S1035: Small Sieve
Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]
Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]
Analyst context for executives and security teams
Small Sieve matters because it represents a Windows backdoor that can use a legitimate external web service, Telegram Bot API, for command-and-control. For leaders, the practical issue is not only the malware name; it is whether the organization can see script-based execution, suspicious persistence, and outbound web-service traffic that may blend into normal HTTPS activity.
Executive priority
Treat this as a validation case for Windows endpoint visibility, egress governance, and incident response readiness. The supplied ATT&CK relationships show discovery, command execution, persistence through Run Keys or Startup Folder, tool transfer, obfuscation, encoding, and encrypted C2 behaviors. Leaders should ask whether SOC coverage can connect those behaviors into an incident narrative, whether business-approved use of Telegram or similar services is governed, and whether audit evidence exists for endpoint logging, startup persistence monitoring, and outbound traffic control.
Technical view
Small Sieve is described by ATT&CK as a Telegram Bot API-based Python backdoor distributed using an NSIS installer and used by MuddyWater. Its platform is Windows, and its ATT&CK relationships cover Windows Command Shell and Python execution, web protocols, bidirectional web-service C2, ingress tool transfer, non-standard encoding, asymmetric cryptography, discovery of users and network configuration, execution guardrails, obfuscated files or information, masquerading through legitimate-looking resource names or locations, and Registry Run Key or Startup Folder persistence. SOC and IR teams should validate behavior-based detections around unusual Python or cmd.exe activity, suspicious installer-spawned process chains, new user-context startup entries, and outbound web-service communications that coincide with discovery or tool-transfer activity.
Likely telemetry
- Windows process creation telemetry for cmd.exe, python.exe, Python-compiled executables, installers, and child-process chains
- Command-line arguments showing user or network configuration discovery activity
- Windows Registry monitoring for Run Key changes and Startup Folder file creation
- Endpoint file creation and modification events, especially scripts, installer artifacts, obfuscated files, and files placed in legitimate-looking locations
- Network proxy, DNS, firewall, and TLS metadata for outbound web traffic to external web services, including Telegram-related infrastructure where locally relevant
Detection direction
- Because ATT&CK provides no official detection text for this object, prioritize behavior correlation over malware-name matching.
- Tune detections for suspicious Python and Windows Command Shell execution, especially when spawned from installers or from unusual user-writable paths.
- Monitor Run Keys and Startup Folder persistence with allowlists for approved software updaters and business applications to reduce false positives.
- Review egress visibility for legitimate web services used as C2 channels; permitted HTTPS alone should not be treated as benign without process and destination context.
- Look for sequences: installer execution, file placement or masquerading, persistence creation, discovery commands, and outbound web-service communication.
Mitigation priorities
- Inventory where Python and script execution are required on Windows endpoints, then restrict or monitor interpreter use where it is not business-justified.
- Harden persistence points by monitoring and controlling Registry Run Keys and Startup Folder changes.
- Apply egress controls and logging for external web services, including a policy decision on Telegram or similar platforms based on business need.
- Use endpoint protection and application control policies to reduce execution from user-writable or untrusted installer locations.
- Ensure incident response playbooks cover triage of script-based backdoors, startup persistence, outbound web-service C2, and tool-transfer evidence.
Analyst notes and limits
The relationship context is especially useful for defensive planning: Small Sieve is not just a single file to block, but a cluster of behaviors spanning execution, persistence, discovery, stealth, and command-and-control. Its use of a legitimate web service makes network-only detection weaker unless paired with endpoint process context. The ATT&CK relationship to MuddyWater provides threat context, but defensive decisions should still be based on local exposure, telemetry quality, and business-approved service use.
The supplied ATT&CK object does not include official detection guidance, aliases, labels, or explicit tactics for the malware object itself. Related technique descriptions include platforms beyond Windows, but the Small Sieve object platform is Windows; platform claims here are therefore limited to Windows for this malware. No specific indicators, hashes, domains, or guaranteed detection logic are provided in the supplied fields.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell | Small Sieve can use `cmd.exe` to execute commands on a victim's system.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Small Sieve has the ability to download files.[2] |
| Enterprise | T1132.002 | Non-Standard Encoding | Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.[1][2] |
| Enterprise | T1480 | Execution Guardrails | Small Sieve can only execute correctly if the word `Platypus` is passed to it on the command line.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Small Sieve can obtain the IP address of a victim host.[2] |
| Enterprise | T1573.002 | Asymmetric Cryptography | Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[1] |
| Enterprise | T1059.006 | Python | Small Sieve can use Python scripts to execute commands.[2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Small Sieve has the ability to add itself to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift` for persistence.[2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Small Sieve can obtain the ID of a logged-in user.[2] |
| Enterprise | T1102.002 | Bidirectional Communication | Small Sieve has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages.[2] |
| Enterprise | T1071.001 | Web Protocols | Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.[1] |
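The behavior correlation that the detection direction section asks for, applied to the specifics in the techniques table above, as an added example that is not code from the page, MITRE or any vendor tool: it flags a Run key value whose CamelCase tokens are near-miss spellings of Microsoft or Outlook (the "Microsift" masquerading), a process launched from a user-writable path with the `Platypus` guardrail argument, and HTTPS egress from that image to a web-service host, then scores each host by how many distinct behaviors it shows. The telemetry is constructed; the paths, the process name `outlook_update.exe` and the destination `api.telegram.org` (the public Telegram Bot API host) are assumptions, while the Run value name and the `Platypus` argument are the ones the table attributes to Small Sieve.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed telemetry, not real logs. Paths, outlook_update.exe and api.telegram.org
# are assumptions; "OutlookMicrosift" and "Platypus" come from the techniques table.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
TMP_EXE = r"C:\Users\u\AppData\Local\Temp\outlook_update.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": TMP_EXE, "cmdline": "outlook_update.exe Platypus"},
    {"host": "ws01", "type": "registry", "key": RUN_KEY, "value": "OutlookMicrosift", "data": TMP_EXE},
    {"host": "ws01", "type": "network", "image": TMP_EXE, "dst": "api.telegram.org", "port": 443},
    {"host": "ws02", "type": "registry", "key": RUN_KEY, "value": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]
BRANDS = {"microsoft", "outlook", "windows", "office"}
WEB_SERVICE_HOSTS = {"api.telegram.org"}  # assumption: public Telegram Bot API host
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.I)

def lookalike_token(name):
    """CamelCase token that nearly, but not exactly, matches a brand word, else None."""
    for tok in re.findall(r"[A-Z][a-z]*|[a-z]+", name):
        low = tok.lower()
        if low not in BRANDS and any(SequenceMatcher(None, low, b).ratio() >= 0.8 for b in BRANDS):
            return tok
    return None

def findings_for(ev):
    """Map one event to the behavior labels from the detection direction section."""
    f = []
    if ev["type"] == "registry" and ev["key"].endswith(r"\Run") and lookalike_token(ev["value"]):
        f.append("run_key_lookalike")          # masquerading name in a Run key
    if ev["type"] == "process":
        if "platypus" in ev["cmdline"].lower().split():
            f.append("guardrail_argument")     # execution guardrail on the command line
        if USER_WRITABLE.search(ev["image"]):
            f.append("user_writable_image")    # launched from Temp or Downloads
    if ev["type"] == "network" and ev["dst"] in WEB_SERVICE_HOSTS and USER_WRITABLE.search(ev["image"]):
        f.append("web_service_egress")         # HTTPS to a web service from that image
    return f

def correlate(events):
    """Union the labels per host; one label is low, two medium, three or more high."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(findings_for(ev))
    level = {1: "low", 2: "medium"}
    return {h: {"severity": level.get(len(f), "high"), "findings": sorted(f)}
            for h, f in per_host.items() if f}
```

The benign OneDrive Run entry on ws02 produces no finding, so only ws01 appears in the output, at high severity because persistence, guardrail execution and web-service egress all co-occur on it.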
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 956f2959222f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DHS CISA AA22-055A MuddyWater February 2022: FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
[2] NCSC GCHQ Small Sieve Jan 2022: NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
[3] Mandiant UNC3313 Feb 2022: Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
[4] GRAMDOOR (Citation: Mandiant UNC3313 Feb 2022)
[5] mitre-attack S1035
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.