S1084: QUIETEXIT
QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.[1]
Analyst context for executives and security teams
QUIETEXIT matters because it targets the kind of network appliances that often sit outside normal endpoint security coverage. MITRE describes it as a Dropbear SSH-based backdoor used by APT29 and deployed on opaque appliances that typically lack antivirus or EDR. For leaders, the key issue is not just malware removal; it is whether critical network devices are inventoried, monitored, and recoverable enough to support confident incident decisions.
Executive priority
Prioritize this as a resilience and visibility gap for network infrastructure. Ask whether security teams can identify unmanaged or weakly monitored appliances, prove what outbound communications they make, and preserve evidence during an incident. This object also supports budget discussions around network-device logging, egress control, configuration baselines, replacement of unsupported appliances, and audit evidence for privileged infrastructure oversight.
Technical view
ATT&CK provides no dedicated detection text for QUIETEXIT, so SOC and IR teams should validate coverage through its supported platform and relationships: Network Devices, command-and-control behaviors using application-layer protocols, non-application-layer protocols, fallback channels, external proxying, and stealth through legitimate-looking names or locations. Detection engineering should focus on abnormal SSH-like services or Dropbear-related artifacts where device access allows, unexpected listening services, unusual outbound sessions from appliances, proxy-like traffic patterns, and changes to appliance file/configuration locations that resemble legitimate resources.
Likely telemetry
- Network appliance inventory, model, firmware, and configuration backups
- Firewall, proxy, NetFlow/IPFIX, DNS, and egress connection metadata for network devices
- Device management-plane logs, authentication logs, and administrative command/configuration logs where available
- Evidence of listening services, SSH/Dropbear-related binaries or processes, and unexpected local file locations on appliances where collection is supported
- Network IDS/NDR observations for application-layer and non-application-layer command-and-control patterns
Detection direction
- Confirm whether network devices are included in monitoring scope; many appliances may not support AV or EDR, which is a central blind spot for this malware family.
- Baseline normal outbound destinations, protocols, ports, and session timing for appliances, then tune alerts for unusual external proxy behavior, fallback communications, or unexpected application/non-application protocol use.
- Correlate appliance-originated traffic with configuration and management-plane changes to reduce false positives from legitimate maintenance, firmware updates, or vendor support activity.
- Review device file paths, service names, and configuration locations for resources that match or approximate legitimate names, consistent with the related masquerading technique.
- Because MITRE provides no official detection guidance, validate detections against local device capabilities rather than assuming endpoint-style coverage exists.
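As an added, defender-side example (not part of the MITRE object or of the mirrored page; the record fields, thresholds and sample flows are constructed assumptions), the following Python script sketches the baseline-then-alert approach described above. It learns each appliance's normal (destination, port, protocol) set from a learning window of connection metadata, then flags new destinations, the fail-then-succeed pattern that a second hard-coded C2 (T1008) would produce, and long-lived appliance-initiated TCP sessions consistent with an inverse SSH or SOCKS proxy channel (T1071, T1090.002).

```python
"""Flag unusual appliance egress against a learned baseline.

Added example for this page; not MITRE's or any vendor's tooling.
Flow records are constructed NetFlow/IPFIX-style tuples; field names
and the 60 s / 1 h thresholds are assumptions to tune locally.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime        # flow start time
    src: str            # appliance egress IP
    dst: str            # remote address
    dport: int          # remote port
    proto: str          # "tcp" or "udp"
    bytes_out: int      # bytes sent by the appliance
    duration_s: int     # session length in seconds
    completed: bool     # TCP handshake completed (False = failed/reset)


def build_baseline(flows):
    """Per appliance, the set of (dst, dport, proto) seen in the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport, f.proto))
    return baseline


def new_destinations(flows, baseline):
    """Flows whose (dst, dport, proto) tuple was never seen for that appliance."""
    return [f for f in flows
            if (f.dst, f.dport, f.proto) not in baseline.get(f.src, set())]


def fallback_candidates(flows, window=timedelta(seconds=60)):
    """Failed outbound attempt followed, within `window`, by a completed session
    from the same appliance to a *different* destination (T1008-style fallback)."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    hits = []
    for seq in by_src.values():
        for i, f in enumerate(seq):
            if f.completed:
                continue
            for g in seq[i + 1:]:
                if g.ts - f.ts > window:
                    break
                if g.completed and g.dst != f.dst:
                    hits.append((f, g))   # (failed attempt, successful fallback)
                    break
    return hits


def long_lived_sessions(flows, min_duration_s=3600):
    """Appliance-initiated TCP sessions held open for a long time, consistent
    with an inverse SSH channel or SOCKS proxying over one connection."""
    return [f for f in flows
            if f.proto == "tcp" and f.completed and f.duration_s >= min_duration_s]


def triage(learning_flows, recent_flows):
    """Run all three checks on recent flows against a baseline from the learning window."""
    baseline = build_baseline(learning_flows)
    return {
        "new_destination": new_destinations(recent_flows, baseline),
        "fallback_pattern": fallback_candidates(recent_flows),
        "long_lived_session": long_lived_sessions(recent_flows),
    }


# Constructed learning-window flows: routine syslog, NTP and vendor-update traffic.
T0 = datetime(2024, 1, 1, 3, 0, 0)
LEARNING = [
    Flow(T0, "10.0.5.2", "10.0.1.10", 514, "udp", 2_000, 1, True),
    Flow(T0 + timedelta(minutes=5), "10.0.5.2", "10.0.1.20", 123, "udp", 96, 1, True),
    Flow(T0 + timedelta(hours=1), "10.0.5.2", "203.0.113.10", 443, "tcp", 40_000, 12, True),
]

# Constructed recent flows: baseline traffic, then a failed attempt to one external
# host followed 20 s later by a two-hour session to a second external host.
T1 = T0 + timedelta(days=1)
RECENT = [
    Flow(T1, "10.0.5.2", "10.0.1.10", 514, "udp", 2_100, 1, True),
    Flow(T1 + timedelta(hours=1), "10.0.5.2", "203.0.113.10", 443, "tcp", 41_000, 10, True),
    Flow(T1 + timedelta(hours=2), "10.0.5.2", "198.51.100.7", 443, "tcp", 0, 0, False),
    Flow(T1 + timedelta(hours=2, seconds=20), "10.0.5.2", "198.51.100.9", 8443, "tcp",
         5_000_000, 7200, True),
]

if __name__ == "__main__":
    for name, hits in triage(LEARNING, RECENT).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Hits from a script like this are leads, not verdicts: the third bullet above applies, so each flagged session should be joined against change tickets, firmware-update windows and vendor-support sessions for that appliance before it is escalated, and the learning window must be long enough to cover periodic maintenance traffic or the new-destination check will be noisy.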
Mitigation priorities
- Start with complete inventory and ownership of network appliances, especially opaque devices that lack endpoint security tooling.
- Restrict and monitor egress from appliances; allow only required destinations and protocols where operationally feasible.
- Harden management access with least privilege, strong authentication, segmentation, and controlled administrative paths.
- Maintain firmware/configuration baselines and backup known-good configurations to support rapid comparison and recovery.
- Plan incident response procedures for appliances, including evidence preservation, replacement/reimage criteria, and coordination with vendors when host-level visibility is limited.
Analyst notes and limits
The relationship context links QUIETEXIT to APT29 and to command-and-control and stealth techniques, but the object itself has no ATT&CK tactics listed and no official detection section. Treat this as a visibility and infrastructure-control problem centered on network devices rather than a conventional endpoint malware use case.
This take uses only the supplied ATT&CK fields and relationships. It does not establish current activity, customer exposure, specific indicators, or guaranteed detection logic. Local appliance models, logging capabilities, traffic baselines, and configuration evidence are required to assess real coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090.002 | External Proxy | QUIETEXIT can proxy traffic via SOCKS.[1] |
| Enterprise | T1008 | Fallback Channels | QUIETEXIT can attempt to connect to a second hard-coded C2 if the first hard-coded C2 address fails.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | QUIETEXIT can establish a TCP connection as part of its initial connection to the C2.[1] |
| Enterprise | T1071 | Application Layer Protocol | QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | fadf326cdbfa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant APT29 Eye Spy Email Nov 22: Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
[2] mitre-attack S1084: MITRE ATT&CK source object for S1084.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.