S0546: SharpStage
SharpStage is a .NET malware with backdoor capabilities.[1][2]
Analyst context for executives and security teams
SharpStage matters because ATT&CK describes it as Windows .NET malware with backdoor capabilities, with related behaviors spanning execution, persistence, discovery, collection, command-and-control, and tool transfer. For leaders, the practical issue is not only the malware name; it is whether Windows endpoint, identity, network, and cloud/web-service monitoring can show when a backdoor is launched, persists, profiles a host, captures screens, and communicates through legitimate web services that may blend into normal traffic.
Executive priority
Prioritize SharpStage as a validation case for Windows endpoint resilience and incident readiness. The ATT&CK relationships point to common control-decision areas: PowerShell and command shell governance, WMI visibility, scheduled task and Run key persistence monitoring, outbound web-service traffic review, and evidence collection for host discovery and screen capture activity. Because no official ATT&CK detection guidance is provided, executives should ask whether the SOC can prove coverage through telemetry and tested detections rather than relying on signature names alone.
Technical view
ATT&CK lists SharpStage as Windows malware and relates it to T1047 WMI, T1053.005 Scheduled Task, T1059.001 PowerShell, T1059.003 Windows Command Shell, T1082 System Information Discovery, T1102 Web Service, T1105 Ingress Tool Transfer, T1113 Screen Capture, T1140 Deobfuscate/Decode Files or Information, T1547.001 Registry Run Keys / Startup Folder, and T1614.001 System Language Discovery. SOC and IR teams should validate process lineage, script and shell execution, WMI activity, scheduled task creation/modification, Run key/startup folder changes, file download or transfer evidence, screen capture indicators where available, and outbound connections to legitimate web services used as possible C2 channels. Relationship context also notes Molerats uses this object, but that should be treated as ATT&CK context, not proof of local attribution.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution logs and script block/module logging where enabled
- WMI operational logs and remote/local WMI execution evidence
- Scheduled Task creation, modification, and execution events
- Registry auditing for Run keys and startup folder change monitoring
Detection direction
- Use behavior-based analytics around the related ATT&CK techniques rather than depending on the SharpStage name, because official ATT&CK detection text is not provided.
- Correlate suspicious PowerShell, cmd.exe, and WMI execution with persistence changes such as Scheduled Tasks or Registry Run keys.
- Tune for administrative false positives: WMI, PowerShell, scheduled tasks, and web services are legitimate in many Windows environments, so detection should use parent process, user context, host role, command content, timing, and persistence correlation.
- Review outbound traffic to legitimate web services in context of unusual process ancestry, new binaries, or post-execution discovery activity; web-service C2 can be difficult to distinguish from normal business traffic without endpoint correlation.
- Validate that telemetry retention supports incident reconstruction across execution, persistence, discovery, collection, and command-and-control behaviors.
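The correlation the bullets above describe (script, shell or WMI execution followed on the same host by a Scheduled Task or Run key change, with administrative parent processes suppressed) can be prototyped over endpoint events. The block below is an added example written for this page, not code from ATT&CK, Glexia, or the cited reports; the event records are constructed to resemble Sysmon/Security-log fields, and the field names, the `ADMIN_PARENTS` allowlist and the ten-minute window are assumptions to tune per environment.

```python
"""Correlate script/shell/WMI execution with persistence changes on the same host.

Added example (not from ATT&CK or the Glexia page). The Event fields and the
sample records are constructed; image names in ADMIN_PARENTS are assumed
management agents and must be tuned to the environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Execution images of interest (T1059.001, T1059.003, T1047 context).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wmic.exe", "wmiprvse.exe"}
# Registry paths that indicate Run / RunOnce persistence (T1547.001).
RUN_KEY_MARKERS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
# Assumed administrative parents whose child execution is expected (tuning knob).
ADMIN_PARENTS = {"ccmexec.exe"}
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "process", "registry" or "task" (constructed taxonomy)
    image: str = ""    # process image, or originating process for registry/task
    parent: str = ""   # parent image for process events
    detail: str = ""   # command line, registry path, or task name


def is_execution(ev: Event) -> bool:
    """Process creation of a script host, shell or WMI process."""
    return ev.kind == "process" and ev.image.lower() in SCRIPT_HOSTS


def is_persistence(ev: Event) -> bool:
    """Scheduled Task creation (T1053.005) or a Run/RunOnce key write (T1547.001)."""
    if ev.kind == "task":
        return True
    return ev.kind == "registry" and any(
        m.lower() in ev.detail.lower() for m in RUN_KEY_MARKERS
    )


def correlate(events, window: timedelta = WINDOW):
    """Return one alert per persistence event preceded, within `window`, by a
    script/shell/WMI execution on the same host. Executions launched by an
    allowlisted administrative parent are suppressed to reduce admin noise."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for p in (e for e in events if is_persistence(e)):
        for x in events:
            if x.ts > p.ts:
                break  # only look backwards from the persistence event
            if not is_execution(x) or x.host != p.host:
                continue
            if p.ts - x.ts > window:
                continue
            if x.parent.lower() in ADMIN_PARENTS:
                continue  # expected administrative context
            alerts.append({
                "host": p.host,
                "user": p.user,
                "execution": x.image,
                "execution_parent": x.parent,
                "command_line": x.detail,
                "persistence": p.detail,
                "delta_seconds": int((p.ts - x.ts).total_seconds()),
            })
    return alerts


# Constructed sample telemetry: one user-launched PowerShell followed by a Run
# key write, one management-agent PowerShell followed by its own task, a task
# with no preceding execution, and a Run key write outside the window.
_t0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(_t0, "WS01", "alice", "process", "powershell.exe", "explorer.exe",
          "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1"),
    Event(_t0 + timedelta(minutes=2), "WS01", "alice", "registry", "powershell.exe", "",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Event(_t0 + timedelta(minutes=3), "WS01", "alice", "process", "cmd.exe",
          "powershell.exe", "cmd.exe /c whoami"),
    Event(_t0 + timedelta(minutes=5), "WS02", "SYSTEM", "process", "powershell.exe",
          "ccmexec.exe", "powershell.exe -File C:\\Windows\\CCM\\inventory.ps1"),
    Event(_t0 + timedelta(minutes=6), "WS02", "SYSTEM", "task", "powershell.exe", "",
          "\\Microsoft\\Configuration Manager\\Inventory"),
    Event(_t0 + timedelta(minutes=30), "WS03", "bob", "task", "schtasks.exe", "",
          "\\Backup"),
    Event(_t0 + timedelta(minutes=40), "WS01", "alice", "registry", "regedit.exe", "",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Other"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

With the default window only the WS01 pair fires; widening the window to an hour also pairs the later Run key write on WS01 with the earlier PowerShell and cmd.exe executions, which is the trade-off the tuning bullet describes: a longer window catches slower staging but multiplies correlations that need analyst review.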
Mitigation priorities
- Harden Windows scripting and administration surfaces with least privilege, PowerShell governance, and monitoring for WMI and command shell misuse.
- Control persistence paths by monitoring and restricting unauthorized Scheduled Task, Run key, and startup folder changes.
- Apply egress governance and proxy logging sufficient to investigate legitimate web-service abuse without blocking normal business use indiscriminately.
- Ensure EDR or equivalent endpoint controls can collect process, registry, task, WMI, file, and network evidence needed for IR.
- Use this malware’s related techniques as a tabletop or detection-engineering test case for SOC readiness and audit evidence, especially where no official ATT&CK detection procedure is supplied.
Analyst notes and limits
The strongest defensive value comes from the relationships: SharpStage is a Windows .NET backdoor in ATT&CK, and its related techniques map to practical Windows execution, persistence, discovery, collection, and C2 validation. The supplied relationship context also identifies Molerats as a group that uses SharpStage, with victim geography described in the group object; this should inform threat intelligence context but not be treated as evidence of targeting in any specific environment.
ATT&CK provides no official detection text for this object, no aliases, and no explicit malware tactics field in the supplied object. This analysis therefore makes no claims of active exploitation, local exposure, guaranteed detection, or specific indicators. Local telemetry quality, business use of web services, Windows administration practices, and endpoint control coverage are required to determine actual risk and detection confidence.
SharpStage
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SharpStage can execute arbitrary commands with the command line. [1][2] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | SharpStage has a persistence component to write a scheduled task for the payload. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder. [1] |
| Enterprise | T1102 | Web Service | SharpStage has used a legitimate web service for evading detection. [1] |
| Enterprise | T1113 | Screen Capture | SharpStage has the ability to capture the victim's screen. [1][2] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | SharpStage can execute arbitrary commands with PowerShell. [1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | SharpStage has the ability to download and execute additional payloads via a DropBox API. [1][2] |
| Enterprise | T1082 | System Information Discovery | SharpStage has checked the system settings to see if Arabic is the configured language. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SharpStage has decompressed data received from the C2 server. [2] |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed. [2] |
| Enterprise | T1047 | Windows Management Instrumentation | SharpStage can use WMI for execution. [1][2] |
Groups, software, and campaigns
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 3df4a40832e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybereason Molerats Dec 2020: Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
[2] BleepingComputer Molerats Dec 2020: Ilascu, I. (2020, December 14). Hacking group's new malware abuses Google and Facebook services. Retrieved December 28, 2020.
[3] SharpStage (Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)
[4] mitre-attack S0546
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.