SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard-coded C2 address. SUGARUSH was first identified during analysis of UNC3890's C0010 campaign targeting Israeli companies, which began in late 2020.[1]

ID: S1049
Platforms: Windows
Version: 1.0
Created: 04 October 2022
Last Modified: 04 October 2022

Techniques Used

Domain / ID / Name / Use

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell
    SUGARUSH has used cmd for execution on an infected host.[1]

Enterprise T1543.003 Create or Modify System Process: Windows Service
    SUGARUSH has created a service named Service1 for persistence.[1]

Enterprise T1095 Non-Application Layer Protocol
    SUGARUSH has used TCP for C2.[1]

Enterprise T1571 Non-Standard Port
    SUGARUSH has used port 4585 for a TCP connection to its C2.[1]

Enterprise T1016.001 System Network Configuration Discovery: Internet Connection Discovery
    SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.[1]
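As an added example (not part of the ATT&CK page or its cited report), the following Python hunt checks constructed Windows event records for two of the behaviours listed above: installation of a service named Service1 (System log, Event ID 7045) and an outbound TCP connection to port 4585 (Sysmon Event ID 3). The record field names are simplified assumptions, and the sample events are constructed.

```python
# Added example, not from the ATT&CK page: hunt constructed Windows/Sysmon
# event records for SUGARUSH's Service1 service install and TCP/4585 C2 port.
from collections import defaultdict

SUGARUSH_SERVICE_NAME = "Service1"   # from the page (T1543.003)
SUGARUSH_C2_PORT = 4585              # from the page (T1571)

# Constructed sample records; field names are simplified assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7045, "ServiceName": "Service1",
     "ImagePath": r"C:\Users\Public\svc.exe"},
    {"host": "WS01", "event_id": 3, "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "203.0.113.7", "DestinationPort": "4585",
     "Image": r"C:\Users\Public\svc.exe"},
    {"host": "WS02", "event_id": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "WS02", "event_id": 3, "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "198.51.100.9", "DestinationPort": "443",
     "Image": r"C:\Program Files\Browser\browser.exe"},
]

def service_install_hits(events):
    """Event ID 7045 records whose ServiceName matches the SUGARUSH service."""
    return [e for e in events
            if e["event_id"] == 7045
            and e.get("ServiceName") == SUGARUSH_SERVICE_NAME]

def c2_port_hits(events):
    """Sysmon Event ID 3 records: outbound TCP to the SUGARUSH C2 port."""
    return [e for e in events
            if e["event_id"] == 3 and e.get("Protocol") == "tcp"
            and e.get("Initiated") == "true"
            and int(e.get("DestinationPort", 0)) == SUGARUSH_C2_PORT]

def hunt(events):
    """Per-host counts of both behaviours. A host showing both is scored
    'high'; either one alone is 'medium', since a service called Service1
    or traffic to port 4585 can also occur for benign reasons."""
    per_host = defaultdict(lambda: {"service": 0, "c2": 0})
    for e in service_install_hits(events):
        per_host[e["host"]]["service"] += 1
    for e in c2_port_hits(events):
        per_host[e["host"]]["c2"] += 1
    for h in per_host.values():
        h["score"] = "high" if h["service"] and h["c2"] else "medium"
    return dict(per_host)

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(host, finding)
```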


Campaigns

ID / Name / Description
C0010 C0010