S1084 QUIETEXIT
QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don’t support antivirus or endpoint detection and response tools within a victim environment.[1]
| Item | Value |
|---|---|
| ID | S1084 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 August 2023 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.[1] |
| enterprise | T1008 | Fallback Channels | QUIETEXIT can attempt to connect to a second hard-coded C2 if the first hard-coded C2 address fails.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | QUIETEXIT has attempted to change its name to cron upon startup. During incident response, QUIETEXIT samples have been identified that were renamed to blend in with other legitimate files.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | QUIETEXIT can establish a TCP connection as part of its initial connection to the C2.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.002 | External Proxy | QUIETEXIT can proxy traffic via SOCKS.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] |