Skip to main content
Mallory
Back to threat actors
1 malware family

Suckfly

Also known asSuckfly

Suckfly is a threat actor referenced in the provided content as using command-line driven tools, stolen certificates to sign malware, credential dumping, valid accounts, and network service discovery. The content states that several tools used by Suckfly were command-line driven, aligning with Windows Command Shell activity (T1059.003). It also states that Suckfly used stolen certificates to sign its malware. For credential access, the content links Suckfly to OS Credential Dumping (T1003) and states that it used dumped legitimate account credentials to navigate victim internal networks as though it were the legitimate account owner, corresponding to Valid Accounts (T1078). For discovery, the content links Suckfly to Network Service Discovery (T1046) and states that it scanned victim internal networks for hosts with ports 8080, 5900, and 40 open. No additional aliases, sub-groups, or attribution details are directly provided in the content beyond the name Suckfly.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics29 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
T1595.002×3
Vulnerability Scanning
TA0001
Initial Access
1 technique
T1078×22
Valid Accounts
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.003×6
Windows Command Shell
TA0003
Persistence
4 techniques
T1078×22
Valid Accounts
T1098×3
Account Manipulation
T1112
Modify Registry
T1136
Create Account
T1136.001
Local Account
TA0004
Privilege Escalation
2 techniques
T1078×22
Valid Accounts
T1098×3
Account Manipulation
TA0005
Stealth
2 techniques
T1070
Indicator Removal
T1070.003
Clear Command History
T1078×22
Valid Accounts
TA0112
Defense Impairment
2 techniques
T1112
Modify Registry
T1553
Subvert Trust Controls
T1553.002×2
Code Signing
TA0006
Credential Access
4 techniques
T1003×6
OS Credential Dumping
T1110
Brute Force
T1552
Unsecured Credentials
T1621
Multi-Factor Authentication Request Generation
TA0007
Discovery
3 techniques
T1018
Remote System Discovery
T1046×10
Network Service Discovery
T1082
System Information Discovery
TA0008
Lateral Movement
1 technique
T1550
Use Alternate Authentication Material
TA0011
Command and Control
3 techniques
T1090
Proxy
T1219
Remote Access Tools
T1572
Protocol Tunneling
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026
ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Apr 13, 2026
Detection: Windows Azure PowerShell Module Installation Via PowerShell Script | Splunk Security Content

Listed as a threat actor associated with Azure Active Directory account takeover, persistence, privilege escalation, and related cloud-focused post-compromise activity detected via PowerShell module installation.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows File Association Modification via Ftype | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution behavior relevant to this detection.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows LAPS Password Gathering Via PowerShell Script | Splunk Security Content

Referenced as a threat actor associated with credential access behavior, specifically techniques involving unsecured credentials and OS credential dumping in the context of LAPS password gathering via PowerShell.

Read more
splunk researchNews
Feb 25, 2026
Detection: ASL AWS SAML Update identity provider | Splunk Security Content

Listed as a threat actor associated with the Valid Accounts technique in the context of AWS SAML provider update detection and potential federated credential abuse.

Read more
+51 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping20

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.

Suckfly | Mallory