Mallory
Malware · Used by 1 actor

QuietSieve

QuietSieve is a stealer malware family that the Microsoft Threat Intelligence Center (MSTIC) identified in 2022 as distinct from the related loader PowerPunch. The provided content credits QuietSieve with multiple collection and stealth capabilities on Windows systems: it can execute payloads in a hidden window, check command-and-control connectivity by pinging 8.8.8.8 (Google Public DNS), identify and search removable and networked drives for specific file name extensions, and collect files from a compromised host. QuietSieve also performs periodic screen capture, taking a screenshot every five minutes and saving it under the user’s local Application Data folder in Temp\SymbolSourceSymbols\icons or Temp\ModeAuto\icons. The content also references the Microsoft detection name Trojan:MSIL/QuietSieve from March 2022. No higher-confidence attribution to a specific threat actor or industry targeting is directly stated in the provided content.
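The two staging folders and the five-minute screenshot cadence above are the most concrete host artifacts in this profile, so here is an added hunting helper (not Mallory's or Microsoft's code) that scans a file listing for paths under those folders beneath a user's Local Application Data directory and checks whether the modification times cluster at the reported interval. The `FileRecord` type, the `hunt`/`cadence_minutes` helpers and the sample listing are all assumptions constructed for this example.

```python
"""Hunt for QuietSieve screenshot staging artifacts in a file listing.

Added illustration, not Mallory's or Microsoft's code. The two staging
folders and the five-minute cadence come from the profile above; the
file listing at the bottom is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Staging folders reported for QuietSieve, relative to %LOCALAPPDATA%.
STAGING_DIRS = (
    r"Temp\SymbolSourceSymbols\icons",
    r"Temp\ModeAuto\icons",
)

# Matches <drive>:\Users\<user>\AppData\Local\<staging dir>\<file>
_STAGING_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\("
    + "|".join(re.escape(d) for d in STAGING_DIRS)
    + r")\\[^\\]+$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileRecord:
    """One entry from a file listing (hypothetical input type)."""
    path: str
    mtime: datetime


def is_staging_path(path: str) -> bool:
    """True if the path sits directly inside one of the staging folders."""
    return _STAGING_RE.match(path) is not None


def cadence_minutes(times) -> float | None:
    """Median gap between consecutive timestamps in minutes (None if < 2)."""
    ts = sorted(times)
    if len(ts) < 2:
        return None
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    return median(gaps)


def hunt(records, expected_minutes: float = 5.0, tolerance: float = 0.5):
    """Group staging-folder hits per folder and flag ~5-minute cadences."""
    by_dir: dict[str, list[FileRecord]] = {}
    for r in records:
        if is_staging_path(r.path):
            folder = r.path.rsplit("\\", 1)[0].lower()
            by_dir.setdefault(folder, []).append(r)
    findings = []
    for folder, hits in by_dir.items():
        cad = cadence_minutes(r.mtime for r in hits)
        periodic = cad is not None and abs(cad - expected_minutes) <= tolerance
        findings.append(
            {"folder": folder, "count": len(hits),
             "cadence_min": cad, "periodic": periodic}
        )
    return findings


# Constructed sample listing: four screenshots five minutes apart in one
# staging folder, plus an unrelated temp file that must not match.
_BASE = datetime(2022, 3, 1, 9, 0, 0)
SAMPLE_LISTING = [
    FileRecord(
        r"C:\Users\alice\AppData\Local\Temp\SymbolSourceSymbols\icons"
        + rf"\shot_{i}.png",
        _BASE + timedelta(minutes=5 * i),
    )
    for i in range(4)
] + [FileRecord(r"C:\Users\alice\AppData\Local\Temp\other\cache.dat", _BASE)]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LISTING):
        print(finding)
```

In practice the listing would come from an EDR file inventory or a forensic image; the cadence check is what separates a stray file in an oddly named folder from the periodic capture the profile describes.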


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Gamaredon Group

In 2022, the Microsoft Threat Intelligence Center (MSTIC) categorised these payloads as distinct families, notably PowerPunch (a loader) and QuietSieve (a stealer).

via Sekoia blog (blog.sekoia.io)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

1 technique
T1564.003 Hidden Window (evidence: 3)

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows. APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. APT28 has used the WindowStyle parameter to conceal PowerShell windows.

Discovery

5 techniques
T1016.001 Internet Connection Discovery (evidence: 1)
T1049 System Network Connections Discovery (evidence: 1)

Multiple actors and malware check for internet/network connectivity using ping, tracert, HTTP GET requests, or contacting well-known domains (e.g., google[.]com, bing[.]com, 8.8.8.8) prior to tool transfer or C2 establishment.
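The probe-then-connect sequence described above is easier to spot in telemetry when the two events are correlated per process rather than alerted on separately, since a lone ping to 8.8.8.8 is common benign activity. The following added example (not Mallory's or any vendor's code) parses a constructed key=value network-connection log, remembers each process's last probe to one of the well-known targets named above, and flags a connection from the same process to any other destination inside a short window. The log format, the `correlate` function and the sample events are assumptions made for this illustration.

```python
"""Correlate connectivity probes with follow-on connections in host telemetry.

Added example, not Mallory's or any vendor's code. The probe targets
(google.com, bing.com, 8.8.8.8) come from the technique note above; the
log format and the events below are constructed sample data.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Well-known connectivity-check destinations listed in the technique note.
PROBE_TARGETS = {"8.8.8.8", "google.com", "bing.com"}

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    """Parse '<ISO timestamp> k=v k="v with spaces"' into a dict, or None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(lines, window: timedelta = timedelta(minutes=10)):
    """Return findings where a process probed a known target and then
    connected elsewhere within `window`."""
    events = [e for e in (parse_line(l) for l in lines)
              if e and e.get("type") == "netconn"]
    events.sort(key=lambda e: e["ts"])
    last_probe = {}  # image -> (probe timestamp, probe target)
    findings = []
    for e in events:
        dst = e.get("dst", "").lower()
        image = e.get("image", "").lower()
        if dst in PROBE_TARGETS:
            last_probe[image] = (e["ts"], dst)
            continue
        probe = last_probe.get(image)
        if probe and e["ts"] - probe[0] <= window:
            findings.append({
                "image": image,
                "probe": probe[1],
                "dst": dst,
                "seconds_after": (e["ts"] - probe[0]).total_seconds(),
            })
            del last_probe[image]  # one finding per probe
    return findings


# Constructed sample events: a temp-folder binary pings 8.8.8.8 and three
# seconds later connects to a documentation-range address; a browser
# reaches google.com but its next connection falls outside the window.
SAMPLE_EVENTS = [
    r'2022-03-01T10:00:00Z type=netconn image="C:\Users\alice\AppData\Local\Temp\svc.exe" proto=icmp dst=8.8.8.8',
    r'2022-03-01T10:00:03Z type=netconn image="C:\Users\alice\AppData\Local\Temp\svc.exe" proto=tcp dst=203.0.113.10 dport=443',
    r'2022-03-01T10:05:00Z type=netconn image="C:\Program Files\Browser\browser.exe" proto=tcp dst=google.com dport=443',
    r'2022-03-01T10:30:00Z type=netconn image="C:\Program Files\Browser\browser.exe" proto=tcp dst=example.org dport=443',
    r'2022-03-01T10:31:00Z type=proc image="C:\Windows\System32\ping.exe" cmdline="ping -n 1 8.8.8.8"',
]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Browsers and updaters legitimately touch these targets, so in production the rule is usually paired with an allowlist of signed, expected images or restricted to processes running from user-writable paths; the correlation itself stays the same.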

T1083 File and Directory Discovery (evidence: 4)

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

T1120 Peripheral Device Discovery (evidence: 3)

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

T1135 Network Share Discovery (evidence: 1)

Collection

2 techniques
T1005 Data from Local System (evidence: 3)

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

T1113 Screen Capture (evidence: 2)

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

Command and Control

2 techniques
T1071.001 Web Protocols (evidence: 4)

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

T1105 Ingress Tool Transfer (evidence: 1)