Suckfly is a China-based threat group that has been active since at least 2014. [1]

ID: G0039
Version: 1.0

Techniques Used

Domain     | ID    | Name                      | Use
-----------|-------|---------------------------|------------------------------------------------------------------
Enterprise | T1116 | Code Signing              | Suckfly has used stolen certificates to sign its malware.[1]
Enterprise | T1059 | Command-Line Interface    | Several tools used by Suckfly have been command-line driven.[2]
Enterprise | T1003 | Credential Dumping        | Suckfly used a signed credential-dumping tool to obtain victim account credentials.[2]
Enterprise | T1046 | Network Service Scanning  | Suckfly scanned the victim's internal network for hosts with ports 8080, 5900, and 40 open.[2]
Enterprise | T1078 | Valid Accounts            | Suckfly used legitimate account credentials that it had dumped to move through the victim's internal network as though it were the legitimate account owner.[2]


Software

ID    | Name    | References | Techniques
------|---------|------------|------------------------------------------------------------------------------------------
S0118 | Nidiran | [1][2]     | Commonly Used Port, Masquerading, New Service, Remote File Copy, Standard Cryptographic Protocol