QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[1]

ID: S1076
Associated Software: Tunnus
Platforms: Windows
Contributors: Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 19 May 2023
Last Modified: 25 July 2023

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

QUIETCANARY can use HTTPS for C2 communications.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

QUIETCANARY can base64 encode C2 communications.[1]

Enterprise T1074 Data Staged

QUIETCANARY has the ability to stage data prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

QUIETCANARY can RC4 encrypt C2 communications.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

QUIETCANARY can execute processes in a hidden window.[1]

Enterprise T1106 Native API

QUIETCANARY can call System.Net.HttpWebRequest to identify the default proxy configured on the victim computer.[1]

Enterprise T1012 Query Registry

QUIETCANARY has the ability to retrieve information from the Registry.[1]

Enterprise T1016 System Network Configuration Discovery

QUIETCANARY can identify the default proxy setting on a compromised host.[1]


ID Name Description
C0026 C0026

During C0026, the threat actors used QUIETCANARY to gather and exfiltrate data. [1]