QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200)

QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) | Attack Pattern | QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200) | Malware | 1 |
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200) | Malware | 1 |
| Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200) | Malware | 1 |
| External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) | Attack Pattern | QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200) | Malware | 1 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200) | Malware | 1 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |
| External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 2 |