Daserf is a backdoor trojan first identified in 2011 and used by the cyber-espionage group REDBALDKNIGHT, also known as BRONZE BUTLER or Tick. The group typically deploys Daserf against Japanese organizations, including those in defense, biotechnology, electronics manufacturing, and industrial chemistry. The trojan allows the threat actors to execute shell commands, download and upload data, take screenshots, and log keystrokes. The trojan is often installed on targeted machines through the use of decoy documents attached in spear-phishing emails. Once the document is opened, the trojan is installed and launched. It is also distributed via watering hole attacks and through the exploitation of a remote code execution vulnerability. Daserf undergoes regular technical improvements to evade detection.

In the second half of 2017, Trend Micro researchers noted versions of Daserf targeting Russian, Singaporean, and Chinese enterprises. Some versions of the trojan have added steganography functionality to conduct C2 communication and retrieve a second-stage backdoor. The use of steganography also allows Daserf to bypass firewalls.


  • November 2017: REDBALDKNIGHT's Daserf Backdoor Now Using Steganography. (Trend Micro)

Technical Details

  • Palo Alto Networks provides technical details of the Daserf trojan, here.