S1163: SnappyTCP
SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site. SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.[1]
Analyst context for executives and security teams
SnappyTCP matters because it represents a Linux/Unix-oriented web shell with reverse TCP command-and-control capability. In practical terms, this is the kind of software that can turn an exposed or compromised web server into a foothold for remote command execution and continued access. The ATT&CK relationship to Sea Turtle adds decision value for organizations with internet-facing Linux web infrastructure, DNS-related services, or service-provider dependencies, but the supplied data does not support assuming current exposure or active exploitation.
Executive priority
Prioritize this as a resilience and assurance issue for Linux web servers and externally reachable services. Leaders should ask whether teams can prove which web servers are exposed, whether file integrity and web application monitoring are in place, whether outbound network paths from those servers are restricted, and whether incident responders can rapidly investigate suspected web shell activity. For audit and risk discussions, the key evidence is not a SnappyTCP-specific signature; it is demonstrable coverage for web shell persistence, Unix shell execution, and command-and-control over web or non-application-layer network channels.
Technical view
ATT&CK lists SnappyTCP as Linux malware and describes it as a web shell with a simple reverse TCP shell for Linux and Unix environments. It is related to Web Shell persistence, Unix Shell execution, Web Protocols, Non-Application Layer Protocol command and control, and Asymmetric Cryptography. SOC and IR teams should validate visibility on Linux web server processes, web-accessible file changes, shell execution spawned by web server accounts, unusual outbound connections from web tiers, and encrypted or otherwise opaque C2-like sessions. Because MITRE provides no official detection text for this object, detection engineering should be behavior-led and mapped to the related techniques rather than relying only on named-malware indicators.
Likely telemetry
- Linux process execution logs, especially shell processes launched by web server or application service accounts
- Web server access and error logs for unusual requests, parameters, upload activity, or administrative paths
- File integrity or endpoint telemetry covering web roots, application directories, temporary directories, and script locations
- Network connection telemetry from Linux web servers, including outbound TCP sessions and unusual destinations or ports
- Proxy, firewall, DNS, and flow logs that show web server egress behavior
Detection direction
- Validate behavior-based detections for web server processes spawning Unix shells or command interpreters.
- Tune alerts for unexpected executable or script files written into web-accessible directories, while accounting for legitimate application deployments.
- Baseline outbound network behavior from Linux web servers and alert on new, rare, or policy-violating reverse TCP-style connections.
- Correlate web requests with near-time host activity, such as file creation followed by shell execution or outbound connections.
- Review monitoring gaps for encrypted C2-like traffic and non-application-layer protocols where content inspection is limited.
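As an added illustration of the correlation described in the detection direction above (example code, not from MITRE, Glexia or the PwC report), the following Python walks constructed auditd-style process and connection records and flags a shell spawned under a web service account that is followed by an outbound TCP connection from the same process. The account names, shell list, sample records and the 60-second window are assumptions for the example.

```python
from datetime import datetime, timedelta
from os.path import basename

WEB_ACCOUNTS = {"www-data", "apache", "nginx"}   # web service accounts (assumed names)
SHELLS = {"bash", "sh", "dash", "zsh"}            # Unix shell interpreters (T1059.004)
WINDOW = timedelta(seconds=60)                    # shell spawn -> outbound connect window (assumed)

# Constructed auditd-style telemetry: (timestamp, event, pid, user, detail).
# For "exec" the detail is the executable path; for "connect" it is the remote ip:port.
EVENTS = [
    ("2024-01-10T10:00:01", "exec", 4101, "www-data", "/usr/sbin/apache2"),
    ("2024-01-10T10:00:05", "exec", 4120, "www-data", "/bin/bash"),             # web account spawns a shell
    ("2024-01-10T10:00:07", "connect", 4120, "www-data", "203.0.113.10:4444"),  # same pid dials out
    ("2024-01-10T10:01:00", "exec", 4300, "deploy", "/bin/bash"),               # admin account, expected
    ("2024-01-10T10:01:02", "connect", 4300, "deploy", "10.0.0.5:22"),
    ("2024-01-10T10:03:00", "exec", 4500, "www-data", "/usr/bin/php"),          # not a shell interpreter
]

def _ts(s):
    return datetime.fromisoformat(s)

def web_shell_spawns(events):
    """Stage 1: shell interpreters executed under a web service account."""
    return [e for e in events
            if e[1] == "exec" and e[3] in WEB_ACCOUNTS and basename(e[4]) in SHELLS]

def correlate_reverse_shell(events):
    """Stage 2: a web-account shell followed within WINDOW by an outbound TCP
    connect from the same pid. Returns one alert dict per matching pair."""
    alerts = []
    for ts, _, pid, user, exe in web_shell_spawns(events):
        t0 = _ts(ts)
        for cts, kind, cpid, _, remote in events:
            if kind == "connect" and cpid == pid and t0 <= _ts(cts) <= t0 + WINDOW:
                alerts.append({"pid": pid, "user": user, "shell": exe,
                               "remote": remote, "seconds": (_ts(cts) - t0).seconds})
    return alerts

if __name__ == "__main__":
    for a in correlate_reverse_shell(EVENTS):
        print(f"ALERT pid={a['pid']} user={a['user']} {a['shell']} -> {a['remote']} after {a['seconds']}s")
```

Feed real records in the same five-field shape (for example from auditd SYSCALL/EXECVE and connect events) and extend WEB_ACCOUNTS to match the service accounts in your environment.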
Mitigation priorities
- Reduce internet-facing attack surface on Linux web and application servers and enforce strong change control for web content paths.
- Restrict outbound egress from web tiers to approved destinations and protocols so reverse shell behavior is harder to sustain.
- Apply least privilege to web server and application service accounts to limit shell execution and file write impact.
- Maintain file integrity monitoring and deployment allowlists for web roots and application directories.
- Ensure Linux server logging, EDR or auditd-style process telemetry, and network flow collection are retained long enough for incident response.
Analyst notes and limits
The most useful defensive framing is behavior-centered: SnappyTCP is a named example of a Linux/Unix web shell with reverse TCP C2, and its ATT&CK relationships point to the controls and telemetry that decide coverage. Organizations operating DNS, registrar, hosting, or other service-provider infrastructure may want to prioritize review because the related Sea Turtle group description includes service-provider and DNS-focused compromise activity; however, local relevance depends on actual assets and exposure.
MITRE does not provide official detection guidance, aliases, labels, or malware-specific indicators in the supplied fields. The malware object’s own tactics are not specified, so tactic-level guidance is inferred only from the supplied ATT&CK relationships to techniques. No claims are made about current exploitation, customer exposure, or guaranteed detectability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.004 | Unix Shell (sub-technique) | SnappyTCP creates the reverse shell using a pthread spawning a bash shell.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | SnappyTCP connects to the command and control server via a TCP socket using HTTP.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | SnappyTCP can use OpenSSL and TLS certificates to encrypt traffic.[1] |
| Enterprise | T1505.003 | Web Shell (sub-technique) | SnappyTCP is a reverse TCP shell with command and control capabilities used for persistence purposes.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | SnappyTCP spawns a reverse TCP shell following an HTTP-based negotiation.[1] |
Groups, software, and campaigns
G1041: Sea Turtle
Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b1abfe4ab91a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] PWC Sea Turtle 2023: PwC Threat Intelligence. (2023, December 5). The Tortoise and The Malware. Retrieved November 20, 2024. (Open source URL)
[2] mitre-attack S1163. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.