Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

BITSAdmin

BITSAdmin is a legitimate Windows administrative utility that adversaries use as a dual-use tool for file transfer. The provided content associates BITSAdmin with creating BITS jobs for ingress tool transfer, lateral tool transfer, and exfiltration over unencrypted non-C2 protocols, including uploading files from a compromised host. It has been used by Daggerfly to retrieve files from remote locations for execution on victim systems. The content specifically links BITSAdmin activity to BITS jobs and transfer operations rather than bespoke malware functionality. Associated threat activity in the content includes Daggerfly intrusions. No specific industries, victim sectors, or concrete indicators of compromise are provided in the source material.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Daggerfly

Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.

via mitre attackattack.mitre.org
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1197BITS JobsEvidence1

Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.

Persistence

1 technique
T1197BITS JobsEvidence1

Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.

Stealth

1 technique
T1197BITS JobsEvidence1

Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence1

...has used BITSAdmin to retrieve files from remote locations to run on victim systems... Ingress Tool Transfer

Exfiltration

3 techniques
T1041Exfiltration Over C2 ChannelEvidence1

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

T1048Exfiltration Over Alternative ProtocolEvidence1

Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.

T1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolEvidence1

Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
mitre attack websiteNews
Feb 1, 2016
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Sub-technique T1048.003 - Enterprise | MITRE ATT&CK®

Windows utility that can be abused to upload files from a compromised host via BITS jobs.

Read more
mitre attackNews
Jan 25, 2026
Wizard Spider, UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193, Group G0102 | MITRE ATT&CK®

Windows BITS administration utility abused to download/upload files and move tools laterally using BITS jobs.

Read more
mitre attackNews
Mar 18, 2026
Daggerfly, Evasive Panda, BRONZE HIGHLAND, Group G1034 | MITRE ATT&CK®

A Windows command-line utility abused to download/transfer files (living-off-the-land), enabling remote payload retrieval and execution on victim systems.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.