
S0686: QuietSieve

QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.[1]

Domain: Enterprise | ID: S0686 | Type: Malware | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

QuietSieve is a Windows information stealer associated in ATT&CK with Gamaredon Group use since at least 2021. Its value to defenders is not just the malware name, but the behavior pattern: local data collection, file/share discovery, screen capture, peripheral discovery, hidden-window execution, web-based command-and-control, and tool transfer. For leaders, this makes QuietSieve relevant to protection of sensitive documents, user workstations, investigation readiness, and evidence that endpoint and network monitoring can see collection and C2 activity before data loss expands.

Executive priority

Prioritize QuietSieve as an espionage-oriented data exposure risk for Windows environments, especially where sensitive files, shared drives, screenshots, or connected devices could reveal regulated, legal, operational, or mission information. Because ATT&CK provides no official detection guidance for this object, leadership should ask whether existing managed detection, endpoint logging, proxy/DNS visibility, and incident response playbooks can prove coverage for the related techniques rather than relying on malware-name matching alone.

Technical view

Validate detection around the ATT&CK relationships: Data from Local System, Internet Connection Discovery, Web Protocols, File and Directory Discovery, Ingress Tool Transfer, Screen Capture, Peripheral Device Discovery, Network Share Discovery, and Hidden Window. SOC and IR teams should focus on Windows host activity that combines discovery of local files, shares, peripherals, and screenshots with outbound web traffic and possible downloaded tooling. Since tactics are not specified on the malware object and official detection text is not provided, build coverage from the related techniques and local baselines.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • File system access and enumeration events where available
  • Network share and SMB access telemetry
  • Screenshot or screen capture API/tool activity where monitored
  • Peripheral device and removable media inventory or access logs

Detection direction

  • Correlate file/directory discovery, network share discovery, and local data access with outbound web protocol traffic from the same Windows host.
  • Tune for unusual screenshot behavior, especially when paired with discovery activity or unfamiliar processes.
  • Review detections for Internet connectivity checks that precede external communications, while accounting for legitimate software update and health-check noise.
  • Validate visibility into ingress tool transfer, including downloads that occur through common web protocols.
  • Do not depend solely on signatures for QuietSieve; ATT&CK supplies behavior relationships but no official detection logic.

Mitigation priorities

  • Confirm sensitive data is not broadly exposed on local systems or network shares and apply least-privilege access controls.
  • Harden Windows endpoint monitoring and response coverage for discovery, collection, and web-based C2 behaviors.
  • Restrict and monitor unnecessary outbound web traffic where business operations allow.
  • Maintain controls over tool downloads and execution from untrusted locations.
  • Prepare IR collection procedures for endpoint artifacts, network traffic, accessed files, screenshots, and share access evidence.

Analyst notes and limits

The strongest defensive takeaway is behavioral clustering. QuietSieve is described as an information stealer, and the relationships point to discovery, collection, stealth, command-and-control, and tool transfer behaviors. This supports practical validation of endpoint, network, and share-access telemetry, but local baselines are required to separate malicious activity from administration, inventory, backup, and normal user behavior.

The supplied ATT&CK object has no official detection text, no malware aliases, no labels, and no malware-level tactics specified. Platform support is limited to Windows on the object, even though some related techniques list broader platforms. This take does not assert current exploitation, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

QuietSieve

QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1564.003 | Hidden Window (sub-technique)
QuietSieve has the ability to execute payloads in a hidden window. (Citation: Microsoft Actinium February 2022)

Enterprise | T1071.001 | Web Protocols (sub-technique)
QuietSieve can use HTTPS in C2 communications. (Citation: Microsoft Actinium February 2022)

Enterprise | T1105 | Ingress Tool Transfer
QuietSieve can download and execute payloads on a target host. (Citation: Microsoft Actinium February 2022)

Enterprise | T1016.001 | Internet Connection Discovery (sub-technique)
QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS). (Citation: Microsoft Actinium February 2022)

Enterprise | T1083 | File and Directory Discovery
QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z. (Citation: Microsoft Actinium February 2022)

Enterprise | T1120 | Peripheral Device Discovery
QuietSieve can identify and search removable drives for specific file name extensions. (Citation: Microsoft Actinium February 2022)

Enterprise | T1005 | Data from Local System
QuietSieve can collect files from a compromised host. (Citation: Microsoft Actinium February 2022)

Enterprise | T1135 | Network Share Discovery
QuietSieve can identify and search networked drives for specific file name extensions. (Citation: Microsoft Actinium February 2022)

Enterprise | T1113 | Screen Capture
QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under `Temp\SymbolSourceSymbols\icons` or `Temp\ModeAuto\icons`. (Citation: Microsoft Actinium February 2022)
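The "Detection direction" list above asks for correlation of discovery, collection and outbound web behaviour on the same host, and the relationship table supplies the concrete procedure details (a `ping` to 8.8.8.8, the searched document extensions, the screenshot staging folders, HTTPS C2). The script below is an added example, not Glexia's or MITRE's code, that turns those two passages into a small behavioural correlator. Its log format, host names, timestamps, process names, the 30-minute window and the "two collection behaviours plus outbound web" threshold are all constructed assumptions; only the behaviours themselves come from the page.

```python
"""Correlate QuietSieve-style behaviours across host telemetry (added example).

The pipe-separated log format, thresholds, hosts and timestamps are constructed
for illustration. The behaviours (ping to 8.8.8.8, document extensions,
screenshot staging folders, HTTPS C2) come from the ATT&CK relationship table.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Extensions QuietSieve searches for (T1083 / T1120 / T1135 procedure text).
DOC_EXTS = {"doc", "docx", "xls", "rtf", "odt", "txt", "jpg", "pdf", "rar", "zip", "7z"}
# Screenshot staging folders under the user's local Application Data (T1113).
SCREENSHOT_DIRS = (r"\temp\symbolsourcesymbols\icons", r"\temp\modeauto\icons")
# Connectivity-check target from the T1016.001 procedure text.
CONNECTIVITY_TARGETS = ("8.8.8.8",)
# Correlation window; tune against local baselines (assumed value).
WINDOW = timedelta(minutes=30)
COLLECTION_CATS = {"file_discovery", "network_share_discovery", "screen_capture_staging"}

# Constructed sample telemetry: timestamp|host|event|process|detail
SAMPLE_EVENTS = """\
2024-05-01T09:00:05|WS-17|process|ping.exe|ping -n 1 8.8.8.8
2024-05-01T09:00:12|WS-17|file_enum|updater.exe|D:\\work\\report.docx
2024-05-01T09:00:13|WS-17|file_enum|updater.exe|\\\\fileserv\\share\\budget.xls
2024-05-01T09:05:00|WS-17|file_write|updater.exe|C:\\Users\\a\\AppData\\Local\\Temp\\ModeAuto\\icons\\1.jpg
2024-05-01T09:05:30|WS-17|net_conn|updater.exe|https://203.0.113.10:443
2024-05-01T09:10:00|WS-22|process|ping.exe|ping -n 1 8.8.8.8
2024-05-01T09:10:30|WS-22|net_conn|msedge.exe|https://update.example.com:443
"""


def parse_events(text: str) -> list[dict]:
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, proc, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": kind, "process": proc, "detail": detail})
    return events


def classify(event: dict) -> str | None:
    """Map one event to an ATT&CK-aligned behaviour category, or None."""
    kind, proc, detail = event["event"], event["process"].lower(), event["detail"].lower()
    if kind == "process" and "ping" in proc and any(t in detail for t in CONNECTIVITY_TARGETS):
        return "internet_connectivity_check"                                     # T1016.001
    if kind == "file_enum" and "." in detail and detail.rsplit(".", 1)[-1] in DOC_EXTS:
        # A UNC path (\\server\share) is treated as network share discovery.
        return "network_share_discovery" if detail.startswith("\\\\") else "file_discovery"  # T1135 / T1083
    if kind == "file_write" and any(d in detail for d in SCREENSHOT_DIRS):
        return "screen_capture_staging"                                          # T1113
    if kind == "net_conn" and detail.startswith("https://"):
        return "web_protocol_c2"                                                 # T1071.001
    return None


def correlate(events: list[dict], window: timedelta = WINDOW) -> dict[str, dict]:
    """Alert per host when outbound web traffic co-occurs, inside the window,
    with at least two distinct discovery/collection behaviours.

    A ping followed by an HTTPS connection is deliberately not enough on its
    own: that pairing is what updaters and health checks look like.
    """
    by_host: dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev)
        if cat:
            by_host[ev["host"]].append((ev["ts"], cat, ev["process"]))

    alerts: dict[str, dict] = {}
    for host, hits in by_host.items():
        for t0, _, _ in hits:                        # slide the window from each hit
            in_window = [h for h in hits if t0 <= h[0] <= t0 + window]
            cats = {c for _, c, _ in in_window}
            if "web_protocol_c2" in cats and len(cats & COLLECTION_CATS) >= 2:
                alerts[host] = {"first_seen": t0.isoformat(),
                                "categories": sorted(cats),
                                "processes": sorted({p for _, _, p in in_window})}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host, alert)
```

Run as written, the script raises one alert for WS-17 (connectivity check, local and share document enumeration, screenshot staging and HTTPS, all from the same host) and none for WS-22, whose ping-then-HTTPS sequence is the update and health-check noise the detection guidance says to account for. In a real deployment the `classify` mapping would be fed from EDR process, file and network events rather than a text log, and the threshold and window would be set from local baselines.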

Associated objects

Groups, software, and campaigns

Group Enterprise

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.[6][5]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f1d4ddf61f293d85...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f1d4ddf61f29…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft Actinium February 2022. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  2. [2] mitre-attack S0686.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.