HOMETHREATSCARROTBALL
APT / THREAT GROUP

CARROTBALL

2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.

Threat Analysis

CARROTBALL is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

CARROTBALLwin.carrotball

External Intelligence

Malpedia: win.carrotball

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.