BendyBear

MITRE
Malware Type: Other
First seen: Unknown
Last seen: Unknown
Details:

[BendyBear](https://attack.mitre.org/software/S0574) is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, [BendyBear](https://attack.mitre.org/software/S0574) shares a variety of features with [Waterbear](https://attack.mitre.org/software/S0579), malware previously attributed to the Chinese cyber espionage group [BlackTech](https://attack.mitre.org/groups/G0098).(Citation: Unit42 BendyBear Feb 2021)

Associated Techniques (11)

| ID | ATT&CK | Tactics |
| --- | --- | --- |
| T1001.001 | Junk Data | - |
| T1012 | Query Registry | - |
| T1027.013 | Encrypted/Encoded File | - |
| T1027.014 | Polymorphic Code | - |
| T1105 | Ingress Tool Transfer | - |
| T1106 | Native API | - |
| T1124 | System Time Discovery | - |
| T1140 | Deobfuscate/Decode Files or Information | - |
| T1497.003 | Time Based Checks | - |
| T1571 | Non-Standard Port | - |
| T1573.001 | Symmetric Cryptography | - |

Metadata
ID: 365
Created: 13/01/2026 17:48
Updated: 06/03/2026 16:00