Group description: Suckfly
Suckfly, Group G0039 | MITRE ATT&CK®
Suckfly
Suckfly is a China-based threat group that has been active since at least 2014. [1]
ID: G0039
Version: 1.1
Created: 31 May 2017
Last Modified: 16 April 2025
Techniques Used

Domain | ID | Name | Use
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Several tools used by Suckfly have been command-line driven. [2]
Enterprise | T1046 | Network Service Discovery | Suckfly scanned the victim's internal network for hosts with ports 8080, 5900, and 40 open. [2]
Enterprise | T1003 | OS Credential Dumping | Suckfly used a signed credential-dumping tool to obtain victim account credentials. [2]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Suckfly has used stolen certificates to sign its malware. [1]
Enterprise | T1078 | Valid Accounts | Suckfly used legitimate account credentials that they had dumped to navigate the victim's internal network as though they were the legitimate account owner. [2]
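The T1046 row above is the most concrete observable on this page: a compromised internal host sweeping other internal hosts for ports 8080, 5900 and 40. The following detection logic is an added example for this page, not code from MITRE ATT&CK or from the cited Symantec reports. It parses constructed flow records (timestamps, addresses and the record layout are made up for the example), groups connection attempts by source, and flags any internal source that touches an assumed threshold of distinct internal hosts on those ports inside a sliding time window. The internal address ranges, window length and host threshold are assumptions a deployment would tune.

```python
"""Flag internal hosts sweeping the ports Suckfly probed (ATT&CK T1046).

Added detection example; not code from MITRE or the cited Symantec reports.
The flow-record format, addresses and timestamps are constructed, and the
internal ranges, window and threshold are assumptions to tune per network.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Ports the reporting says Suckfly looked for on the victim's internal network.
SUCKFLY_PORTS = {8080, 5900, 40}

# Assumed internal address space of the monitored network (RFC 1918 here).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst port>".
SAMPLE_FLOWS = """
# one source sweeping seven hosts on the three ports within a few seconds
2016-03-01T10:00:00 10.1.2.50 10.1.3.10 8080
2016-03-01T10:00:00 10.1.2.50 10.1.3.11 8080
2016-03-01T10:00:01 10.1.2.50 10.1.3.12 8080
2016-03-01T10:00:01 10.1.2.50 10.1.3.13 5900
2016-03-01T10:00:02 10.1.2.50 10.1.3.14 5900
2016-03-01T10:00:02 10.1.2.50 10.1.3.15 40
2016-03-01T10:00:03 10.1.2.50 10.1.3.16 40
2016-03-01T10:00:03 10.1.2.50 10.1.3.10 5900
# benign: repeated connections to a single service on one host
2016-03-01T10:01:00 10.1.2.60 10.1.3.10 8080
2016-03-01T10:01:05 10.1.2.60 10.1.3.10 8080
2016-03-01T10:01:10 10.1.2.60 10.1.3.10 8080
2016-03-01T10:01:15 10.1.2.60 10.1.3.10 8080
2016-03-01T10:01:20 10.1.2.60 10.1.3.10 8080
# benign for this rule: many hosts, but on a port outside the watched set
2016-03-01T10:02:00 10.1.2.70 10.1.3.10 443
2016-03-01T10:02:00 10.1.2.70 10.1.3.11 443
2016-03-01T10:02:01 10.1.2.70 10.1.3.12 443
2016-03-01T10:02:01 10.1.2.70 10.1.3.13 443
2016-03-01T10:02:02 10.1.2.70 10.1.3.14 443
# slow sweep: five hosts on 5900, one per hour (only caught with a wide window)
2016-03-01T10:00:00 10.1.2.80 10.1.3.20 5900
2016-03-01T11:00:00 10.1.2.80 10.1.3.21 5900
2016-03-01T12:00:00 10.1.2.80 10.1.3.22 5900
2016-03-01T13:00:00 10.1.2.80 10.1.3.23 5900
2016-03-01T14:00:00 10.1.2.80 10.1.3.24 5900
# external source: out of scope for an internal-discovery rule
2016-03-01T10:05:00 203.0.113.5 10.1.3.10 8080
2016-03-01T10:05:00 203.0.113.5 10.1.3.11 8080
2016-03-01T10:05:01 203.0.113.5 10.1.3.12 8080
2016-03-01T10:05:01 203.0.113.5 10.1.3.13 8080
2016-03-01T10:05:02 203.0.113.5 10.1.3.14 8080
2016-03-01T10:05:02 203.0.113.5 10.1.3.15 8080
"""


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse records into (timestamp, src, dst, dport) tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src),
                      ip_address(dst), int(dport)))
    flows.sort(key=lambda f: f[0])
    return flows


def find_scanners(flows, window_seconds=300, min_hosts=5, ports=SUCKFLY_PORTS):
    """Return {source: [targets]} for internal sources that reached at least
    min_hosts distinct internal hosts on `ports` inside any window_seconds span.
    A sweep spread over hours is only caught if the window is widened to match."""
    per_source = defaultdict(list)
    for ts, src, dst, dport in flows:
        # Internal-to-internal only: the behaviour is discovery inside the
        # victim network, not inbound scanning from the Internet.
        if dport in ports and is_internal(src) and is_internal(dst):
            per_source[src].append((ts, dst))

    hits = {}
    for src, events in per_source.items():  # events are time-ordered per source
        best, start = set(), 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_hosts:
            hits[str(src)] = sorted(str(d) for d in best)
    return hits


if __name__ == "__main__":
    for src, targets in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} probed {len(targets)} hosts on {sorted(SUCKFLY_PORTS)}: "
              f"{', '.join(targets)}")
```

Run as-is, the default five-minute window flags only 10.1.2.50; the hourly sweep by 10.1.2.80 is below the host threshold in every five-minute span and surfaces only when window_seconds is raised to a few hours, which is the trade-off to settle when turning this into a production rule: a wide window catches patient operators but raises the chance of counting legitimate administrative traffic.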
Software

ID | Name | References | Techniques
S0118 | Nidiran | [1] [2] | Create or Modify System Process: Windows Service, Ingress Tool Transfer, Masquerading: Masquerade Task or Service
References

[1] DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
[2] DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.