S1049: SUGARUSH
Analyst context for executives and security teams
SUGARUSH matters because it is described as a small Windows backdoor capable of opening a TCP reverse shell to a hard-coded command-and-control address. For leaders, the practical concern is not just the malware name; it is whether the organization can prove it would see a Windows host creating persistence, checking connectivity, launching command shell activity, and making unusual outbound TCP connections before that access becomes an incident-response problem.
Executive priority
Treat this as a validation case for endpoint and network visibility on Windows systems, especially in environments where operational continuity is critical. The supplied relationship to campaign C0010, which targeted shipping, government, aviation, energy, and healthcare organizations in Israel, makes the behavior relevant to resilience planning and audit evidence: can teams show that outbound C2-like traffic, Windows service persistence, and remote shell execution would be detected, triaged, and contained?
Technical view
ATT&CK attaches detection guidance to technique objects, not to software entries, so there is no official detection text for SUGARUSH itself. Defenders should build coverage from the supplied behavior and relationships: Windows backdoor activity, a reverse shell over TCP, Internet connection discovery, Windows Command Shell execution, non-application-layer C2 on a non-standard port (4585 in the cited reporting), and Windows service persistence (a service named `Service1` in the cited reporting). The Local Storage Discovery mapping should be verified separately, because the mirrored relationship text for that row describes MoonWind rather than SUGARUSH. SOC and IR teams should validate correlations across service creation or modification, cmd.exe execution, connectivity checks, and outbound TCP sessions to unusual or hard-coded destinations.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe activity
- Windows service creation, modification, and service configuration telemetry
- Windows Registry evidence for service executable paths or recovery command changes
- Endpoint network connection telemetry for outbound TCP sessions
- Network flow, firewall, proxy, or NDR logs showing unusual destination, port, or protocol patterns
Detection direction
- Do not rely on a malware signature alone; ATT&CK does not provide detection logic for this object.
- Prioritize behavior chaining: new or changed Windows service plus command shell execution plus outbound TCP communication is more meaningful than any one event alone.
- Tune for non-standard port and protocol-port mismatches, while accounting for legitimate remote administration, monitoring agents, and custom business applications.
- Validate that hard-coded C2 behavior would still be visible even if DNS logs are absent or unhelpful.
- Review Internet connection discovery (and storage discovery, if that mapping is confirmed for this sample) in context, because these actions are common in administration scripts but more suspicious when they occur close to persistence or reverse-shell behavior.
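The behavior chain above, worked as an added example that is not part of the page or of any vendor tooling: a small correlation routine that scores each outbound connection from a Windows host by what preceded it in a time window (service install, cmd.exe spawned by the new service's binary, a non-standard destination port, and a destination IP that was never the answer to a DNS query, which is what a hard-coded C2 address looks like when DNS logs are unhelpful). The event shape, field names, the event ids (Sysmon 1/3/22 and System log 7045), the allowlist and the sample events are all constructed assumptions; map them onto your own pipeline.

```python
"""Behavior-chaining detection for a SUGARUSH-style backdoor (added example).

Correlates constructed Sysmon-like events on one host inside a time window.
Field names, event ids and sample data are assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed event ids: 1 = process create, 3 = network connect, 22 = DNS query
# answered (Sysmon), 7045 = service installed (System log). ISO 8601 timestamps.
SAMPLE_EVENTS = [  # constructed sample data, not captured telemetry
    {"ts": "2022-08-17T09:00:01", "host": "WS01", "id": 22,
     "query": "monitor.example.net", "answer": "203.0.113.20"},
    {"ts": "2022-08-17T09:00:02", "host": "WS01", "id": 3,
     "image": r"C:\Program Files\Monitor\agent.exe", "dst_ip": "203.0.113.20", "dst_port": 8443},
    {"ts": "2022-08-17T09:10:00", "host": "WS01", "id": 7045,
     "service": "Service1", "image": r"C:\Users\Public\svc.exe"},
    {"ts": "2022-08-17T09:10:03", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\Public\svc.exe", "cmdline": "cmd"},
    {"ts": "2022-08-17T09:10:05", "host": "WS01", "id": 3,
     "image": r"C:\Users\Public\svc.exe", "dst_ip": "198.51.100.7", "dst_port": 4585},
    {"ts": "2022-08-17T11:00:00", "host": "WS02", "id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd /c dir"},
]

STANDARD_PORTS = {22, 25, 53, 80, 88, 123, 135, 139, 389, 443, 445, 587, 636, 993, 3389, 5985, 5986}
# Assumed allowlist of images whose egress is expected (monitoring agents, RMM); tune per environment.
KNOWN_EGRESS_IMAGES = {r"c:\program files\monitor\agent.exe"}
# Weak signal: generic names such as "Service1" from the cited reporting.
GENERIC_SERVICE_NAME = re.compile(r"^service\d*$", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def chain_detections(events, window=timedelta(minutes=15), threshold=3):
    """Return one alert per outbound connection whose preceding events on the
    same host (inside `window`) push its combined signal score to >= threshold."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        resolved_ips = set()  # IPs this host actually resolved via DNS
        for i, conn in enumerate(evs):
            if conn["id"] == 22:
                resolved_ips.add(conn["answer"])
                continue
            if conn["id"] != 3 or conn["image"].lower() in KNOWN_EGRESS_IMAGES:
                continue
            recent = [x for x in evs[:i] if _ts(conn) - _ts(x) <= window]
            services = [x for x in recent if x["id"] == 7045]
            shells = [x for x in recent
                      if x["id"] == 1 and x["image"].lower().endswith(r"\cmd.exe")]
            service_images = {s["image"].lower() for s in services}
            signals = {
                "new_service": bool(services),
                "generic_service_name": any(GENERIC_SERVICE_NAME.match(s["service"]) for s in services),
                "cmd_shell": bool(shells),
                "shell_spawned_by_service": any(s["parent"].lower() in service_images for s in shells),
                "nonstandard_port": conn["dst_port"] not in STANDARD_PORTS,
                "no_dns_resolution": conn["dst_ip"] not in resolved_ips,  # hard-coded address indicator
            }
            score = sum(signals.values())
            if score >= threshold:
                alerts.append({
                    "host": host, "ts": conn["ts"], "image": conn["image"],
                    "dst": f"{conn['dst_ip']}:{conn['dst_port']}",
                    "score": score, "signals": [k for k, v in signals.items() if v],
                })
    return alerts


if __name__ == "__main__":
    for alert in chain_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the monitoring agent's connection to 8443 is skipped by the allowlist and the lone cmd.exe on WS02 never produces an alert because nothing connected outbound; only the svc.exe session to 198.51.100.7:4585 fires, carrying all six signals. In production the threshold and allowlist are the tuning knobs: a single signal (a non-standard port, a new service) is routine, the chain is not.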
Mitigation priorities
- Confirm egress filtering and network monitoring are enforced for Windows endpoints, especially for unusual outbound TCP destinations and non-standard ports.
- Harden and monitor Windows service creation and modification paths, including least-privilege administration and change control.
- Limit unnecessary command shell use where feasible and ensure command-line logging is available for investigation.
- Maintain endpoint detection coverage on Windows systems with retention sufficient to reconstruct service, process, and network activity.
- Prepare IR playbooks for suspected backdoor access: isolate host, preserve volatile and service configuration evidence, review outbound connections, and scope for related discovery activity.
Analyst notes and limits
This take is based only on the supplied ATT&CK fields and relationships. SUGARUSH is identified as malware S1049 in enterprise ATT&CK, with Windows as the supplied platform and no ATT&CK tactics listed directly on the malware object. The most useful defensive context comes from the related techniques and the C0010 campaign relationship.
Official ATT&CK detection guidance is not provided for SUGARUSH. Beyond the C2 port (4585) and service name (`Service1`) recorded in the technique table, the supplied data does not include indicators, hashes, C2 addresses, prevalence, or confirmed current activity. Local telemetry, asset criticality, and environment-specific baselines are required to turn this into deployable detection logic.
SUGARUSH
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | The mirrored relationship text for this row describes MoonWind ("MoonWind can obtain the number of drives on the victim machine", citing Palo Alto MoonWind March 2017), not SUGARUSH; verify this mapping against the ATT&CK source before treating storage discovery as SUGARUSH behavior. |
| Enterprise | T1571 | Non-Standard Port | SUGARUSH has used port 4585 for a TCP connection to its C2. [1] |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection. [1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | SUGARUSH has created a service named `Service1` for persistence. [1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SUGARUSH has used `cmd` for execution on an infected host. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | SUGARUSH has used TCP for C2. [1] |
Groups, software, and campaigns
C0010
C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess that UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. C0010 began by at least late 2020 and was still ongoing as of mid-2022.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f026eca6e4cb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. (Cited in ATT&CK as "Mandiant UNC3890 Aug 2022".)
[2] MITRE ATT&CK. S1049: SUGARUSH (mitre-attack S1049).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.