Small Sieve
Small Sieve, also referred to as GRAMDOOR, is a simple Python backdoor attributed with high confidence by U.S. and U.K. authorities to the Iranian MOIS-linked threat group MuddyWater (also tracked as Seedworm, MERCURY, Static Kitten, TEMP.Zagros, Earth Vetala, UNC3313, and COBALT ULSTER). It has been documented in joint government reporting including advisory AA22-055A.
The malware is distributed via a Nullsoft Scriptable Install System (NSIS) installer, notably gram_app.exe. The installer drops the backdoor as index.exe and establishes persistence through a Windows Registry Run key. Reporting also describes delivery via an NSIS package that drops the executable into an APPDATA subdirectory named OutlookMicrosift and persists via a Run key. Small Sieve uses deceptive filenames associated with Microsoft, Outlook, and Windows Defender, including misspellings such as "Microsift," to evade detection.
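The persistence pattern described above (an executable dropped under APPDATA into a folder with a misspelled Microsoft-style name, then registered in a Run key) can be turned into a triage check over exported Run/RunOnce values. The following Python is an added example written for this page, not code from the reporting or from Mallory: it treats a Run entry as suspicious when its command points into a user-writable location and any word in the value name or path is one or two edits away from a trusted brand name without being that name, so "Microsift" is flagged while "Microsoft" passes. The sample entries are constructed for the example and only mimic the shapes in the reporting.

```python
import re
from dataclasses import dataclass

# Brand names the reporting says Small Sieve imitates in file and key names.
LOOKALIKE_TARGETS = ("microsoft", "outlook", "defender", "windows")

# Path fragments a machine-installed autostart entry rarely needs.
USER_WRITABLE_MARKERS = ("\\appdata\\", "%appdata%", "%localappdata%",
                         "\\temp\\", "%temp%", "\\programdata\\")


@dataclass
class RunKeyEntry:
    """One value under ...\\CurrentVersion\\Run or RunOnce, as exported from the registry."""
    hive: str      # "HKCU" or "HKLM"
    name: str      # value name
    command: str   # command line stored in the value


def levenshtein(a: str, b: str) -> int:
    """Edit distance; tokens are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_tokens(text: str) -> list[tuple[str, str]]:
    """Split CamelCase names and paths into words and return (token, brand) pairs
    that are one or two edits from a brand name but are not the brand itself."""
    hits = {}
    for tok in re.findall(r"[A-Z][a-z]+|[a-z]+|[A-Z]+", text):
        if len(tok) < 4:          # skip "exe", "App" and similar noise
            continue
        for brand in LOOKALIKE_TARGETS:
            if 0 < levenshtein(tok.lower(), brand) <= 2:
                hits[(tok, brand)] = None   # dict dedupes while keeping order
    return list(hits)


def assess(entry: RunKeyEntry) -> dict:
    """Score one Run-key value; both signals together match the reported pattern."""
    normalized = entry.command.lower().replace("/", "\\")
    user_writable = any(marker in normalized for marker in USER_WRITABLE_MARKERS)
    lookalikes = lookalike_tokens(f"{entry.name} {entry.command}")
    return {
        "hive": entry.hive,
        "name": entry.name,
        "user_writable_path": user_writable,
        "lookalikes": lookalikes,
        "suspicious": user_writable and bool(lookalikes),
    }


# Constructed entries for this example, shaped after the reporting, not taken from a real host.
SAMPLE_ENTRIES = [
    RunKeyEntry("HKCU", "OneDrive",
                r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunKeyEntry("HKCU", "OutlookMicrosift",
                r'C:\Users\alice\AppData\Roaming\OutlookMicrosift\index.exe Platypus'),
    RunKeyEntry("HKLM", "SecurityHealth",
                r'C:\Windows\System32\SecurityHealthSystray.exe'),
]


def suspicious_names(entries=SAMPLE_ENTRIES) -> list[str]:
    """Names of the entries worth a closer look."""
    return [assess(e)["name"] for e in entries if assess(e)["suspicious"]]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(assess(e))
```

On a live host the entries would come from a registry export or a forensic parser rather than the constructed list; the two-signal rule keeps the check quiet on legitimate AppData installers such as OneDrive, at the cost of missing a look-alike name placed outside user-writable paths.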
Its command and control uses the Telegram Bot API over HTTPS, including SSL/TLS-protected communications with api.telegram.org, to send and receive messages for tasking and results. Mandiant named the malware GRAMDOOR specifically because of this Telegram Bot API-based communication. One reported sample contains a hardcoded Telegram bot token: 2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY. Small Sieve can obtain the ID of the logged-in user. One report states it only executes correctly if the word "Platypus" is passed on the command line; separate reporting on a related UNC3313/GRAMDOOR sample notes a required command-line parameter and that it was compiled with Python 3.9, packaged with PyInstaller, and only executes on Windows 8 and higher.
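Because tasking rides on the Telegram Bot API, the traffic is plain HTTPS to api.telegram.org and the bot token is part of the URL path, which is where a proxy or TLS-inspection log exposes it. The Python below is an added hunting example for this page (not code from the reporting or from Mallory): it parses proxy log lines in a constructed "timestamp client method url status" format, isolates Bot API calls, extracts the bot ID and API method from the path, matches the full token against the token reported above, and summarizes per-client call counts and polling gaps. The log lines are constructed; only the bot token is taken from the page.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Bot API paths look like /bot<bot_id>:<secret>/<method>; only the bot_id is reported back.
BOT_API_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")

# Token published for the Small Sieve sample in the reporting above.
KNOWN_BAD_TOKENS = {"2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY"}

# Constructed proxy log (timestamp client_ip http_method url status); not real telemetry.
SAMPLE_PROXY_LOG = """\
1700000001 10.10.4.21 GET https://api.telegram.org/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/getUpdates?offset=0 200
1700000007 10.10.4.21 POST https://api.telegram.org/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/sendMessage 200
1700000009 10.10.7.3 GET https://www.microsoft.com/en-us/ 200
1700000030 10.10.4.21 GET https://api.telegram.org/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/getUpdates?offset=12 200
1700000050 10.10.7.3 GET https://api.telegram.org/ 403
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, http_method, url, status = line.split()
    return {"ts": int(ts), "client": client, "http_method": http_method,
            "url": url, "status": int(status)}


def classify_url(url: str):
    """Return None for non-Telegram hosts; otherwise bot_id/token/api_method (None if not a Bot API path)."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m:
        return {"bot_id": None, "token": None, "api_method": None}
    return {"bot_id": m["bot_id"],
            "token": f'{m["bot_id"]}:{m["secret"]}',
            "api_method": m["method"]}


def hunt(log_text: str) -> list[dict]:
    """Summarize Bot API activity per client host, flagging the known token."""
    per_client = defaultdict(lambda: {"hits": 0, "bot_ids": set(),
                                      "api_methods": set(), "known_ioc": False,
                                      "timestamps": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        info = classify_url(rec["url"])
        if info is None:
            continue
        c = per_client[rec["client"]]
        c["hits"] += 1
        c["timestamps"].append(rec["ts"])
        if info["bot_id"]:
            c["bot_ids"].add(info["bot_id"])
            c["api_methods"].add(info["api_method"])
            if info["token"] in KNOWN_BAD_TOKENS:
                c["known_ioc"] = True

    findings = []
    for client, c in sorted(per_client.items()):
        ts = sorted(c["timestamps"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        findings.append({
            "client": client,
            "hits": c["hits"],
            "bot_ids": sorted(c["bot_ids"]),          # secrets deliberately not emitted
            "api_methods": sorted(c["api_methods"]),
            "known_ioc": c["known_ioc"],
            "median_gap_s": statistics.median(gaps) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROXY_LOG):
        print(f)
```

Even without a token match, a workstation alternating getUpdates polls with sendMessage posts to api.telegram.org is worth a ticket, since Bot API use from endpoints is uncommon outside known automation; maintain an allow-list of approved bot IDs and treat the rest as findings. The summary reports only bot IDs so that analyst tooling does not copy live secrets around.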
Within MuddyWater operations, Small Sieve is one of several malware families used alongside PowGoop, Canopy/Starwhale, Mori, and POWERSTATS in campaigns targeting government and commercial organizations across Asia, Africa, Europe, and North America, including telecommunications, defense, local government, and oil and natural gas sectors.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"Mandiant has named this backdoor GRAMDOOR due to its ability to use the Telegram Bot API for communication."
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (2 techniques)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence (1 technique)
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation (1 technique)
The same Run/RunOnce key and Startup folder autostart technique described under Persistence, which also applies to this tactic.
Stealth (4 techniques)
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft's Windows Defender to avoid detection during casual inspection... variations of Microsoft (e.g., "Microsift") and Outlook in its filenames associated with Small Sieve [T1036.005].
Discovery (2 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Command and Control (9 techniques)
Several entries describe broader use of HTTP/HTTPS and related web mechanisms for C2, including "Crutch has conducted C2 communications with a Dropbox account using the HTTP API," "BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API," and "Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS."
APT41 DUST used HTTPS for command and control. APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS. Lumma Stealer has used HTTPS for command and control purposes.
"APT28 has used Google Drive for C2."; "APT37 leverages social networking sites and cloud platforms ... for C2."; "FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2."
T1132.001 MuddyWater has used tools to encode C2 communications including Base64 encoding.
Small Sieve's beacons and taskings are performed using the Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027, T1132.002].
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
IOCs tracked for this family
26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Backdoor associated in the content with Telegram Bot API traffic from internal hosts.
A MuddyWater-associated malware/tool documented in U.S. government advisory AA22-055A.
Backdoor that uses Telegram Bot API for command-and-control messaging.
Malware that uses the Telegram Bot API for command-and-control messaging.