Skip to content

G0039 Suckfly

Suckfly is a China-based threat group that has been active since at least 2014. 1

Item Value
ID G0039
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Several tools used by Suckfly have been command-line driven.2
enterprise T1046 Network Service Discovery Suckfly the victim’s internal network for hosts with ports 8080, 5900, and 40 open.2
enterprise T1003 OS Credential Dumping Suckfly used a signed credential-dumping tool to obtain victim account credentials.2
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Suckfly has used stolen certificates to sign its malware.1
enterprise T1078 Valid Accounts Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner.2

Software

ID Name References Techniques
S0118 Nidiran 12 Windows Service:Create or Modify System Process Ingress Tool Transfer Masquerade Task or Service:Masquerading

References