QUIETEXIT
QUIETEXIT is a backdoor/tunneling malware used to gain persistent access, evade detection, and communicate with command-and-control infrastructure. Reported capabilities include proxying traffic via SOCKS, establishing a TCP connection during initial C2 setup, and using an inverse negotiated SSH connection for C2 that reverses traditional SSH client-server roles. It can attempt to connect to a second hard-coded C2 address if the primary hard-coded C2 fails. QUIETEXIT has also been observed attempting to change its process name to "cron" on startup, and samples have been renamed to blend in with legitimate files. Public reporting links QUIETEXIT to APT29 phishing campaigns between 2019 and 2022. Mandiant also reported UNC3524 using the QUIETEXIT tunneler to reduce tool deployment and largely live off the land, with likely server-side QUIETEXIT components identified on compromised, internet-exposed LifeSize conference room cameras and in one case a D-Link IP camera. In that reporting, QUIETEXIT-supported operations targeted victim mail environments and enabled long dwell times, with UNC3524 remaining undetected in some environments for up to approximately 18 months. High-confidence behavioral indicators drawn from this reporting include SOCKS proxying, inverse SSH-based C2, TCP-based initial C2 connectivity, fallback to a secondary hard-coded C2, and masquerading through renaming such as "cron".
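As an added defender-side example (not part of the original page or of any vendor tooling), the "cron" process-name masquerade described above can be checked on Linux by comparing what a process calls itself with the executable the kernel actually loaded: renaming via prctl(PR_SET_NAME) or rewriting argv[0] changes /proc/<pid>/comm and cmdline, but /proc/<pid>/exe still resolves to the real binary. The legitimate cron paths and the sample process records are assumptions.

```python
import os
from dataclasses import dataclass
from typing import List

# Where a genuine cron daemon lives on common distributions (assumption;
# extend this set to match the images in your fleet).
LEGIT_CRON_EXES = {"/usr/sbin/cron", "/usr/sbin/crond", "/usr/bin/crond"}
CRON_NAMES = {"cron", "crond"}

@dataclass
class ProcRecord:
    pid: int
    comm: str     # /proc/<pid>/comm, the name ps and top display
    exe: str      # readlink of /proc/<pid>/exe, the binary actually loaded
    cmdline: str  # /proc/<pid>/cmdline, NUL separators preserved

def is_cron_masquerade(rec: ProcRecord) -> bool:
    """True when the process claims to be cron but its on-disk binary disagrees.
    Renaming via prctl(PR_SET_NAME) or argv[0] only changes comm/cmdline."""
    argv0 = rec.cmdline.split("\0", 1)[0].rsplit("/", 1)[-1]
    if rec.comm.strip() not in CRON_NAMES and argv0 not in CRON_NAMES:
        return False  # not claiming to be cron at all
    if rec.exe.endswith(" (deleted)"):
        return True   # a "cron" running from an unlinked binary is not the daemon
    return rec.exe not in LEGIT_CRON_EXES

def find_masquerades(records: List[ProcRecord]) -> List[int]:
    """PIDs of every record that fails the check, in input order."""
    return [r.pid for r in records if is_cron_masquerade(r)]

def collect_from_proc(proc_root: str = "/proc") -> List[ProcRecord]:
    """Records from a live Linux /proc; unreadable entries (other users' exe
    links need root) are skipped."""
    out = []
    for name in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().decode("utf-8", "replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue
        out.append(ProcRecord(int(name), comm, exe, cmdline))
    return out

SAMPLE = [  # constructed: genuine cron, renamed implant, unrelated daemon
    ProcRecord(801, "cron\n", "/usr/sbin/cron", "/usr/sbin/cron\0-f\0"),
    ProcRecord(4412, "cron\n", "/var/tmp/.cache/upd (deleted)", "cron\0"),
    ProcRecord(4413, "sshd\n", "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D\0"),
]
```

On a live host, `find_masquerades(collect_from_proc())` runs the same check over every readable process; run it as root so the exe links of other users' processes resolve.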
Groups observed using it
2 distinct threat actors attributed by public researchers.
"The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land..."
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
"The C2 systems... primarily legacy conference room camera systems... and... a D-Link IP camera... infected..." and "MITRE ATT&CK... Resource Development... T1584: Compromise Infrastructure"
Initial Access
1 technique
APT29 was attributed with sending phishing emails impersonating the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered the Cobalt Strike Beacon.
Execution
1 technique
Persistence
3 techniques
"Find QUIETEXIT persistence mechanisms in the appliance’s rc.local directory..." and "MITRE ATT&CK... Persistence... T1037.004: RC Scripts"
Scheduled Task/Job (T1053): APT29 installs persistence mechanisms such as scheduled tasks or startup scripts.
Privilege Escalation
3 techniques
"Find QUIETEXIT persistence mechanisms in the appliance’s rc.local directory..." and "MITRE ATT&CK... Persistence... T1037.004: RC Scripts"
Scheduled Task/Job (T1053): APT29 installs persistence mechanisms such as scheduled tasks or startup scripts.
Stealth
4 techniques
MITRE ATT&CK Mappings: APT29 Defense Evasion T1027: Obfuscated Files or Information (.001: Binary Padding, .002: Software Packing, .003: Steganography, .005: Indicator Removal from Tools, .006: HTML Smuggling)
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread.
Lateral Movement
1 technique
QUIETEXIT reverses traditional SSH client-server roles. On a compromised system, the client establishes a TCP connection and acts as the SSH server, while the threat actor’s component initiates the SSH connection and sends a password.
Command and Control
8 techniques
"MITRE ATT&CK... Command and Control... T1071: Application Layer Protocol"
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
"MITRE ATT&CK... Command and Control... T1095: Non-Application Layer Protocol"
"The threat actor’s use of the QUIETEXIT tunneler..." and "MITRE ATT&CK... Command and Control... T1572: Protocol Tunneling"
MITRE ATT&CK Mappings: APT29 Command and Control T1573: Encrypted Channel (.001: Symmetric Cryptography, .002: Asymmetric Cryptography)
"MITRE ATT&CK... Command and Control... T1573.002: Asymmetric Cryptography"
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A backdoor-like SSH tunneling tool that inverts client-server roles to provide covert access, with execution sometimes ensured via startup scripts.
Malware/tool that can proxy traffic over SOCKS.
Uses an inverse-negotiated SSH connection for C2.
Uses a second hard-coded C2 address if the first fails.