s loader module list... resolves any necessary Windows API calls using standard shellcode API hashing... Table 1 ... Dynamic DLL Importing and API Lookups ... T1106 Native API
Persistence
1 technique
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.
Stealth
6 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Transmits payloads in modified RC4-encrypted chunks... Table 1 ... Payloads in modified RC4-encrypted chunks ... T1027.002: Obfuscated Files or Information: Software Packing
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.
Credential Access
1 technique
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.
Discovery
4 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The shellcode begins by locating the target’s Process Environment Block (PEB) to check if it’s currently being debugged... This routine is performed 52 times... Table 1 ... T1082: System Information Discovery
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").
Command and Control
5 techniques
The BendyBear sample was determined to be x64 shellcode for a stage-zero implant whose sole function is to download a more robust implant from a command and control (C2) server... Table 1 ... Payload transfer from remote host ... T1105: Ingress Tool Transfer
Obscures its connection protocol by connecting to the C2 server over a common port (443)... Table 1 ... Command and Control ... listed as T1573.002: Encrypted Channel: Asymmetric Cryptography. Note that the modified RC4 and XOR scheme described for this family is a symmetric cipher, so the sub-technique that matches the described behaviour is T1573.001 (Encrypted Channel: Symmetric Cryptography); the listed .002 mapping does not match the cipher described.
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom malware observed in BlackTech operations targeting Cisco routers and enterprise networks.
An x64 stage-0 shellcode stager/downloader that authenticates to a C2, uses modified RC4 plus additional XOR operations, transfers payloads in encrypted chunks, employs polymorphic/self-modifying code and anti-analysis checks, flushes DNS cache before C2 connections, and direct-memory loads a downloaded DLL payload (MEM_PRIVATE, RWX) without standard PEB loader entries.
Malware that queries specific registry keys (for BendyBear, HKEY_CURRENT_USER\Console\QuickEdit) to retrieve host configuration data.