Skip to content

S0686 QuietSieve

QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.1

Item Value
ID S0686
Associated Names
Version 1.0
Created 18 February 2022
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols QuietSieve can use HTTPS in C2 communications.1
enterprise T1005 Data from Local System QuietSieve can collect files from a compromised host.1
enterprise T1083 File and Directory Discovery QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window QuietSieve has the ability to execute payloads in a hidden window.1
enterprise T1105 Ingress Tool Transfer QuietSieve can download and execute payloads on a target host.1
enterprise T1135 Network Share Discovery QuietSieve can identify and search networked drives for specific file name extensions.1
enterprise T1120 Peripheral Device Discovery QuietSieve can identify and search removable drives for specific file name extensions.1
enterprise T1113 Screen Capture QuietSieve has taken screenshots every five minutes and saved them to the user’s local Application Data folder under Temp\SymbolSourceSymbols\icons or Temp\ModeAuto\icons.1
enterprise T1016 System Network Configuration Discovery -
enterprise T1016.001 Internet Connection Discovery QuietSieve can check C2 connectivity with a ping to (Google public DNS).1

Groups That Use This Software

ID Name References
G0047 Gamaredon Group 1