S1149: CHIMNEYSWEEP
CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.[1]
Analyst context for executives and security teams
CHIMNEYSWEEP is a Windows backdoor malware entry in ATT&CK. The business significance is that a backdoor represents persistent unauthorized access rather than a one-time alert: if present, incident leaders should assume potential follow-on activity, credential exposure, and broader compromise until endpoint, identity, and network evidence proves otherwise. The ATT&CK record is sparse, so defensive value comes from validating whether Windows endpoint and network monitoring can surface generic backdoor behavior even without a supplied detection analytic.
Executive priority
Prioritize CHIMNEYSWEEP as an incident readiness and control-validation scenario, not as proof of current exposure. Leaders should ask whether Windows endpoint visibility, SOC triage, malware containment, credential reset procedures, and ransomware-adjacent response playbooks are ready, especially because MITRE notes it was deployed during HomeLand Justice alongside ROADSWEEP ransomware. This supports decisions about EDR coverage, log retention, IR runbooks, and evidence needed for audit or resilience reviews.
Technical view
ATT&CK provides Windows as the supported platform but does not specify tactics, techniques, relationships, aliases, or detection guidance. SOC and IR teams should therefore validate generic Windows backdoor detection coverage: suspicious process execution, persistence indicators, unusual parent-child process chains, unexpected outbound connections, command-and-control-like beaconing, file writes in user or system paths, and security control tampering where locally observed. Because no official detection is supplied, detections should be tested against internal baselines and malware-analysis-derived indicators from approved intelligence sources before being operationalized.
Likely telemetry
- Windows endpoint detection and response events
- Windows process creation and command-line logs
- File creation, modification, and quarantine events
- Network connection metadata from Windows hosts
- DNS and proxy logs for outbound destination analysis
Detection direction
- Confirm that Windows hosts in scope are actually sending endpoint, process, file, authentication, DNS, proxy, and network telemetry to the SOC.
- Use behavior-based backdoor hunting where specific ATT&CK detection logic is absent: anomalous persistence, unusual outbound communications, suspicious child processes, and unexpected execution locations.
- Tune detections against normal administrative tools and software update behavior to reduce false positives.
- Review whether ransomware-adjacent escalation paths are covered, given the official description’s association with deployment alongside ROADSWEEP during HomeLand Justice.
- Do not rely on name-based detection alone; the ATT&CK object provides no aliases and no official detection content.
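The Technical view and the detection direction above call for behavior-based hunting where ATT&CK supplies no analytic. The block below is an added example, not code from this page, MITRE, or Mandiant: it runs three generic backdoor heuristics over constructed Sysmon-style events (an Office application spawning a script host, execution from a user-writable path with an allowlist for a known updater, and near-constant outbound connection intervals as a beaconing signal). The event layout, host names, paths, destination addresses, the allowlist entry and the thresholds are all assumptions made for the illustration.

```python
"""Behavior-based backdoor hunting over constructed Windows telemetry (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
EVENTS = [
    {"type": "process", "ts": "2024-01-05T09:00:00", "host": "WS01",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process", "ts": "2024-01-05T09:01:00", "host": "WS01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "ts": "2024-01-05T09:02:00", "host": "WS01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"type": "process", "ts": "2024-01-05T09:03:00", "host": "WS02",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Users\alice\AppData\Local\Vendor\updater.exe"},
]
# WS01 reaches one destination every 60 s (beacon-like); WS02's connections are irregular.
EVENTS += [{"type": "network", "ts": f"2024-01-05T10:{m:02d}:00", "host": "WS01",
            "dst": "203.0.113.10:443"} for m in range(8)]
EVENTS += [{"type": "network", "ts": f"2024-01-05T10:{m:02d}:{s:02d}", "host": "WS02",
            "dst": "198.51.100.7:443"}
           for m, s in [(0, 0), (0, 5), (3, 40), (4, 1), (9, 30), (12, 2), (12, 9), (20, 0)]]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads)\\", re.IGNORECASE)
# Tuning knob for known administrative and update tooling (constructed entry).
ALLOWLIST = (re.compile(r"\\AppData\\Local\\Vendor\\updater\.exe$", re.IGNORECASE),)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_parent_child(events):
    """Office application spawning a script or command host."""
    return [("office_spawns_script_host", e["host"], e["image"]) for e in events
            if e["type"] == "process"
            and basename(e["parent"]) in OFFICE_APPS
            and basename(e["image"]) in SCRIPT_HOSTS]


def user_path_execution(events, allowlist=()):
    """Executables launched from user-writable locations, minus allowlisted tools."""
    return [("execution_from_user_writable_path", e["host"], e["image"]) for e in events
            if e["type"] == "process"
            and USER_WRITABLE.search(e["image"])
            and not any(p.search(e["image"]) for p in allowlist)]


def beacon_candidates(events, min_events=6, max_cv=0.2):
    """(host, destination) pairs whose connection intervals are nearly constant."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            by_pair[(e["host"], e["dst"])].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        # Coefficient of variation: 0 means perfectly regular; jittered beacons stay low.
        if pstdev(gaps) / avg <= max_cv:
            findings.append(("periodic_outbound_connection", host, dst))
    return findings


def hunt(events, allowlist=()):
    return (suspicious_parent_child(events)
            + user_path_execution(events, allowlist)
            + beacon_candidates(events))


if __name__ == "__main__":
    for finding in hunt(EVENTS, ALLOWLIST):
        print(finding)
```

Running `hunt(EVENTS, ALLOWLIST)` yields three findings, all on WS01; dropping the allowlist adds the vendor updater on WS02, which is the false-positive class the tuning bullet above is about. The `max_cv` and `min_events` values are placeholders and should be set from a baseline of the environment's own software-update and monitoring traffic before the rule is operationalized.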
Mitigation priorities
- Maintain broad Windows endpoint protection and centralized logging coverage before focusing on malware-specific content.
- Validate containment procedures for suspected backdoor activity, including host isolation, evidence preservation, credential risk review, and outbound network blocking decisions.
- Ensure incident response playbooks account for possible follow-on activity and ransomware-adjacent risk where a backdoor is found.
- Review least privilege, administrative account monitoring, and access reset procedures for systems implicated in suspected backdoor activity.
- Use approved threat intelligence and malware analysis sources to enrich indicators, since the supplied ATT&CK fields do not provide IOCs or detection analytics.
Analyst notes and limits
The useful operational takeaway is readiness: CHIMNEYSWEEP is documented as a Windows backdoor, and MITRE states it was deployed during HomeLand Justice alongside ROADSWEEP ransomware and has targeted Farsi and Arabic speakers since at least 2012. However, the supplied ATT&CK object does not include tactics, techniques, external references, relationships, or detection text, so local telemetry and vetted intelligence are required to build specific detections.
This take is constrained to the supplied ATT&CK fields. No active exploitation, attribution, victim exposure, specific commands, IOCs, or guaranteed detection coverage can be inferred. Relationship context was not supplied, despite entities mentioned in the official description.
CHIMNEYSWEEP
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1074.001 | Local Data Staging Sub-technique | CHIMNEYSWEEP can store captured screenshots to disk including to a covert store named `APPX.%x%x%x%x%x.tmp` where `%x` is a random value. [1] |
| Enterprise | T1480 | Execution Guardrails | CHIMNEYSWEEP can execute a task which leads to execution if it finds a process name containing “creensaver.” [1] |
| Enterprise | T1218.003 | CMSTP Sub-technique | CHIMNEYSWEEP can use CMSTP.exe to install a malicious Microsoft Connection Manager Profile. [1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | CHIMNEYSWEEP has executed a script named cln.vbs on compromised hosts. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | CHIMNEYSWEEP can use a custom Base64 alphabet to encode an API decryption key. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | CHIMNEYSWEEP can download additional files from C2. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | CHIMNEYSWEEP can monitor for removable drives. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | CHIMNEYSWEEP can send `HTTP GET` requests to C2. [1] |
| Enterprise | T1106 | Native API | CHIMNEYSWEEP can use Windows APIs including `LoadLibrary` and `GetProcAddress`. [1] |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | CHIMNEYSWEEP can extract RC4 encrypted embedded payloads for privilege escalation. [1] |
| Enterprise | T1027.001 | Binary Padding Sub-technique | The CHIMNEYSWEEP installer has been padded with null bytes to inflate its size. [1] |
| Enterprise | T1083 | File and Directory Discovery | CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list. [1] |
| Enterprise | T1115 | Clipboard Data | CHIMNEYSWEEP can capture content from the clipboard. [1] |
| Enterprise | T1005 | Data from Local System | CHIMNEYSWEEP can collect files from compromised hosts. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | CHIMNEYSWEEP can use the Windows `SilentCleanup` scheduled task to enable payload execution. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | CHIMNEYSWEEP can upload collected files to the command-and-control server. [1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | CHIMNEYSWEEP can invoke the PowerShell command `[Reflection.Assembly]::LoadFile(\"%s\")\n$i=\"\"\n$r=[%s]::%s(\"%s\",[ref] $i)\necho $r,$i\n` to execute secondary payloads. [1] |
| Enterprise | T1132.002 | Non-Standard Encoding Sub-technique | CHIMNEYSWEEP can use a custom Base64 alphabet for encoding C2. [1] |
| Enterprise | T1033 | System Owner/User Discovery | CHIMNEYSWEEP has included the victim's computer name and username in C2 messages sent to actor-owned infrastructure. [1] |
| Enterprise | T1057 | Process Discovery | CHIMNEYSWEEP can check if a process name contains “creensaver.” [1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | CHIMNEYSWEEP has the ability to support keylogging. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | CHIMNEYSWEEP is capable of checking whether a compromised device is running DeepFreeze by Faronics. [1] |
| Enterprise | T1529 | System Shutdown/Reboot | CHIMNEYSWEEP can reboot or shutdown the targeted system or logoff the current user. [1] |
| Enterprise | T1027.007 | Dynamic API Resolution Sub-technique | CHIMNEYSWEEP can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time. [1] |
| Enterprise | T1102 | Web Service | CHIMNEYSWEEP has the ability to use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell. [1] |
| Enterprise | T1113 | Screen Capture | CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk. [1] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | CHIMNEYSWEEP can make use of the Windows `SilentCleanup` scheduled task to execute its payload with elevated privileges. [1] |
| Enterprise | T1070.006 | Timestomp Sub-technique | CHIMNEYSWEEP can time stomp its executable, previously dating it between 2010 to 2021. [1] |
| Enterprise | T1112 | Modify Registry | CHIMNEYSWEEP can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\Windows` to enable payload execution. [1] |
| Enterprise | T1553.002 | Code Signing Sub-technique | CHIMNEYSWEEP has been dropped by a self-extracting archive signed with a valid digital certificate. [1] |
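Several rows in the table describe artifacts a defender can check for directly: the per-user Environment `windir` write paired with the `SilentCleanup` task (T1112, T1548.002, T1053.005), the `APPX.<hex>.tmp` screenshot store (T1074.001), the custom Base64 alphabet (T1027, T1132.002), and the null-byte padding of the installer (T1027.001). The block below is an added example written for this page; it is not the malware's code, Mandiant's tooling, or part of the ATT&CK object. The event layout, the `HKCU\Environment` key path, the sample values, the 15-minute correlation window, the reversed "custom" alphabet, and the assumption that `%x` expands to hexadecimal digits are all constructed for illustration.

```python
"""Checks for table behaviours over constructed telemetry and byte strings (added example)."""
import base64
import re
from datetime import datetime

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed placeholder alphabet; the real alphabet from the report is not on this page.
CUSTOM_B64 = STD_B64[::-1]


def decode_custom_base64(text: str, alphabet: str) -> bytes:
    """T1027 / T1132.002: map a custom alphabet back onto the standard one, then decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_B64)))


def encode_custom_base64(data: bytes, alphabet: str) -> str:
    """Inverse of decode_custom_base64, used to build test vectors."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_B64, alphabet))


def trailing_null_ratio(blob: bytes) -> float:
    """T1027.001: fraction of a file made up of trailing null bytes (size inflation)."""
    if not blob:
        return 0.0
    return (len(blob) - len(blob.rstrip(b"\x00"))) / len(blob)


# T1074.001: covert store APPX.%x%x%x%x%x.tmp; assumes each %x expands to hex digits.
STAGING_NAME = re.compile(r"(^|\\)APPX\.[0-9a-fA-F]+\.tmp$")


def is_staging_file(path: str) -> bool:
    return bool(STAGING_NAME.search(path))


def silentcleanup_env_hijack(events, window=900):
    """T1112 + T1548.002: a write to an Environment key's 'windir' value followed,
    on the same host within `window` seconds, by a run of the SilentCleanup task."""
    writes = [e for e in events if e["type"] == "registry"
              and e["key"].lower().endswith(r"\environment")
              and e["value"].lower() == "windir"]
    runs = [e for e in events if e["type"] == "process"
            and "silentcleanup" in e["cmd"].lower()]
    alerts = []
    for w in writes:
        t_write = datetime.fromisoformat(w["ts"])
        for r in runs:
            delta = (datetime.fromisoformat(r["ts"]) - t_write).total_seconds()
            if w["host"] == r["host"] and 0 <= delta <= window:
                alerts.append({"host": w["host"], "windir": w["data"],
                               "task_cmd": r["cmd"], "delta_s": delta})
    return alerts


# Constructed sample events (not real telemetry). WS02 runs the task with no prior write.
SAMPLE_EVENTS = [
    {"type": "registry", "ts": "2024-01-05T11:00:00", "host": "WS01",
     "key": r"HKCU\Environment", "value": "windir", "data": r"c:\Windows"},
    {"type": "process", "ts": "2024-01-05T11:00:20", "host": "WS01",
     "cmd": r'schtasks.exe /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup"'},
    {"type": "process", "ts": "2024-01-05T11:05:00", "host": "WS02",
     "cmd": r'schtasks.exe /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup"'},
]

if __name__ == "__main__":
    print(silentcleanup_env_hijack(SAMPLE_EVENTS))
    print(decode_custom_base64("l5b=", CUSTOM_B64))
    print(trailing_null_ratio(b"MZ" + b"\x90" * 98 + b"\x00" * 900))
    print(is_staging_file(r"C:\Users\bob\AppData\Local\Temp\APPX.1a2b3c4d5e.tmp"))
```

The registry check deliberately keys on the value name rather than its data, because the value written is what the task later expands; the standalone SilentCleanup run on WS02 is not alerted, which is the false-positive path on hosts where Disk Cleanup runs on schedule. A padding ratio above roughly one half on a large sample is a triage hint, not a verdict, and the staging-name pattern should be paired with the parent process that wrote the file.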
Groups, software, and campaigns
C0038: HomeLand Justice
HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE who probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 1120bf286eda… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant ROADSWEEP August 2022: Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
[2] mitre-attack S1149
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.