S1042: SUGARDUMP
SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.[1]
Analyst context for executives and security teams
SUGARDUMP matters because it is described as a Windows browser credential harvesting tool, not just generic malware. For leaders, the practical risk is that saved browser credentials can become a shortcut to business applications, internal portals, cloud consoles, and follow-on access. Its related behaviors also show persistence through scheduled tasks, masquerading, local staging, custom archiving, and exfiltration over web or mail-based command-and-control channels.
Executive priority
Prioritize this as an identity and incident-response readiness issue: confirm whether the organization can detect credential theft from browsers, revoke exposed credentials quickly, and investigate suspicious scheduled tasks and outbound HTTP/SMTP-like traffic from Windows endpoints. Sectors named in the related C0010 campaign include shipping, government, aviation, energy, and healthcare, so organizations with operational or regulated environments should treat browser-stored credential exposure as a resilience and audit-evidence concern, not only an endpoint malware concern.
Technical view
ATT&CK provides no official detection text for SUGARDUMP, so defenders should validate coverage through the related techniques: browser credential access (T1555.003), browser information discovery (T1217), scheduled task execution/persistence (T1053.005), masquerading of tasks/services and resources (T1036.004, T1036.005), local staging and custom archiving (T1074.001, T1560.003), discovery activity (T1083, T1518), user execution of malicious files (T1204.002), and C2/exfiltration over web or mail protocols (T1071.001, T1071.003, T1041). Because the object platform is Windows, validation should focus first on Windows endpoint, identity, browser, task scheduler, file-system, and network telemetry.
Likely telemetry
- Windows process creation and command-line telemetry
- Windows Task Scheduler task creation, modification, and execution events
- File creation, rename, and write activity in browser profile and credential storage locations
- Access patterns involving browser data, history, profile, or credential files
- Endpoint alerts for suspicious archiving, encryption, or staging behavior
Detection direction
- Do not rely on a SUGARDUMP-specific signature alone; ATT&CK does not provide detection guidance, so map detections to the related behaviors.
- Hunt for newly created or oddly named scheduled tasks and services, especially those resembling legitimate names or placed in trusted-looking locations.
- Correlate browser credential store access with unusual child processes, staging files, archive-like output, or outbound C2-style traffic.
- Baseline legitimate browser, mail client, and administrative task-scheduler activity to reduce false positives.
- Review outbound web and mail protocol traffic from workstations that normally should not send SMTP/POP3/IMAP traffic directly.
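The scheduled-task hunt from the list above, applied to Windows Security event 4698 (scheduled task created) records, as an added example that is neither SUGARDUMP nor MITRE code. It scores each new task on four independent signals drawn from this page's procedure rows: a vendor-branded name absent from a clean-host baseline, an executable launched from outside Windows or Program Files, a binary name that borrows a vendor's identity (CrashReporter.exe) without living under that vendor's install path, and a logon trigger. The baseline set, trusted directories, vendor-binary map and the three sample events are constructed assumptions (the user-profile paths are hypothetical); the Task Scheduler XML shape and namespace are those that 4698 TaskContent carries.

```python
"""Hunt Windows Security 4698 (scheduled task created) events for masqueraded tasks.

Added example, not SUGARDUMP or MITRE code. Baseline, trusted directories and sample
events are constructed stand-ins: build the real baseline from a clean reference image
and feed TaskName/TaskContent from your SIEM's 4698 EventData.
"""
import xml.etree.ElementTree as ET

# Constructed baseline of task names seen on a clean host (assumption: replace with your own export).
BASELINE_TASKS = {
    "\\MicrosoftEdgeUpdateTaskMachineCore",
    "\\MicrosoftEdgeUpdateTaskMachineUA",
}

# Directories a vendor-branded task is expected to launch from (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Binary names that borrow a vendor's identity, and a path fragment that vendor's install uses.
VENDOR_BINARIES = {"crashreporter.exe": "mozilla"}


def _local(tag: str) -> str:
    """Drop the XML namespace so parsing works whatever prefix the exporter used."""
    return tag.rsplit("}", 1)[-1]


def parse_task_content(xml_text: str):
    """Pull the Exec command and the trigger kinds out of 4698 TaskContent XML."""
    root = ET.fromstring(xml_text)
    command, triggers = "", []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Command":
            command = (el.text or "").strip().strip('"')
        elif name.endswith("Trigger"):          # LogonTrigger, CalendarTrigger, BootTrigger, ...
            triggers.append(name)
    return command, triggers


def assess_task(task_name: str, xml_text: str) -> dict:
    """Score one task; each independent masquerade or persistence signal adds a reason."""
    command, triggers = parse_task_content(xml_text)
    cmd = command.lower()
    leaf = task_name.rsplit("\\", 1)[-1].lower()
    reasons = []
    if leaf.startswith("microsoft") and task_name not in BASELINE_TASKS:
        reasons.append("vendor-branded task name absent from baseline")
    if cmd and not cmd.startswith(TRUSTED_DIRS):
        reasons.append("executable outside trusted directories")
    exe = cmd.rsplit("\\", 1)[-1]
    expected = VENDOR_BINARIES.get(exe)
    if expected and expected not in cmd:
        reasons.append(f"{exe} launched outside a {expected} install path")
    if "LogonTrigger" in triggers:
        reasons.append("runs at user logon")
    return {"task": task_name, "command": command, "score": len(reasons), "reasons": reasons}


def hunt(events, threshold: int = 2):
    """Return the assessments that reach the alert threshold."""
    hits = [assess_task(e["TaskName"], e["TaskContent"]) for e in events]
    return [h for h in hits if h["score"] >= threshold]


def _task_xml(trigger: str, command: str) -> str:
    # Minimal Task Scheduler XML in the shape 4698 TaskContent carries.
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
    )


# Constructed 4698 EventData records (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"TaskName": "\\MicrosoftEdgeCrashRepoeterTaskMachineUA",
     "TaskContent": _task_xml("LogonTrigger", "C:\\Users\\alice\\AppData\\Roaming\\CrashReporter.exe")},
    {"TaskName": "\\MicrosoftEdgeUpdateTaskMachineUA",
     "TaskContent": _task_xml("CalendarTrigger",
                              "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe")},
    {"TaskName": "\\Contoso\\NightlyBackup",
     "TaskContent": _task_xml("CalendarTrigger", "C:\\Users\\bob\\tools\\backup.exe")},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["task"], hit["score"], hit["reasons"])
```

The "Repoeter" misspelling in the observed task names is a reminder that fuzzy matching against legitimate names either misses or fires noisily; anchoring on a baseline and on where the executable lives is more robust. Tune the threshold after baselining (a legitimate user-profile logon task scores 2 on its own), and pair the hunt with event 4702 (scheduled task updated) so a modified task does not slip past a creation-only rule.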
Mitigation priorities
- Reduce the business value of browser credential theft by limiting or disabling saved passwords where appropriate and enforcing managed credential practices.
- Strengthen identity controls such as multi-factor authentication and rapid credential reset procedures for accounts exposed through browsers.
- Restrict and monitor Windows scheduled task creation and modification, especially by non-administrative users or unusual processes.
- Harden egress controls so endpoints cannot freely use unexpected web or mail protocols for command-and-control or exfiltration.
- Improve endpoint prevention and monitoring for suspicious file staging, custom archive-like behavior, and masqueraded task/service names.
Analyst notes and limits
SUGARDUMP is linked by ATT&CK to the C0010 campaign and was reported in variants using SMTP C2 and HTTP C2. The strongest defensive value is in treating it as a credential-access and exfiltration scenario: browser secrets may lead to account compromise even if the initial malware is removed. Local environment validation is required to determine whether browser storage, endpoint logging, scheduled task monitoring, and egress telemetry are sufficient.
The ATT&CK object does not specify tactics directly and provides no official detection text. The supplied data supports Windows as the SUGARDUMP platform and supports related ATT&CK techniques, but it does not prove current activity, customer exposure, or guaranteed detectability. Some related techniques list additional platforms, but platform conclusions for this malware should remain centered on Windows unless local evidence shows otherwise.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in their names. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers | SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SUGARDUMP has sent stolen credentials and other data to its C2 server. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service | SUGARDUMP's scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `MicrosoftEdgeCrashRepoeterTaskMachineUA`, depending on the Windows OS version. [1] |
| Enterprise | T1518 | Software Discovery | SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | SUGARDUMP has been named `CrashReporter.exe` to appear as a legitimate Mozilla executable. [1] |
| Enterprise | T1074.001 | Local Data Staging | SUGARDUMP has stored collected data under `% |
| Enterprise | T1053.005 | Scheduled Task | SUGARDUMP has created scheduled tasks called `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` and `MicrosoftEdgeCrashRepoeterTaskMachineUA`, which were configured to execute `CrashReporter.exe` during user logon. [1] |
| Enterprise | T1217 | Browser Information Discovery | SUGARDUMP has collected browser bookmark and history information. [1] |
| Enterprise | T1071.001 | Web Protocols | A SUGARDUMP variant has used HTTP for C2. [1] |
| Enterprise | T1204.002 | Malicious File | Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution. [1] |
| Enterprise | T1071.003 | Mail Protocols | A SUGARDUMP variant used SMTP for C2. [1] |
| Enterprise | T1560.003 | Archive via Custom Method | SUGARDUMP has encrypted collected data using AES CBC mode and encoded it using Base64. [1] |
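A triage heuristic for the T1560.003 row above (AES-CBC, then Base64) and for the detection note earlier on this page about correlating archive-like output with outbound web or mail traffic, as an added example that is neither SUGARDUMP code nor a MITRE detection. It needs no key: it flags a request body that is canonical Base64 and decodes to a 16-byte-aligned, high-entropy blob, the shape CBC ciphertext has regardless of what was encrypted. The sample bodies are constructed, the "ciphertext" is a SHA-256 chain standing in for AES output so the block runs on the standard library alone, and the thresholds are assumptions to tune against your own traffic.

```python
"""Flag Base64-wrapped block-cipher output in outbound request or message bodies.

Added example, not SUGARDUMP code. Bodies that decode as strict Base64 to a
16-byte-aligned, high-entropy blob have the shape AES-CBC ciphertext takes after
Base64 encoding; plaintext, JSON and misaligned blobs do not.
"""
import base64
import binascii
import hashlib
import json
import math

BLOCK = 16          # AES block size; CBC output (with or without a prepended IV) is a multiple of it
ENTROPY_MIN = 7.0   # bits per byte (assumption): ciphertext nears 8.0, text and JSON sit far below
MIN_LEN = 256       # bytes (assumption): below this an entropy estimate is meaningless


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strict_b64decode(text: str):
    """Return the decoded bytes, or None unless the body is canonical Base64."""
    cleaned = "".join(text.split())
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Reject bodies whose re-encoding differs (non-canonical padding, trailing junk).
    if base64.b64encode(raw).decode() != cleaned:
        return None
    return raw


def assess_body(body: str) -> dict:
    """Classify one body; every rejection carries the reason so analysts can tune."""
    raw = strict_b64decode(body)
    if raw is None:
        return {"suspicious": False, "reason": "not canonical Base64"}
    if len(raw) < MIN_LEN:
        return {"suspicious": False, "reason": "too short to judge"}
    if len(raw) % BLOCK:
        return {"suspicious": False, "reason": f"decoded length {len(raw)} not {BLOCK}-byte aligned"}
    ent = shannon_entropy(raw)
    if ent < ENTROPY_MIN:
        return {"suspicious": False, "reason": f"entropy {ent:.2f} too low for ciphertext"}
    return {"suspicious": True, "reason": f"{len(raw)} block-aligned bytes, entropy {ent:.2f}"}


def triage(bodies: dict) -> list:
    """Names of the bodies worth pivoting on, in sorted order."""
    return sorted(name for name, body in bodies.items() if assess_body(body)["suspicious"])


def _pseudo_ciphertext(n_blocks: int) -> bytes:
    # Stand-in for AES-CBC output: a deterministic SHA-256 chain has the same
    # statistical profile as ciphertext and needs no third-party crypto library.
    out, state = b"", b"constructed-seed"
    while len(out) < n_blocks * BLOCK:
        state = hashlib.sha256(state).digest()
        out += state
    return out[: n_blocks * BLOCK]


# Constructed sample bodies (no real C2 traffic).
SAMPLES = {
    "ciphertext_post": base64.b64encode(_pseudo_ciphertext(128)).decode(),
    "misaligned_blob": base64.b64encode(_pseudo_ciphertext(128)[:-3]).decode(),
    "json_post": base64.b64encode(
        json.dumps({"user": "alice", "host": "ws-42", "items": list(range(80))}).encode()
    ).decode(),
    "plain_text": "GET /index.html HTTP/1.1\r\nHost: example.com\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess_body(body))
```

Run it over HTTP POST bodies and over SMTP message bodies or attachments from hosts that have no business sending either to the destination in question. It will also fire on legitimate Base64-wrapped compressed or encrypted data, so treat a hit as a pivot into process, destination and browser-file-access context rather than as an alert on its own.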
Groups, software, and campaigns
C0010
C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess that UNC3890 conducts operations in support of Iranian interests, and have noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. C0010 began by at least late 2020 and was still ongoing as of mid-2022.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9ba1c8ad8c26… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant UNC3890 Aug 2022. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
[2] mitre-attack S1042. MITRE ATT&CK source object S1042 (SUGARDUMP).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.