Skip to content


SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. SUGARUSH was first identified during analysis of UNC3890’s C0010 campaign targeting Israeli companies, which began in late 2020.1

Item Value
ID S1049
Associated Names
Version 1.0
Created 04 October 2022
Last Modified 04 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell SUGARUSH has used cmd for execution on an infected host.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service SUGARUSH has created a service named Service1 for persistence.1
enterprise T1095 Non-Application Layer Protocol SUGARUSH has used TCP for C2.1
enterprise T1571 Non-Standard Port SUGARUSH has used port 4585 for a TCP connection to its C2.1
enterprise T1016 System Network Configuration Discovery -
enterprise T1016.001 Internet Connection Discovery SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.1