Snugy
Snugy is a PowerShell backdoor associated with the xHunt cyber-espionage group and described as a CASHY200 variant. It was identified alongside the TriFive backdoor and the BumbleBee ASPX webshell during investigations into xHunt intrusions at Kuwaiti organizations. Reporting links xHunt activity to long-running campaigns since 2018, with targeting focused on Kuwait, particularly government, shipping, and transportation entities.
High-confidence reporting states that Snugy is written entirely in PowerShell and was used by xHunt for persistent access and arbitrary command execution. In one observed case, Snugy was referenced as OfficeIntegrator.ps1 and configured to run every 30 minutes via a scheduled task, reflecting xHunt’s broader persistence pattern of executing PowerShell implants through scheduled tasks with execution-policy bypass and task names/paths designed to resemble legitimate Windows components. Related reporting on xHunt also notes use of Exchange and IIS server compromise, credential harvesting, and lateral movement via SSH tunnels and Plink, although those behaviors are attributed to the broader campaign and associated tooling rather than uniquely to Snugy.
Snugy has been reported in the context of xHunt operations involving compromised Microsoft Exchange and IIS environments, covert persistence, and long-term access inside victim networks. It is grouped with other xHunt malware families such as Hisoka, Sakabota, Netero, Killua, TriFive, and BumbleBee. The provided content does not include standalone Snugy-specific indicators of compromise such as hashes, domains, or mutexes.
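A defender-side hunt for the persistence pattern described above (a PowerShell implant launched by a scheduled task with an execution-policy bypass under a Windows-lookalike task name). This is an added example, not code from the page or from the public xHunt reporting; it assumes the ScheduledTasks module (Windows 8 / Server 2012 and later), an elevated session so tasks under \Microsoft\Windows\* are visible, and uses the reported script names only to tag matches.

```powershell
# Added hunting script (not from the page or the Unit 42 reports): list scheduled
# tasks whose action starts PowerShell with an execution-policy bypass and/or a
# .ps1 script, then surface name, path, principal and repetition interval.
# Run elevated; relies on Get-ScheduledTask from the ScheduledTasks module.

# Script names named in public reporting for xHunt/Snugy; used only for tagging.
$ReportedScriptNames = @('OfficeIntegrator.ps1', 'xpsrchvw.ps1')

function Get-PowerShellPersistenceTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # ComHandler actions carry no Execute value; only Exec actions matter here
            if ([string]::IsNullOrEmpty($action.Execute)) { continue }
            $exe = [IO.Path]::GetFileName($action.Execute).ToLowerInvariant()
            if ($exe -notin @('powershell.exe', 'pwsh.exe')) { continue }

            $argText = [string]$action.Arguments
            $bypass  = $argText -match '-(ExecutionPolicy|ep|ex)\s+Bypass'
            $script  = if ($argText -match '([A-Za-z]:\\[^"''\s]+\.ps1)') { $Matches[1] } else { $null }
            if (-not $bypass -and -not $script) { continue }

            # Repetition intervals are ISO 8601 durations, e.g. PT30M for every 30 minutes
            $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })

            [pscustomobject]@{
                TaskName     = $task.TaskName
                TaskPath     = $task.TaskPath           # watch for \Microsoft\Windows\ lookalikes
                Principal    = $task.Principal.UserId
                Executable   = $action.Execute
                Arguments    = $argText
                PolicyBypass = [bool]$bypass
                ScriptPath   = $script
                ScriptExists = if ($script) { Test-Path -LiteralPath $script } else { $null }
                Repetition   = ($intervals -join ',')
                ReportedName = [bool]($script -and ([IO.Path]::GetFileName($script) -in $ReportedScriptNames))
            }
        }
    }
}

Get-PowerShellPersistenceTasks |
    Sort-Object ReportedName, PolicyBypass -Descending |
    Format-Table TaskPath, TaskName, Principal, Repetition, PolicyBypass, ScriptPath, ReportedName -AutoSize
```

Legitimate software also registers PowerShell tasks, so treat hits as leads to triage (script contents, signer, creation time in the Task Scheduler operational log) rather than as verdicts.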
Groups observed using it
1 distinct threat actor attributed by public researchers.
This investigation resulted in the discovery of two new backdoors called TriFive and Snugy, which we discussed in a prior blog...
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Persistence
1 technique
This investigation resulted in the discovery of two new backdoors called TriFive and Snugy... as well as a new webshell that we call BumbleBee... The actor used the BumbleBee webshell to upload and download files to and from the compromised Exchange server, but more importantly, to run commands that the actor used to discover additional systems and to move laterally to other servers on the network.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
PowerShell-based backdoor deployed by xHunt APT, leveraging scheduled tasks for persistence and using Exchange Web Services for C2 communication.
PowerShell backdoor (variant of CASHY200) used for persistent access; commonly executed via scheduled tasks (e.g., OfficeIntegrator.ps1 / xpsrchvw.ps1) with execution-policy bypass.
A backdoor newly discovered during investigation of the xHunt campaign at Kuwaiti organizations. The provided content mentions its discovery but does not describe its functionality further.