Tick (also tracked as Bronze Butler, RedBaldknight, Stalker Panda, Nian, and MITRE ATT&CK G0060) is a China-aligned cyber-espionage cluster active since at least 2008 and one of the most operationally durable China-aligned clusters in the public record, with more than fifteen years of sustained operations against Japanese targets. Vendor research (Dell Secureworks Counter Threat Unit's seminal October 2017 Bronze Butler disclosure, Trend Micro's November 2017 REDBALDKNIGHT disclosure, ESET's ongoing tracking, JPCERT/CC's sustained Japanese national-CERT advisory series across 2019-2024, and many others) widely assesses the cluster to operate in alignment with Chinese state interests, most commonly framed as MSS (Ministry of State Security) tasking, with some vendor reporting suggesting MSS Shanghai Bureau adjacency. Attribution at the level of a specific MSS bureau or contractor has not been formally established by US or Japanese government indictment.
Targeting is overwhelmingly directed at Japan: the defense industrial base, aerospace, heavy industry (shipbuilding, automotive, electronics, semiconductors), manufacturing, chemical, pharmaceutical, healthcare, biotechnology, higher education, research, and government entities, with selective expansion to South Korean, Russian, mainland Chinese, and Mongolian targets. The Japan-centric victimology is so pronounced, and so sustained across more than a decade, that Tick is among the most clearly single-country-focused publicly tracked clusters. The cluster's most distinctive tradecraft signature is sustained exploitation of Ichitaro, a Japanese-language word processor published by JustSystems and used predominantly within Japanese government and corporate environments.
Ichitaro zero-days (CVE-2014-7247 and others) are essentially Japan-specific exploits with no value against non-Japanese targets, and Tick's sustained investment in Ichitaro zero-day development across multiple years is unusually strong evidence of the cluster's dedicated Japan-targeting focus; few other publicly tracked clusters have invested in Ichitaro exploitation. Operationally, Tick's toolkit centers on three signature implants that have evolved across more than a decade: Daserf (the central .NET-based Windows backdoor, observed since approximately 2011 with continuous incremental evolution, including the steganography-based delivery channel disclosed by Trend Micro in 2017), Datper (a sibling Windows backdoor sharing infrastructure and tasking patterns with Daserf), and T-SMB SCAN (a bespoke SMB network-reconnaissance and credential-spraying tool seen in Tick operations since at least 2014).
Beyond these three, the cluster operates xxmm/Wrapdll, GeminiRAT, SkySilk (a newer implant seen from 2021 onward), ShadowWalker, HomamDownloader, DownDelph, Minzen, and SidePlay. The sustained use of a small set of bespoke tools across more than a decade, rather than the eclectic open-source-heavy toolkits seen in some peer clusters, reflects the cluster's tradecraft discipline. Initial access patterns mix spear-phishing with weaponized Office documents (CVE-2014-1761, CVE-2017-11882, CVE-2018-0802, and related Office vulnerabilities), spear-phishing with Ichitaro zero-day exploits, supply-chain compromise of Japanese software vendors, watering-hole compromises of Japanese industry-relevant websites, and, more recently, exploitation of public-facing vulnerabilities (Exchange ProxyLogon, BlueKeep).
A handful of operational notes. First, the proliferation of vendor names (Tick / Bronze Butler / RedBaldknight / Stalker Panda / Nian) reflects more than a decade of fragmented pre-consolidation vendor tracking rather than separate operational sub-clusters; modern reporting should default to "Tick" as the MITRE-canonical name. Second, the cluster is operationally distinct from BlackTech / Palmerworm (already covered in blacktech.yaml), which also targets Japanese organizations but operates a different toolkit (Plead, TSCookie, Flagpro, BendyBear, Waterbear) and a different target-pivot pattern (US subsidiary to Japanese parent compromise via Cisco router firmware implants). Tick and BlackTech overlap in target country (Japan) but are clearly distinguishable on toolkit, tradecraft, and infrastructure. Third, attribution to the MSS specifically, though dominant in vendor reporting, has not been confirmed by formal US or Japanese government attribution; treat the MSS-tasking framing as suspected. Fourth, JPCERT/CC's sustained advisory series across 2019-2024 is among the most operationally detailed sustained public tracking of any China-aligned cluster against any single country, reflecting the depth of Japanese national-CERT investment in Tick-specific tracking, and it is a useful operational data source for any defender or researcher working in this victim space.