S1076: QUIETCANARY
QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[1]
Analyst context for executives and security teams
QUIETCANARY matters because it is a Windows .NET backdoor associated in ATT&CK with data gathering and exfiltration from victim networks. For leaders, the practical issue is not only malware presence, but whether the organization can prove it would notice a Windows host quietly discovering local/network configuration, staging data, and communicating over web-like encrypted or encoded channels.
Executive priority
Prioritize validation of endpoint, network, and data-loss visibility for Windows systems that handle sensitive operations or regulated information. Because ATT&CK provides no official detection guidance for this malware, coverage should be demonstrated through evidence: process behavior, registry access, outbound web protocol monitoring, staged data indicators, and incident response playbooks for suspected backdoor-driven exfiltration. The C0026 relationship also makes campaign-context threat intelligence useful, but local exposure and risk require environment-specific assessment.
Technical view
SOC and IR teams should validate behavior-based coverage around the related ATT&CK techniques: Windows Registry queries, system/network configuration discovery, Native API use, hidden windows, decoding/deobfuscation, data staging, and C2 over web protocols with standard encoding and symmetric cryptography. Since the object is described as a .NET Windows backdoor, defenders should confirm visibility into .NET process execution, child processes, unusual registry reads, file staging locations, and outbound HTTP/S-like traffic from uncommon processes. Treat detections as behavioral hypotheses rather than signature guarantees because MITRE does not provide official detection logic for QUIETCANARY.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Registry access/query events
- File creation, modification, and bulk copy activity that may indicate data staging
- Network connection logs, proxy logs, DNS logs, and HTTP/S metadata
- Endpoint security alerts for hidden-window execution, deobfuscation, or unusual .NET activity
Detection direction
- Build or validate analytics that correlate discovery behavior with later staging and outbound web-protocol communications.
- Look for unusual registry querying and system/network configuration discovery by non-administrative or unexpected processes.
- Tune for false positives from legitimate administration tools, software inventory, EDR agents, and management scripts.
- Review outbound HTTP/S-like traffic from uncommon Windows processes, especially where encoded or encrypted payload patterns reduce content visibility.
- Confirm whether logging captures enough endpoint and network context to investigate C2 and exfiltration-like behavior despite encryption or standard encoding.
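As an added illustration of the correlation idea in the list above (this is example code written for this page, not MITRE's or Mandiant's, and not taken from any detection product), the following Python analytic chains the three behaviors the techniques table describes for this object: a proxy-setting Registry query (T1012/T1016), a bulk write into a staging directory (T1074), and a later outbound connection on a web port (T1071.001) from the same process. The event schema (`host`, `pid`, `image`, `event`, `detail`, `ts`, `bytes`), the allowlist, the staging directories and the sample events are all assumptions constructed for the example; the Registry value names under `Internet Settings` are the standard WinINET proxy values.

```python
"""Toy correlation analytic: discovery -> staging -> web egress, per process.

All telemetry below is constructed for this example. The field names are an
assumed flat schema, not any real EDR's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Processes expected to read proxy settings and talk HTTPS. This is an
# assumed starting allowlist; tune it per environment (false-positive control).
WEB_ALLOWLIST = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe",
                 "svchost.exe", "msmpeng.exe"}

# Standard WinINET per-user proxy values (the "default proxy" a .NET
# HttpWebRequest picks up). Matched as Registry path suffixes.
PROXY_REG_SUFFIXES = (
    r"\Internet Settings\ProxyServer",
    r"\Internet Settings\ProxyEnable",
    r"\Internet Settings\AutoConfigURL",
)

# Assumed directories where staged archives tend to land.
STAGE_DIRS = (r"\AppData\Local\Temp\\".rstrip("\\"), r"\ProgramData")

SAMPLE_EVENTS = [  # constructed sample telemetry
    # 1) unsigned updater reads proxy config, stages 5 MB, then talks HTTPS
    {"ts": "2024-01-10T09:00:00", "host": "ws01", "pid": 4120, "image": "update.exe",
     "event": "registry_query",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"},
    {"ts": "2024-01-10T09:00:05", "host": "ws01", "pid": 4120, "image": "update.exe",
     "event": "file_write", "detail": r"C:\Users\a\AppData\Local\Temp\out.dat",
     "bytes": 5_000_000},
    {"ts": "2024-01-10T09:01:00", "host": "ws01", "pid": 4120, "image": "update.exe",
     "event": "net_connect", "detail": "203.0.113.5:443"},
    # 2) browser does the same sequence: allowlisted, no alert
    {"ts": "2024-01-10T09:02:00", "host": "ws01", "pid": 880, "image": "chrome.exe",
     "event": "registry_query",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
    {"ts": "2024-01-10T09:02:01", "host": "ws01", "pid": 880, "image": "chrome.exe",
     "event": "net_connect", "detail": "198.51.100.7:443"},
    # 3) inventory tool queries proxy config but never egresses: no alert
    {"ts": "2024-01-10T09:05:00", "host": "ws02", "pid": 3001, "image": "inventory.exe",
     "event": "registry_query",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"},
]


def _proxy_discovery(ev):
    return ev["event"] == "registry_query" and ev["detail"].endswith(PROXY_REG_SUFFIXES)


def _staging(ev, min_bytes=1_000_000):
    return (ev["event"] == "file_write"
            and any(d.lower() in ev["detail"].lower() for d in STAGE_DIRS)
            and ev.get("bytes", 0) >= min_bytes)


def _web_egress(ev):
    if ev["event"] != "net_connect":
        return False
    return ev["detail"].rsplit(":", 1)[-1] in ("80", "443")


def correlate(events, window=timedelta(minutes=15)):
    """Return one alert per process whose proxy discovery is followed, within
    `window`, by outbound web traffic; flag staging seen in between."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        if image.lower() in WEB_ALLOWLIST:
            continue  # expected web client; suppress (tune locally)
        evs.sort(key=lambda e: e["ts"])
        first = next((e for e in evs if _proxy_discovery(e)), None)
        if first is None:
            continue
        t0 = datetime.fromisoformat(first["ts"])
        later = [e for e in evs if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        egress = [e for e in later if _web_egress(e)]
        if not egress:
            continue  # discovery alone is too noisy to alert on
        staged = [e for e in later if _staging(e)]
        stages = ["discovery"] + (["staging"] if staged else []) + ["egress"]
        alerts.append({"host": host, "pid": pid, "image": image,
                       "stages": stages, "dest": egress[0]["detail"],
                       "staged_bytes": sum(e["bytes"] for e in staged)})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The analytic deliberately does not fire on discovery alone and does not try to inspect payload content, since RC4 and base64 remove that visibility; the signal is the sequence within one process. In production the allowlist would be replaced by signer or path conditions, and the staging threshold by a per-host baseline.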
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are enabled on systems with sensitive data or operational importance.
- Restrict unnecessary outbound web traffic and require proxy/DNS visibility where feasible.
- Apply least-privilege controls to limit data access and reduce the value of compromised endpoints.
- Maintain incident response procedures for suspected backdoors, including host isolation, memory/disk collection, credential review, and egress analysis.
- Validate data staging and exfiltration controls through tabletop or detection testing rather than relying on malware-name matching.
Analyst notes and limits
The strongest defensive value comes from mapping QUIETCANARY to observable behaviors across discovery, collection, stealth, and command-and-control. The supplied ATT&CK object identifies it as a Windows .NET backdoor used since at least 2022 to gather and exfiltrate data, and relates it to campaign C0026 and several techniques. No official ATT&CK detection text is provided, so defensive recommendations should be validated against local telemetry.
This take uses only the supplied ATT&CK fields, external references, and relationships. It does not assert active exploitation, victim exposure, attribution, guaranteed detection, or platforms beyond the supplied Windows platform for the malware object. Technique details are relationship-driven and require local evidence to confirm relevance.
QUIETCANARY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | QUIETCANARY can RC4 encrypt C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | QUIETCANARY can identify the default proxy setting on a compromised host.[1] |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | QUIETCANARY can execute processes in a hidden window.[1] |
| Enterprise | T1074 | Data Staged | QUIETCANARY has the ability to stage data prior to exfiltration.[1] |
| Enterprise | T1106 | Native API | QUIETCANARY can call `System.Net.HttpWebRequest` to identify the default proxy configured on the victim computer.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | QUIETCANARY can use HTTPS for C2 communications.[1] |
| Enterprise | T1012 | Query Registry | QUIETCANARY has the ability to retrieve information from the Registry.[1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | QUIETCANARY can base64 encode C2 communications.[1] |
Groups, software, and campaigns
C0026
C0026 was a campaign identified in September 2022 that included the selective distribution of KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA malware victims in Ukraine through re-registered ANDROMEDA C2 domains. Several tools and tactics used during C0026 were consistent with historic Turla operations.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b080d2a73ed9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant Suspected Turla Campaign February 2023: Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
- [2] Tunnus (Citation: Mandiant Suspected Turla Campaign February 2023)
- [3] mitre-attack S1076
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.