G0039: Suckfly
Analyst context for executives and security teams
Suckfly matters as a planning object because ATT&CK links the group to credential theft, valid account abuse, service discovery, Windows command shell execution, code signing abuse, and a custom Windows backdoor called Nidiran. For leaders, the practical issue is not the name alone; it is whether the organization can prove control over credentials, signed code trust decisions, endpoint execution visibility, and internal discovery activity during an investigation.
Executive priority
Prioritize this as an identity, endpoint trust, and incident readiness concern. The ATT&CK relationships point to behaviors that can undermine business continuity by turning one compromised account or trusted certificate into broader access. Executives should ask whether privileged credentials, code signing materials, remote access accounts, and internal service exposure are monitored well enough to support rapid containment and audit evidence.
Technical view
SOC and IR teams should validate coverage against the related ATT&CK behaviors: OS Credential Dumping (T1003), Network Service Discovery (T1046), Windows Command Shell (T1059.003), Valid Accounts (T1078), Code Signing (T1553.002), and Nidiran (S0118). Because the group object has no official detection text and no group-level platforms listed, detection engineering should be relationship-driven: confirm Windows endpoint telemetry for Nidiran and command shell activity, identity telemetry for valid account use, credential-access indicators, scanning/service discovery evidence, and certificate/code-signing governance logs where available.
Likely telemetry
- Endpoint process creation and command-line logging, especially for Windows command shell activity where Windows systems are in scope
- Authentication logs for local, domain, remote access, cloud, and identity provider accounts where applicable
- Credential access evidence from endpoint security tools, memory access monitoring, and security event logs
- Network flow, firewall, IDS, and internal scan/service discovery telemetry
- Code signing certificate inventory, signing event records, certificate issuance/revocation records, and file reputation/signature validation data
Detection direction
- Map existing detections to the related techniques rather than relying on the intrusion-set name alone, since ATT&CK provides no official detection section for Suckfly.
- Validate correlation between credential dumping signals and subsequent valid account use, especially unusual logons, privilege changes, or access from atypical hosts.
- Tune service discovery detections to distinguish approved vulnerability scanning and administration from unexpected internal enumeration.
- Review Windows command shell detections for suspicious parent-child process chains and remote execution context, while accounting for legitimate administrative use.
- Assess whether signed binaries are trusted automatically without checking certificate provenance, signer reputation, revocation status, and unusual use of code signing materials.
Mitigation priorities
- Harden identity controls first: reduce standing privilege, enforce strong authentication where applicable, monitor privileged and remote access accounts, and review account lifecycle controls.
- Protect credential material by limiting credential exposure on endpoints and prioritizing controls that reduce credential dumping opportunities.
- Govern code signing as a sensitive security function: inventory certificates, restrict access to signing keys, monitor signing activity, and maintain revocation processes.
- Improve internal visibility for service discovery by baselining authorized scanning and alerting on unexpected enumeration from user or server systems.
- Ensure Windows endpoint logging and response procedures are sufficient to investigate command shell execution and suspected backdoor activity.
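As an added illustration of the service discovery baselining described in the detection and mitigation bullets above (this is example code, not tooling from ATT&CK, Symantec, or Glexia), the following Python flags internal sources that touch several hosts on the ports named in the mirrored T1046 procedure while excluding an allowlist of approved scanners. The flow records, the allowlist, and the host threshold are constructed assumptions; the port set is configurable so the same logic generalizes to other watched services.

```python
"""Flag internal service discovery (ATT&CK T1046) in network flow records.

Added example, not part of the ATT&CK object or any vendor tooling.
Flow records are dicts with "src", "dst" and "dport"; the sample flows,
the approved-scanner allowlist and the threshold below are constructed.
"""
from collections import defaultdict

# Ports named in the mirrored Suckfly T1046 procedure text. Any other set
# of watched ports can be passed to the detector instead.
WATCHED_PORTS = {8080, 5900, 40}

# Hosts authorized to enumerate the network (vulnerability scanners,
# administration jump hosts). Constructed allowlist for this example.
APPROVED_SCANNERS = {"10.0.0.5"}

# A single source reaching at least this many distinct internal hosts on
# watched ports is reported as unexpected enumeration.
HOST_THRESHOLD = 3


def detect_service_discovery(flows, watched=WATCHED_PORTS,
                             approved=APPROVED_SCANNERS,
                             threshold=HOST_THRESHOLD):
    """Return {src: {"hosts": [...], "ports": [...]}} for suspicious sources.

    Approved scanners are excluded before counting, so the result only
    contains enumeration that was not baselined as authorized.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for f in flows:
        if f["dport"] in watched and f["src"] not in approved:
            hosts[f["src"]].add(f["dst"])
            ports[f["src"]].add(f["dport"])
    return {src: {"hosts": sorted(h), "ports": sorted(ports[src])}
            for src, h in hosts.items() if len(h) >= threshold}


# Constructed sample: an approved scanner sweeping port 8080, a user host
# probing three peers on the watched ports (plus one HTTPS connection that
# is not counted), and a host with a single VNC connection.
SAMPLE_FLOWS = (
    [{"src": "10.0.0.5", "dst": f"10.0.1.{i}", "dport": 8080} for i in range(1, 6)]
    + [{"src": "10.0.2.17", "dst": "10.0.1.1", "dport": 8080},
       {"src": "10.0.2.17", "dst": "10.0.1.2", "dport": 5900},
       {"src": "10.0.2.17", "dst": "10.0.1.3", "dport": 40},
       {"src": "10.0.2.17", "dst": "10.0.1.4", "dport": 443},
       {"src": "10.0.2.30", "dst": "10.0.1.9", "dport": 5900}]
)

if __name__ == "__main__":
    for src, info in detect_service_discovery(SAMPLE_FLOWS).items():
        print(f"possible T1046 enumeration from {src}: "
              f"{len(info['hosts'])} hosts on ports {info['ports']}")
```

Running it reports only 10.0.2.17; the approved scanner is excluded by the allowlist and the single VNC connection stays under the threshold.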
Analyst notes and limits
The strongest decision value in this object comes from its relationships. Suckfly is described by ATT&CK as a China-based threat group active since at least 2014, with reporting from Symantec in March and May 2016. ATT&CK links it to Nidiran and several enterprise techniques that emphasize credential access, valid account use, discovery, execution, and code signing abuse.
The group object does not specify platforms, tactics, labels, or official detection guidance. Any assessment of exposure, current activity, targeting, or detection coverage requires local telemetry and the cited external reporting; it should not be inferred from this ATT&CK object alone.
Suckfly
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Several tools used by Suckfly have been command-line driven. (Citation: Symantec Suckfly May 2016) |
| Enterprise | T1078 | Valid Accounts | Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner. (Citation: Symantec Suckfly May 2016) |
| Enterprise | T1046 | Network Service Discovery | Suckfly scanned the victim's internal network for hosts with ports 8080, 5900, and 40 open. (Citation: Symantec Suckfly May 2016) |
| Enterprise | T1003 | OS Credential Dumping | Suckfly used a signed credential-dumping tool to obtain victim account credentials. (Citation: Symantec Suckfly May 2016) |
| Enterprise | T1553.002 | Code Signing (sub-technique) | Suckfly has used stolen certificates to sign its malware. (Citation: Symantec Suckfly March 2016) |
Groups, software, and campaigns
S0118: Nidiran
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2d3f49572a82… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Suckfly March 2016: DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
[2] Suckfly: (Citation: Symantec Suckfly March 2016) (Citation: Symantec Suckfly May 2016)
[3] Symantec Suckfly May 2016: DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
[4] mitre-attack: G0039
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.