Home
Software
SUGARUSH

SUGARUSH

SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address.SUGARUSH was first identified during analysis of UNC3890'sC0010 campaign targeting Israeli companies, which began in late 2020.^[1]

ID: S1049

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 04 October 2022

Last Modified: 22 October 2025

Version Permalink

Live Version

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter:Windows Command Shell	SUGARUSH has used`cmd` for execution on an infected host.^[1]
Enterprise	T1543	.003	Create or Modify System Process:Windows Service	SUGARUSH has created a service named`Service1` for persistence.^[1]
Enterprise	T1680		Local Storage Discovery	MoonWind can obtain the number of drives on the victim machine.^[2]
Enterprise	T1095		Non-Application Layer Protocol	SUGARUSH has used TCP for C2.^[1]
Enterprise	T1571		Non-Standard Port	SUGARUSH has used port 4585 for a TCP connection to its C2.^[1]
Enterprise	T1016	.001	System Network Configuration Discovery:Internet Connection Discovery	SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.^[1]

Campaigns

ID	Name	Description
C0010	C0010	^[1]

References

Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.

Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

Movatterモバイル変換

SUGARUSH

Enterprise Layer

Techniques Used

Campaigns

References