MITRE ATT&CK® Group

G0054: Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

Enterprise | G0054 | Group | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Sowbug matters because ATT&CK describes it as a targeted threat group focused on organizations in South America and Southeast Asia, particularly government entities, since at least 2015. The supplied relationships show behaviors that can affect continuity and confidentiality: credential theft, keylogging, command-shell execution, discovery of systems/files/network shares, collection from shared drives, and archiving data before possible removal. For leaders, the decision value is not “block Sowbug” generically; it is validating whether identity controls, file-share governance, endpoint visibility, and incident response playbooks can expose and contain this pattern of targeted intrusion behavior.

Executive priority

Prioritize this as a readiness and evidence question for environments with government, public-sector, regional, or sensitive shared-data exposure. Executives should ask whether the organization can prove it collects enough endpoint, identity, command execution, and network-share telemetry to investigate credential access and data collection. Because ATT&CK provides no official detection text for this group, coverage should be assessed through the related techniques and software rather than through a group-name alert.

Technical view

SOC and IR teams should map controls to the supplied Sowbug relationships: Felismus and Starloader are Windows-related software, while the associated techniques cover credential dumping, keylogging, Windows command shell execution, system/file/share discovery, collection from network shared drives, masquerading by legitimate-looking names or locations, and archive creation via utilities. Validate whether detections correlate command-line activity, suspicious file placement/naming, credential-access indicators, enumeration of files and shares, access to network shared drives, and archive creation in unusual user, host, or service-account contexts.

Likely telemetry

  • Endpoint process creation and command-line logs, especially cmd.exe and archive utilities where available
  • Endpoint file creation, rename, path, and hash metadata for legitimate-looking names or trusted locations
  • Credential access telemetry from operating system, EDR, authentication, and memory-protection events where available
  • Keystroke-capture or suspicious input-hook indicators if endpoint controls expose them
  • Windows host telemetry for Felismus/Starloader-related investigation, based on the related software platform

Detection direction

  • Do not rely on a Sowbug-specific signature; ATT&CK does not provide official detection guidance for this group in the supplied object.
  • Build coverage around the related techniques: T1003, T1056.001, T1059.003, T1082, T1083, T1135, T1039, T1560.001, and T1036.005.
  • Tune for sequences: discovery commands or share enumeration followed by access to shared drives, bulk file reads/copies, archive creation, and suspicious outbound staging indicators if available locally.
  • Review false positives from administrators, backup jobs, software deployment tools, help desk scripts, and legitimate compression utilities before escalating.
  • Validate visibility gaps on file servers and shared drives; many organizations collect endpoint alerts but lack audit-quality evidence for what data was enumerated or copied.
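As an added illustration of the sequence-tuning bullet above (not part of the ATT&CK object or of Glexia's analysis), the Python below correlates constructed process-creation events per host and user: enumeration of *.doc/*.docx files or remote shares followed within a look-back window by RAR archive creation, with a reviewed backup account excluded as a known false-positive source. The command shapes (dir, net view, rar a) and the resolved CSIDL_APPDATA path are assumptions about how this page's procedures would appear in local telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "fs01", "jdoe", r"cmd.exe /c dir /s C:\shares\finance\*.doc *.docx"),
    ("2024-03-01T09:03:10", "fs01", "jdoe", r"net view \\fs02"),
    ("2024-03-01T09:20:45", "fs01", "jdoe",
     r"rar.exe a -r C:\Users\jdoe\AppData\Roaming\microsoft\security\out.rar C:\shares\finance"),
    ("2024-03-01T11:00:00", "ws07", "svc_backup", r"rar.exe a D:\backup\nightly.rar D:\data"),
    ("2024-03-01T14:00:00", "ws09", "asmith", r"net view \\fs02"),
]

# Assumed command shapes for the procedures listed on this page (adjust to local tooling).
STAGE_PATTERNS = {
    "T1083": re.compile(r"\bdir\b.*\*\.docx?\b", re.I),                # *.doc / *.docx enumeration
    "T1135": re.compile(r"\bnet\s+view\b", re.I),                       # remote share listing
    "T1560.001": re.compile(r"\brar(\.exe)?\s+a\b", re.I),              # RAR archive creation
    "T1036.005": re.compile(r"appdata\\roaming\\microsoft\\security", re.I),  # CSIDL_APPDATA masquerade path
}
DISCOVERY = {"T1083", "T1135"}
REVIEWED_ACCOUNTS = {"svc_backup"}  # constructed allow-list of reviewed false-positive sources

def tag_event(cmdline):
    """Return the technique IDs whose pattern matches one command line."""
    return {tid for tid, pat in STAGE_PATTERNS.items() if pat.search(cmdline)}

def correlate(events, window_minutes=60):
    """Alert when discovery precedes archive creation for the same host and user within the window."""
    alerts, recent = [], {}
    for ts, host, user, cmd in sorted(events):
        tags = tag_event(cmd)
        if not tags or user in REVIEWED_ACCOUNTS:
            continue
        now = datetime.fromisoformat(ts)
        seen = recent.setdefault((host, user), [])
        seen.append((now, tags))
        # Drop events that fell out of the look-back window.
        seen[:] = [(t0, tg) for t0, tg in seen if now - t0 <= timedelta(minutes=window_minutes)]
        if "T1560.001" in tags:
            earlier = set().union(*(tg for t0, tg in seen if t0 < now))
            if earlier & DISCOVERY:
                alerts.append({"host": host, "user": user, "first": seen[0][0].isoformat(),
                               "last": ts, "techniques": sorted(earlier | tags)})
    return alerts
```

Running correlate(SAMPLE_EVENTS) yields one alert for jdoe on fs01 covering T1083, T1135, T1560.001 and T1036.005; the svc_backup archive and the lone share listing on ws09 produce nothing.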

Mitigation priorities

  • Strengthen identity controls first: reduce privileged credential exposure, monitor high-risk authentication, and require strong controls for administrative access.
  • Limit and review access to sensitive network shares using least privilege and periodic access recertification.
  • Improve endpoint hardening and monitoring for credential dumping, keylogging-like behavior, command shell abuse, and suspicious file placement.
  • Apply application control or execution restrictions where practical for unauthorized utilities and unexpected command-shell activity.
  • Ensure file server auditing is enabled for sensitive repositories so IR can determine scope during collection incidents.

Analyst notes and limits

This take is based on the official ATT&CK group description, external references, and listed relationships only. The most operationally useful context comes from the related software and techniques, because the group object itself has no specified platforms, tactics, or official detection text.

ATT&CK does not provide official detection content, current activity status, victim exposure, or complete platform/tactic coverage in the supplied group fields. Local telemetry, asset criticality, region, sector, and identity architecture are required to determine actual risk and detection coverage.

Official MITRE ATT&CK definition

Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

9 rows
Domain | ID | Name | Relationship / procedure

Enterprise | T1083 | File and Directory Discovery
Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim. [1]

Enterprise | T1039 | Data from Network Shared Drive
Sowbug extracted Word documents from a file server on a victim network. [1]

Enterprise | T1560.001 | Archive via Utility (Sub-technique)
Sowbug extracted documents and bundled them into a RAR archive. [1]

Enterprise | T1059.003 | Windows Command Shell (Sub-technique)
Sowbug has used command line during its intrusions. [1]

Enterprise | T1056.001 | Keylogging (Sub-technique)
Sowbug has used keylogging tools. [1]

Enterprise | T1135 | Network Share Discovery
Sowbug listed remote shared drives that were accessible from a victim. [1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (Sub-technique)
Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security. [1]

Enterprise | T1003 | OS Credential Dumping
Sowbug has used credential dumping tools. [1]

Enterprise | T1082 | System Information Discovery
Sowbug obtained OS version and hardware configuration from a victim. [1]

Associated objects

Groups, software, and campaigns

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: c94752c2b4d57467...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | c94752c2b4d5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec Sowbug Nov 2017
     Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  2. [2] Sowbug
     (Citation: Symantec Sowbug Nov 2017)
  3. [3] mitre-attack G0054

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.