S1150: ROADSWEEP
ROADSWEEP is a ransomware that was deployed against Albanian government networks during HomeLand Justice along with the CHIMNEYSWEEP backdoor.[1]
Analyst context for executives and security teams
ROADSWEEP matters because ATT&CK describes it as Windows ransomware used in a disruptive campaign against Albanian government networks. The practical risk is not just file encryption: the supplied relationships show behaviors around discovery, command-shell execution, persistence, service stopping, recovery inhibition, and internal defacement. For leaders, this is a continuity and recovery-readiness problem as much as a malware problem.
Executive priority
Prioritize validation of ransomware resilience on Windows environments: protected recovery paths, visibility into endpoint and service changes, and evidence that SOC and IR teams can identify pre-impact behaviors before encryption or defacement occurs. Because ATT&CK provides no official detection guidance for ROADSWEEP, executives should ask whether coverage is mapped to the related techniques rather than to a single malware name or indicator set.
Technical view
Treat ROADSWEEP coverage as a Windows ransomware behavior-validation exercise. Confirm monitoring for Windows command shell execution, file and directory discovery, local storage and peripheral discovery, registry Run Key or Startup Folder persistence, file deletion, deobfuscation or encoded artifacts, service stop activity, recovery inhibition, data encryption for impact, code-signing metadata, inter-process communication abuse, execution guardrail-like checks, and internal defacement indicators. Relationship context to HomeLand Justice should be used for campaign scoping, but detection should remain behavior-based because the official object does not provide detections or aliases.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and child-process context
- File system telemetry for bulk file access, deletion, renaming, encryption-like modification, and suspicious writes
- Windows registry monitoring for Run Keys and Startup Folder persistence locations
- Service control events showing service stop or disable activity
- Recovery-related events and command activity associated with disabling or deleting recovery options, including shadow-copy or backup-related changes where collected
Detection direction
- Build detections from the related ATT&CK techniques rather than relying on ROADSWEEP-specific signatures, because official detection content is not supplied.
- Correlate sequences: discovery of files/storage, command-shell execution, persistence via Run Keys or Startup Folder, service stops, recovery inhibition, and rapid file modification or encryption-like behavior.
- Tune false positives for administrative scripts, software deployment tools, backup agents, and legitimate maintenance that may stop services or enumerate storage.
- Validate visibility for pre-impact actions, especially recovery inhibition and service stop events, since those can determine whether IR can contain before business interruption.
- Review code-signing trust logic: signed binaries should not be treated as automatically benign when other ransomware-like behaviors are present.
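The following is an added illustration, not part of the mirrored ATT&CK object or the Glexia analysis above: a small correlation routine that maps the telemetry listed under "Likely telemetry" onto the behaviour stages in the relationship table (command shell, service stop, recovery inhibition, Startup-folder persistence, burst of non-skipped file writes) and alerts only when several stages land on one host inside a short window. The stage labels, thresholds, the backup-agent allowlist and all event records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SKIP_EXT = (".exe", ".dll", ".sys", ".lnk", ".lck")   # extensions the page says ROADSWEEP does not encrypt
BENIGN_PARENTS = {"backupagent.exe"}                  # hypothetical allowlist: tune out backup/deployment tooling
WINDOW, BULK_MIN = timedelta(minutes=10), 3           # correlation window; writes needed to count as bulk (toy value)

def stage_of(ev):   # map one endpoint event to a behaviour stage from the relationship table (None if no match)
    if ev.get("parent", "").lower() in BENIGN_PARENTS:
        return None
    kind, path = ev["kind"], ev.get("path", "").lower()
    if kind == "process" and any(k in ev["cmdline"].lower() for k in ("shadow", "systemrestore")):
        return "recovery_inhibit"                      # T1490: SystemRestore / Volume Shadow Copy changes
    if kind == "process" and ev["image"].lower().endswith("cmd.exe"):
        return "shell"                                 # T1059.003
    if kind == "service" and ev["state"] == "stopped":
        return "service_stop"                          # T1489
    if kind == "file" and "\\startup\\" in path:
        return "persistence"                           # T1547.001 (Startup folder drop)
    if kind == "file" and ev["op"] == "write" and not path.endswith(SKIP_EXT):
        return "bulk_write"                            # T1486 impact writes, ransom notes (T1491.001)

def correlate(events, min_stages=3):   # {host: sorted stages} where >= min_stages distinct stages fall inside WINDOW
    per_host = defaultdict(list)
    for ev in events:
        if stage := stage_of(ev):
            per_host[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, seq in per_host.items():
        for t0, _ in seq:                                # slide the window over every possible start event
            win = [s for ts, s in seq if t0 <= ts <= t0 + WINDOW]
            stages = {s for s in win if s != "bulk_write"}
            if win.count("bulk_write") >= BULK_MIN:      # a single write is noise; a burst is the impact signal
                stages.add("bulk_write")
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits

T = datetime(2022, 7, 15, 3, 0)   # constructed sample telemetry, not real campaign data
def E(host, m, **f): return {"host": host, "ts": T + timedelta(minutes=m), **f}
SAMPLE = [
    E("ws1", 0, kind="process", image="C:\\Windows\\System32\\cmd.exe", cmdline="cmd.exe /c echo", parent="sample.exe"),
    E("ws1", 1, kind="service", state="stopped", name="SQLWriter"),
    E("ws1", 2, kind="process", image="sample.exe", cmdline="constructed: disable SystemRestore", parent="cmd.exe"),
    E("ws1", 3, kind="file", op="write", path="C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\s.lnk"),
    *[E("ws1", 4, kind="file", op="write", path=f"D:\\share\\doc{i}.docx") for i in range(2)],
    E("ws1", 4, kind="file", op="write", path="D:\\share\\ReadMe.txt"),       # third write: bulk threshold reached
    E("ws2", 0, kind="service", state="stopped", name="VSS", parent="backupagent.exe"),   # allowlisted parent
]
```

`correlate(SAMPLE)` flags only `ws1`; the allowlisted backup-agent service stop on `ws2` never becomes a stage, and writes to the skipped extensions never count toward the burst.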
Mitigation priorities
- Start with recoverability: maintain protected, tested backups and recovery procedures that are resistant to endpoint-level deletion or tampering.
- Reduce blast radius on Windows systems through least privilege, administrative access control, and segmentation of critical services and file shares.
- Harden and monitor persistence locations such as registry Run Keys and Startup Folders.
- Restrict unnecessary command-shell and administrative utility use where operationally feasible, and require logging for allowed use.
- Protect critical services and recovery mechanisms from unauthorized stop, disable, or deletion actions.
Analyst notes and limits
The strongest decision value comes from the relationship set: ROADSWEEP is associated with impact-heavy ransomware behavior plus discovery, execution, persistence, stealth, and defense-impairment techniques. The HomeLand Justice relationship supplies campaign context, including disruptive activity against Albanian government networks, but local risk assessment still depends on Windows exposure, identity controls, backup architecture, endpoint visibility, and incident-response readiness.
ATT&CK provides no official detection text, no aliases, no labels, and no malware-specific indicators in the supplied fields. The object platform is Windows; related techniques may list broader platforms, but that does not prove ROADSWEEP execution on those platforms. This summary does not assert current activity, customer exposure, specific vulnerabilities, or guaranteed detection coverage.
ROADSWEEP
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion | ROADSWEEP can use embedded scripts to remove itself from the infected host. (Mandiant ROADSWEEP August 2022; Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1027.013 | Encrypted/Encoded File | The ROADSWEEP binary contains RC4-encrypted embedded scripts. (Mandiant ROADSWEEP August 2022; CISA Iran Albanian Attacks September 2022; Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1553.002 | Code Signing | ROADSWEEP has been digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC. (CISA Iran Albanian Attacks September 2022) |
| Enterprise | T1559 | Inter-Process Communication | ROADSWEEP can pipe command output to a targeted process. (Mandiant ROADSWEEP August 2022) |
| Enterprise | T1486 | Data Encrypted for Impact | ROADSWEEP can RC4-encrypt content in blocks on targeted systems. (Mandiant ROADSWEEP August 2022; CISA Iran Albanian Attacks September 2022; Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1491.001 | Internal Defacement | ROADSWEEP has dropped ransom notes in targeted folders prior to encrypting the files. (Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ROADSWEEP can decrypt embedded scripts prior to execution. (Mandiant ROADSWEEP August 2022; CISA Iran Albanian Attacks September 2022) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | ROADSWEEP has been placed in the Startup folder to trigger execution upon user login. (Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1680 | Local Storage Discovery | ROADSWEEP can enumerate logical drives on targeted devices. (Mandiant ROADSWEEP August 2022; Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1120 | Peripheral Device Discovery | ROADSWEEP can identify removable drives attached to the victim's machine. (Mandiant ROADSWEEP August 2022) |
| Enterprise | T1489 | Service Stop | ROADSWEEP can disable critical services and processes. (Mandiant ROADSWEEP August 2022) |
| Enterprise | T1480 | Execution Guardrails | ROADSWEEP requires four command-line arguments to execute correctly; otherwise it produces a message box and halts execution. (Mandiant ROADSWEEP August 2022; CISA Iran Albanian Attacks September 2022; Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1083 | File and Directory Discovery | ROADSWEEP can enumerate files on infected devices and avoids encrypting files with .exe, .dll, .sys, .lnk, or .lck extensions. (Mandiant ROADSWEEP August 2022; CISA Iran Albanian Attacks September 2022; Microsoft Albanian Government Attacks September 2022) |
| Enterprise | T1490 | Inhibit System Recovery | ROADSWEEP has the ability to disable `SystemRestore` and Volume Shadow Copies. (Mandiant ROADSWEEP August 2022; CISA Iran Albanian Attacks September 2022) |
| Enterprise | T1059.003 | Windows Command Shell | ROADSWEEP can open cmd.exe to enable command execution. (Mandiant ROADSWEEP August 2022; Microsoft Albanian Government Attacks September 2022) |
Groups, software, and campaigns
C0038: HomeLand Justice
HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE who probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d130f0e0ddd1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant ROADSWEEP August 2022: Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
[2] mitre-attack S1150
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.