S1019: Shark
Analyst context for executives and security teams
Shark matters because it is a Windows C#/.NET backdoor that ATT&CK associates with HEXANE, with a behavior set covering persistent remote control, discovery, staging, and exfiltration. For leaders, the practical question is not just “do we know this malware name?” but whether Windows endpoint, DNS, web, and data-movement monitoring can show when a backdoor is communicating, collecting local data, hiding artifacts, or moving files out over command-and-control channels.
Executive priority
Prioritize Shark-related readiness where Windows environments support sensitive operations, regulated data, or sectors similar to those noted in the HEXANE relationship, including oil and gas, telecommunications, aviation, and internet service providers. The ATT&CK record has no official detection text, so leadership should ask for evidence of coverage across the mapped behaviors: command shell execution, registry and system discovery, DNS/web C2, fallback channels, data staging, scheduled transfer, and exfiltration over C2. This is useful for incident response planning, SOC validation, compliance evidence, and resilience discussions because the material risk is covert access plus data theft rather than a single malware signature.
Technical view
Treat Shark as a Windows-focused backdoor with ATT&CK relationships spanning execution, discovery, command-and-control, collection, exfiltration, and defense evasion/stealth. SOC and IR teams should validate that endpoint telemetry captures .NET/C# process behavior, child process creation such as Windows command shell use, registry queries, system information discovery, file creation/deletion, encoded or decoded artifacts, and unusual staging directories. Network teams should validate visibility into outbound HTTP/S-style web traffic, DNS activity, DGA-like domain patterns, fallback destinations, tool/file downloads, and data transfer over an established C2 channel. Because ATT&CK provides no official detection guidance for this object, detections should be behavior-based and tested against the related techniques rather than relying on the Shark name alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and suspicious .NET process activity
- Windows Registry query telemetry
- System information discovery events from hosts
- File creation, rename, deletion, encoding/decoding, and staging-location activity
- DNS query logs and resolver telemetry for unusual or algorithmic-looking domains
Detection direction
- Build coverage around the mapped ATT&CK behaviors: T1059.003, T1012, T1082, T1071.001, T1071.004, T1008, T1568.002, T1105, T1005, T1074, T1029, and T1041.
- Correlate endpoint discovery and command shell activity with subsequent outbound DNS/web communications and file staging rather than alerting on isolated benign administrative commands.
- Tune for false positives from legitimate administration, software inventory, backup jobs, and scheduled data transfers by baselining normal Windows hosts, service accounts, destinations, and timing.
- Validate visibility into evasive behaviors including encoded/encrypted files, decode/deobfuscation activity, legitimate-looking resource names or locations, file deletion, and system checks that may indicate sandbox or analysis avoidance.
- Use the HEXANE relationship as threat-intelligence context for prioritization, not as proof of current activity or attribution in a local incident.
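One way to operationalize the correlation rule above, as an added example (not code from this page's source or from MITRE): a small Python correlator over constructed endpoint, registry, DNS and file events that tags each event with the mapped technique (cmd.exe use, the Cryptography MachineGuid query, a high-entropy DNS label as a crude DGA heuristic, staging folders U1/U2) and alerts only when one host shows several of them inside a short window. The event shape, entropy threshold and window size are assumptions, and the sample events are constructed.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (host, ISO timestamp, event kind, detail); not real data.
EVENTS = [
    ("ws01", "2021-08-01T10:00:00", "process", r"C:\Windows\System32\cmd.exe /c whoami"),
    ("ws01", "2021-08-01T10:00:05", "registry", r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
    ("ws01", "2021-08-01T10:00:30", "dns", "k3q9x7zt2m.example-dga.net"),
    ("ws01", "2021-08-01T10:01:00", "file", r"C:\Users\Public\U1\data.zip"),
    ("ws02", "2021-08-01T11:00:00", "process", r"C:\Windows\System32\cmd.exe /c ipconfig"),
    ("ws02", "2021-08-01T11:30:00", "dns", "update.microsoft.com"),
]

def looks_algorithmic(domain, min_len=8, min_entropy=3.0):
    """Crude DGA heuristic: long, high-entropy leftmost label (assumed thresholds)."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    probs = [c / len(label) for c in Counter(label).values()]
    return -sum(p * math.log2(p) for p in probs) >= min_entropy

def classify(kind, detail):
    """Map one event to the ATT&CK technique it evidences, or None if benign-looking."""
    d = detail.lower()
    if kind == "process" and "cmd.exe" in d:
        return "T1059.003"                      # Windows Command Shell
    if kind == "registry" and "cryptography" in d and "machineguid" in d:
        return "T1012"                          # Query Registry (machine GUID)
    if kind == "dns" and looks_algorithmic(detail):
        return "T1568.002"                      # DGA-like DNS C2
    if kind == "file" and any(f"\\{n}\\" in d for n in ("u1", "u2")):
        return "T1074"                          # Data Staged in U1/U2
    return None

def correlate(events, window_minutes=10, min_behaviors=3):
    """Alert per host when >= min_behaviors distinct techniques occur within the window."""
    by_host = defaultdict(list)
    for host, ts, kind, detail in events:
        tech = classify(kind, detail)
        if tech:
            by_host[host].append((datetime.fromisoformat(ts), tech))
    alerts, window = {}, timedelta(minutes=window_minutes)
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # sliding window over sorted hits
            techs = {t for ts, t in hits[i:] if ts - start <= window}
            if len(techs) >= min_behaviors and len(techs) > len(alerts.get(host, ())):
                alerts[host] = tuple(sorted(techs))
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))   # ws01 alerts; ws02's lone cmd.exe does not
```

Single-technique hits (ws02 above) deliberately stay below the alert threshold, which is the false-positive control the bullet list asks for; baseline the thresholds against your own hosts before deploying.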
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, DNS, proxy/firewall, and file activity logs are collected, retained, and searchable for incident response.
- Harden outbound access by enforcing egress controls, DNS monitoring, proxy inspection where appropriate, and alerting for unusual destinations or fallback communication behavior.
- Reduce command-and-control usefulness through least privilege, application control where feasible, and restrictions on unnecessary script or command shell execution.
- Protect sensitive data paths with access control, monitoring for staging and bulk movement, and review of scheduled transfer mechanisms.
- Prepare IR playbooks for suspected backdoor activity: isolate affected Windows hosts, preserve endpoint and network evidence, scope DNS/web communications, and assess possible data collection or exfiltration.
Analyst notes and limits
The ATT&CK object identifies Shark as a C#/.NET Windows backdoor and an updated version of Milan, used by HEXANE since at least July 2021. The relationship set is rich enough to guide defensive validation across C2, discovery, collection, exfiltration, and stealth behaviors, but local telemetry is required to determine exposure or activity.
Official detection guidance is not provided. Tactics are not specified on the malware object itself, and several related techniques list platforms beyond Windows; this take treats Windows as the supported Shark platform while using cross-platform technique relationships only as behavioral context. No claim is made about active exploitation, current targeting, attribution in any environment, or guaranteed detection coverage.
Shark
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Shark can download additional files from its C2 via HTTP or DNS. [1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Shark can use encrypted and encoded files for C2 configuration. [1][2] |
| Enterprise | T1029 | Scheduled Transfer | Shark can pause C2 communications for a specified time. [1] |
| Enterprise | T1012 | Query Registry | Shark can query `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid` to retrieve the machine GUID. [2] |
| Enterprise | T1082 | System Information Discovery | Shark can collect the GUID of a targeted machine. [1][2] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Shark has the ability to use `CMD` to execute commands. [1][2] |
| Enterprise | T1008 | Fallback Channels | Shark can update its configuration to use a different C2 server. [1] |
| Enterprise | T1005 | Data from Local System | Shark can upload files to its C2. [1][2] |
| Enterprise | T1497.001 | System Checks (sub-technique) | Shark can stop execution if the screen width of the targeted machine is not over 600 pixels. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | Shark binaries have been named `audioddg.pdb` and `Winlangdb.pdb` in order to appear legitimate. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Shark can delete files downloaded to the compromised host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Shark can extract and decrypt downloaded .zip files. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Shark has the ability to use HTTP in C2 communications. [1][2] |
| Enterprise | T1071.004 | DNS (sub-technique) | Shark can use DNS in C2 communications. [1][2] |
| Enterprise | T1074 | Data Staged | Shark has stored information in folders named `U1` and `U2` prior to exfiltration. [1] |
| Enterprise | T1568.002 | Domain Generation Algorithms (sub-technique) | Shark can send DNS C2 communications using a unique domain generation algorithm. [1][2] |
Groups, software, and campaigns
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 41b1bc9532e8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ClearSky Siamesekitten August 2021: ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- [2] Accenture Lyceum Targets November 2021: Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum? Retrieved June 16, 2022.
- [3] mitre-attack S1019: MITRE ATT&CK source object for S1019.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.