C0010
C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess that UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. C0010 began by at least late 2020, and was still ongoing as of mid-2022.[1]
Analyst context for executives and security teams
C0010 matters because it describes a sustained espionage campaign against organizations in strategically important sectors: shipping, government, aviation, energy, and healthcare. For leaders, the decision value is not just the named campaign; it is the pattern: prepared infrastructure, drive-by access, tool transfer, custom backdoors, and browser credential harvesting. That combination can affect continuity, identity exposure, and incident response speed, especially where users browse from operational or high-trust environments.
Executive priority
Prioritize validation for organizations with similar sector exposure, regional relevance, or critical service dependencies. Executives should ask whether the security program can prove coverage for browser-based initial access, suspicious domain and web infrastructure use, inbound tool transfer, reverse-shell behavior, and credential harvesting from browsers. This campaign also supports audit and resilience discussions: do teams retain the endpoint, DNS, web proxy, and network evidence needed to reconstruct an intrusion that may involve custom malware rather than commodity indicators alone?
Technical view
ATT&CK provides no campaign-level detection text and no campaign-level platforms or tactics, so defenders should work from the related behaviors. C0010 is linked to Drive-by Compromise, Ingress Tool Transfer, adversary domain acquisition or hijacking, malware and tool staging, and two Windows-associated software entries: SUGARDUMP, a browser credential harvesting tool, and SUGARUSH, a custom backdoor that can establish a reverse shell over TCP to a hard-coded C2 address. SOC and IR teams should validate visibility across browser activity, endpoint process and file events, credential store access patterns, outbound network connections, DNS/domain reputation context, and file downloads from external infrastructure.
Likely telemetry
- Endpoint process, file creation, and module/script execution telemetry on user workstations and servers where available
- Browser activity and web proxy logs, including redirects, downloads, and unusual access to newly observed or suspicious domains
- DNS query logs and domain registration/reputation enrichment for acquired, hijacked, or staged domains
- Network egress telemetry for reverse shell-like TCP sessions and command-and-control patterns
- File download and transfer records that could indicate ingress tool transfer from external infrastructure
Detection direction
- Because MITRE provides no official detection guidance for this campaign, avoid relying on campaign name matching; validate behavior-based detections for the related techniques.
- Tune detections for drive-by compromise around abnormal browser child processes, unexpected downloads, redirects, and post-browsing execution, while accounting for legitimate software update and web application behavior.
- Monitor for ingress tool transfer by correlating external downloads, newly written executables or scripts, and subsequent execution or network egress.
- Review outbound TCP connections for unusual long-lived sessions, rare destinations, or hard-coded C2-like behavior, especially when associated with uncommon binaries.
- Hunt for browser credential harvesting behaviors on Windows systems, including unusual access to browser credential stores by non-browser processes.
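As an added illustration of the ingress tool transfer and browser credential harvesting bullets above (this is example code, not from the ATT&CK entry or Mandiant's reporting), the following Python correlates constructed endpoint events: a browser writing an executable that is later started and connects out, and a non-browser process reading a browser credential store. All process names, paths and addresses are constructed sample values, not campaign indicators.

```python
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Common browser credential store file names (Chromium "Login Data", Firefox logins.json / key4.db)
CRED_STORES = ("\\user data\\default\\login data", "\\logins.json", "\\key4.db")
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")

# Constructed sample telemetry (hypothetical paths and addresses; not real IoCs)
EVENTS: List[Dict] = [
    {"ts": 100, "type": "file_write", "proc": "chrome.exe",
     "path": "C:\\Users\\a\\Downloads\\update.exe"},
    {"ts": 130, "type": "proc_start", "proc": "update.exe",
     "image": "C:\\Users\\a\\Downloads\\update.exe"},
    {"ts": 131, "type": "net_conn", "proc": "update.exe", "dst": "203.0.113.5:443"},
    {"ts": 140, "type": "file_read", "proc": "update.exe",
     "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": 150, "type": "file_read", "proc": "chrome.exe",  # the browser itself: benign
     "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": 160, "type": "file_write", "proc": "msedge.exe",  # non-executable download: benign
     "path": "C:\\Users\\b\\Downloads\\report.pdf"},
]


def ingress_tool_chains(events: List[Dict], window: int = 3600) -> List[Tuple[str, str]]:
    """Browser writes an executable -> it is started within `window` seconds -> it connects out.
    Returns (image path, destination) for each completed chain."""
    written: Dict[str, int] = {}   # lowercase image path -> time of the browser write
    started: Dict[str, str] = {}   # process name -> image path (stage 2 of the chain reached)
    hits: List[Tuple[str, str]] = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if (e["type"] == "file_write" and e["proc"] in BROWSERS
                and e["path"].lower().endswith(EXEC_EXT)):
            written[e["path"].lower()] = e["ts"]
        elif (e["type"] == "proc_start" and e["image"].lower() in written
                and e["ts"] - written[e["image"].lower()] <= window):
            started[e["proc"]] = e["image"]
        elif e["type"] == "net_conn" and e["proc"] in started:
            hits.append((started[e["proc"]], e["dst"]))
    return hits


def credential_store_access(events: List[Dict]) -> List[Tuple[str, str]]:
    """Non-browser processes reading browser credential stores (the SUGARDUMP-like pattern)."""
    return [(e["proc"], e["path"]) for e in events
            if e["type"] == "file_read" and e["proc"] not in BROWSERS
            and e["path"].lower().endswith(CRED_STORES)]


if __name__ == "__main__":
    print("ingress tool chains:", ingress_tool_chains(EVENTS))
    print("credential store access:", credential_store_access(EVENTS))
```

In production the same joins would run over EDR or Sysmon file, process and network events, with the browser and credential-store lists tuned to the fleet's actual software.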
Mitigation priorities
- Start with evidence readiness: ensure endpoint, DNS, web proxy, and network egress logs are collected and retained long enough to support investigation.
- Reduce browser-based exposure through timely browser and plugin patching, hardened browser configuration, web filtering, and controls around downloads and script execution.
- Limit credential exposure by reducing browser-stored secrets where appropriate, enforcing strong identity controls, and monitoring for account misuse after suspected endpoint compromise.
- Constrain egress with allowlisting or policy-based controls where feasible, and alert on unusual outbound TCP connections to rare or newly observed destinations.
- Apply application control and least privilege to reduce execution of downloaded tools and custom malware.
Analyst notes and limits
The object is a campaign entry, not a technique, and MITRE does not provide campaign-level detection text. The strongest defensive guidance comes from the official description and relationships to SUGARDUMP, SUGARUSH, Drive-by Compromise, Ingress Tool Transfer, and resource-development techniques involving domains, malware, tools, and staged infrastructure. Attribution and targeting statements are limited to the supplied ATT&CK description and the cited Mandiant reporting.
No campaign-level platforms, tactics, or official detection guidance are specified. The campaign was reported as ongoing as of mid-2022, but the supplied fields do not support claims of current activity. Local relevance depends on sector, geography, technology stack, logging maturity, and whether related behaviors appear in the environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1584.001 | Domains (sub-technique) | During C0010, UNC3890 actors likely compromised the domain of a legitimate Israeli shipping company.[1] |
| Enterprise | T1608.001 | Upload Malware (sub-technique) | For C0010, UNC3890 actors staged malware on their infrastructure for direct download onto a compromised system.[1] |
| Enterprise | T1189 | Drive-by Compromise | During C0010, UNC3890 actors likely established a watering hole that was hosted on a login page of a legitimate Israeli shipping company that was active until at least November 2021.[1] |
| Enterprise | T1608.004 | Drive-by Target (sub-technique) | For C0010, the threat actors compromised the login page of a legitimate Israeli shipping company and likely established a watering hole that collected visitor information.[1] |
| Enterprise | T1587.001 | Malware (sub-technique) | |
| Enterprise | T1583.001 | Domains (sub-technique) | For C0010, UNC3890 actors established domains that appeared to be legitimate services and entities, such as LinkedIn, Facebook, Office 365, and Pfizer.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0010, UNC3890 actors downloaded tools and malware onto a compromised host.[1] |
| Enterprise | T1608.002 | Upload Tool (sub-technique) | For C0010, UNC3890 actors staged tools on their infrastructure to download directly onto a compromised system.[1] |
| Enterprise | T1588.002 | Tool (sub-technique) | For C0010, UNC3890 actors obtained multiple publicly available tools, including METASPLOIT, UNICORN, and NorthStar C2.[1] |
Groups, software, and campaigns
S1042: SUGARDUMP
SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021 to early 2022, and a third HTTP C2 variant was used since at least April 2022.[1]
S1049: SUGARUSH
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3ada8a2ce610… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant UNC3890 Aug 2022: Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
[2] mitre-attack C0010: MITRE ATT&CK source object for C0010.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.