S0589: Sibot
Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[1]
Analyst context for executives and security teams
Sibot matters because it represents a Windows VBScript-based malware family designed for persistence and for downloading/executing additional payloads. In business terms, that makes it a foothold-enabling component: if similar behavior is missed, an intrusion can survive reboots, bring in new tooling, and blend into normal Windows administration paths. ATT&CK links Sibot to the SolarWinds Compromise and APT29 context, so leaders should treat it as a useful validation case for whether endpoint, script, registry, scheduled task, and web egress monitoring are mature enough for high-scrutiny intrusions.
Executive priority
Prioritize this as a control-validation and incident-readiness scenario for Windows environments, especially where business continuity depends on trusted administrative tooling and clean audit evidence. The key executive question is not whether Sibot itself is present, but whether the organization can reliably detect and investigate VBScript execution, persistence via scheduled tasks or registry changes, proxy execution through trusted Windows utilities, and outbound web-based command-and-control or payload retrieval. This supports SOC readiness, IR scoping, compliance evidence, and prioritization of endpoint logging and egress visibility investments.
Technical view
Sibot is documented as Windows malware written in VBScript for persistence and additional payload execution. ATT&CK relationships associate it with registry query/modification, network and connection discovery, command obfuscation, fileless storage, legitimate-looking resource names or locations, WMI, scheduled tasks, Visual Basic execution, indicator removal/file deletion, web protocols/web services, ingress tool transfer, deobfuscation, and proxy execution through mshta.exe and rundll32.exe. SOC and IR teams should validate visibility across script hosts, command lines, parent-child process chains, scheduled task creation or modification, registry access, WMI activity, file deletion, and outbound HTTP/S or web-service traffic from unusual processes.
Likely telemetry
- Windows process creation events with full command line and parent-child relationships
- VBScript and script-host execution evidence, including wscript/cscript-style activity where collected
- Scheduled task creation, modification, and execution logs
- Windows Registry query and modification telemetry
- WMI execution and management activity logs
Detection direction
- Validate detections that correlate VBScript execution with persistence changes, especially scheduled tasks and registry modifications.
- Tune for suspicious parent-child chains involving script interpreters, mshta.exe, rundll32.exe, WMI, and outbound network activity rather than relying on single-process signatures.
- Look for discovery behavior clustered around registry queries, network configuration checks, and connection enumeration on Windows hosts.
- Account for command obfuscation and deobfuscation by preserving full command lines, script content where legally and technically appropriate, and decoded/normalized fields where available.
- Hunt for fileless or registry-resident storage patterns and legitimate-looking resource names or locations that may evade simple file-path allowlists.
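The Detection direction bullets above describe correlating script-host execution with persistence, proxy execution and web egress rather than alerting on any single process. The following is an added example of that correlation (it is not code from this page, from Microsoft or from MITRE): it runs a handful of behaviour rules over a constructed, simplified Sysmon-like event set and only flags a host when two or more distinct rules fire inside the same time window. The event field names, the `kind` values standing in for event IDs, the hosts, paths, registry key and IP addresses are all constructed assumptions.

```python
"""Correlate Windows endpoint telemetry into Sibot-style behaviour chains.

Added example for the detection bullets on this page; not Microsoft/MITRE code.
Event dicts use a constructed, simplified Sysmon-like schema (an assumption):
kind = "process" (Sysmon 1), "network" (Sysmon 3), "registry" (Sysmon 13),
"task" (Security 4698, scheduled task created).
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_BINARIES = {"rundll32.exe", "mshta.exe"}
WINDOW = timedelta(minutes=10)   # max gap between a script-host start and a task creation
MIN_RULES = 2                    # flag a host only when distinct rules agree


def _base(path):
    """Lower-cased file name of a Windows path; tolerates a missing field."""
    return ntpath.basename(path or "").lower()


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _near_script_start(ev, script_starts):
    return any(abs(_ts(ev) - _ts(s)) <= WINDOW for s in script_starts)


def correlate(events):
    """Return {host: sorted rule names} for hosts showing a multi-step chain."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        script_starts = [e for e in evs
                         if e["kind"] == "process" and _base(e["image"]) in SCRIPT_HOSTS]
        hits = set()
        for ev in evs:
            kind = ev["kind"]
            if kind == "process":
                # T1218.005 / T1218.011: proxy binary spawned by a script host
                if (_base(ev["image"]) in PROXY_BINARIES
                        and _base(ev.get("parent_image")) in SCRIPT_HOSTS):
                    hits.add("proxy_exec_from_script_host")
            elif kind == "network":
                # T1071.001 / T1105: script host talking HTTP(S) outbound
                if _base(ev["image"]) in SCRIPT_HOSTS and ev.get("dport") in (80, 443):
                    hits.add("script_host_web_egress")
            elif kind == "registry":
                # T1112 / T1027.011: script host writing registry values
                if _base(ev["image"]) in SCRIPT_HOSTS:
                    hits.add("script_host_registry_write")
            elif kind == "task":
                # T1053.005: new task launching a script host or proxy binary,
                # created shortly after a script host ran on the same host
                action = ev["action"].lower()
                if (any(b in action for b in SCRIPT_HOSTS | PROXY_BINARIES)
                        and _near_script_start(ev, script_starts)):
                    hits.add("task_persists_script_host")
        if len(hits) >= MIN_RULES:
            findings[host] = sorted(hits)
    return findings


# Constructed sample telemetry (not real logs). WS01 shows a full chain;
# WS02 shows a lone admin script reaching a web server, which must not alert.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T10:00:00", "host": "WS01", "kind": "process", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wscript.exe //B C:\ProgramData\Example\sync.vbs"},
    {"ts": "2021-03-01T10:00:02", "host": "WS01", "kind": "registry", "pid": 4100,
     "image": r"C:\Windows\System32\wscript.exe", "target": r"HKCU\Software\Example\Cfg\Blob"},
    {"ts": "2021-03-01T10:00:04", "host": "WS01", "kind": "task",
     "task_name": r"\Microsoft\Windows\Example\Sync",
     "action": r"C:\Windows\System32\mshta.exe C:\ProgramData\Example\loader.hta"},
    {"ts": "2021-03-01T10:00:09", "host": "WS01", "kind": "network", "pid": 4100,
     "image": r"C:\Windows\System32\wscript.exe", "dip": "203.0.113.10", "dport": 443},
    {"ts": "2021-03-01T10:00:15", "host": "WS01", "kind": "process", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\Example\stage.dll,Entry"},
    {"ts": "2021-03-01T11:30:00", "host": "WS02", "kind": "process", "pid": 512, "ppid": 3000,
     "image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe inventory.vbs"},
    {"ts": "2021-03-01T11:30:01", "host": "WS02", "kind": "network", "pid": 512,
     "image": r"C:\Windows\System32\cscript.exe", "dip": "10.0.0.5", "dport": 443},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Requiring two agreeing rules is what keeps legitimate administrative scripting (WS02) quiet while still catching the chain on WS01; the window and rule set are the knobs to tune against your own baseline of script-host activity.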
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage captures script execution, command lines, registry changes, scheduled tasks, WMI, file activity, and network connections.
- Restrict or monitor high-risk script and proxy-execution utilities such as VBScript interpreters, mshta.exe, and rundll32.exe according to business need.
- Harden persistence surfaces by controlling who can create scheduled tasks and modify sensitive registry locations.
- Apply least privilege for administrative accounts that can use WMI, modify registry keys, or establish persistence.
- Strengthen outbound web filtering, proxy logging, and DNS visibility to support investigation of web protocol and web-service command-and-control patterns.
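Hardening the scheduled-task persistence surface is easier to verify when the existing task inventory is reviewed against the same behaviours the page lists (script hosts, mshta.exe, rundll32.exe, payloads in user-writable locations). The following is an added example of such a review (not code from this page, from Microsoft or from MITRE): it parses Task Scheduler XML, which is the real format produced by `schtasks /query /xml` and stored under `%SystemRoot%\System32\Tasks`, and returns reasons a task deserves attention. The two task definitions are constructed samples; the task names, paths and vendor are assumptions, while the element names and namespace are the genuine Task Scheduler schema.

```python
"""Review exported Windows Scheduled Task XML for script-host / proxy-binary persistence.

Added example for the mitigation bullets on this page; not Microsoft/MITRE code.
The two task XML documents below are constructed samples (an assumption about
content); the schema, namespace and element names are the real ones.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
RISKY_BINARIES = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")


def assess_task(task_xml):
    """Return the reasons a task should be reviewed; an empty list means nothing flagged."""
    root = ET.fromstring(task_xml)
    exec_el = root.find("t:Actions/t:Exec", NS)
    if exec_el is None:
        return []   # ComHandler / SendEmail / ShowMessage actions are out of scope here
    command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
    args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()

    reasons = []
    binary = ntpath.basename(command).lower()
    if binary in RISKY_BINARIES:
        reasons.append(f"action runs {binary}")
    action_line = f"{command} {args}".lower()
    if any(p in action_line for p in USER_WRITABLE):
        reasons.append("action references a user-writable path")
    if not reasons:
        return []   # only enrich tasks that already look suspicious

    hidden = root.findtext("t:Settings/t:Hidden", default="", namespaces=NS)
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden")
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    if run_level.strip() == "HighestAvailable":
        reasons.append("runs elevated (HighestAvailable)")
    return reasons


def hunt(tasks):
    """tasks: {task path: task XML}. Return only the flagged tasks with their reasons."""
    return {path: reasons for path, xml in tasks.items() if (reasons := assess_task(xml))}


# Constructed sample: a task in the Microsoft\Windows folder that launches mshta.exe
# against an .hta in ProgramData, hidden and elevated.
SUSPICIOUS_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\mshta.exe</Command>
      <Arguments>C:\ProgramData\Example\loader.hta</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: an ordinary vendor updater under Program Files.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

SAMPLE_TASKS = {
    r"\Microsoft\Windows\Example\Sync": SUSPICIOUS_TASK_XML,
    r"\ExampleVendor\Updater": BENIGN_TASK_XML,
}

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_TASKS).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

Exported task files on disk carry a UTF-16 declaration, so read them as bytes and hand the bytes to `ET.fromstring` rather than decoding them yourself. Pair the review with the access-control point above: knowing who can create tasks is only useful if the resulting inventory is actually checked.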
Analyst notes and limits
MITRE provides no dedicated detection text for Sibot, so this take is derived from the official description, external Microsoft reference, and ATT&CK relationships. The strongest defensive value is using Sibot as a behavioral test case for Windows persistence, script execution, proxy execution, registry activity, and web-based payload/C2 visibility. Relationships to APT29 and the SolarWinds Compromise provide context, but local risk depends on the organization’s Windows estate, logging depth, administrative scripting practices, and egress monitoring maturity.
The supplied object lists Windows as the platform but does not specify tactics directly and does not provide official detection guidance. Related techniques include broader platform coverage, but this assessment is constrained to the Sibot Windows context. No claim is made that Sibot is currently active in any environment or that any control will guarantee detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1012 | Query Registry | Sibot has queried the registry for proxy server information.[1] |
| Enterprise | T1053.005 | Scheduled Task | Sibot has been executed via a scheduled task.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Sibot has downloaded a DLL to the |
| Enterprise | T1016 | System Network Configuration Discovery | Sibot checked if the compromised system is configured to use proxies.[1] |
| Enterprise | T1027.010 | Command Obfuscation | Sibot has obfuscated scripts used in execution.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1105 | Ingress Tool Transfer | Sibot can download and execute a payload onto a compromised system.[1] |
| Enterprise | T1070.004 | File Deletion | Sibot will delete itself if a certain server response is received.[1] |
| Enterprise | T1102 | Web Service | Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[1] |
| Enterprise | T1059.005 | Visual Basic | Sibot executes commands using VBScript.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Sibot can decrypt data received from a C2 and save to a file.[1] |
| Enterprise | T1218.005 | Mshta | Sibot has been executed via the MSHTA application.[1] |
| Enterprise | T1218.011 | Rundll32 | Sibot has executed downloaded DLLs with |
| Enterprise | T1049 | System Network Connections Discovery | Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[1] |
| Enterprise | T1070 | Indicator Removal | Sibot will delete an associated registry key if a certain server response is received.[1] |
| Enterprise | T1027.011 | Fileless Storage | Sibot has installed a second-stage script in the |
| Enterprise | T1112 | Modify Registry | Sibot has modified the Registry to install a second-stage script in the |
| Enterprise | T1071.001 | Web Protocols | Sibot communicated with its C2 server via HTTP GET requests.[1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 11568116c873… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
[2] MITRE ATT&CK. S0589: Sibot (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.