Skip to content


SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.1

Item Value
ID S1042
Associated Names
Version 1.0
Created 21 September 2022
Last Modified 04 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols A SUGARDUMP variant has used HTTP for C2.1
enterprise T1071.003 Mail Protocols A SUGARDUMP variant used SMTP for C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method SUGARDUMP has encrypted collected data using AES CBC mode and encoded it using Base64.1
enterprise T1217 Browser Information Discovery SUGARDUMP has collected browser bookmark and history information.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging SUGARDUMP has stored collected data under %<malware_execution_folder>%\\CrashLog.txt.1
enterprise T1041 Exfiltration Over C2 Channel SUGARDUMP has sent stolen credentials and other data to its C2 server.1
enterprise T1083 File and Directory Discovery SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string Profile in its name.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service SUGARDUMP‘s scheduled task has been named MicrosoftInternetExplorerCrashRepoeterTaskMachineUA or MicrosoftEdgeCrashRepoeterTaskMachineUA, depending on the Windows OS version.1
enterprise T1036.005 Match Legitimate Name or Location SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task SUGARDUMP has created scheduled tasks called MicrosoftInternetExplorerCrashRepoeterTaskMachineUA and MicrosoftEdgeCrashRepoeterTaskMachineUA, which were configured to execute CrashReporter.exe during user logon.1
enterprise T1518 Software Discovery SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution.1