SIESTAGRAPH
SIESTAGRAPH is a .NET backdoor that uses the Microsoft Graph API for command and control, blending malicious traffic with legitimate Microsoft 365 activity. Reported by Elastic Security Labs in connection with the REF2924 intrusion set, it was observed targeting the Foreign Affairs Office/Ministry of an ASEAN member state and has been described as attributed to a PRC-affiliated or broader China-nexus espionage cluster with moderate confidence. It has also been noted as co-resident in environments containing NAPLISTENER, SOMNIRECORD, DOORME, SHADOWPAD, and COBALTSTRIKE.
The malware uses Microsoft 365 Mail and OneDrive for C2. It carries a hard-coded tenant identifier and refresh token, which it exchanges for Microsoft Graph access tokens, and it authenticates as the Microsoft Office client (application ID d3590ed6-52b3-4102-aeff-aad2292ab01c) to reach Mail and OneDrive. The legitimate third-party OneDriveAPI library handles the Graph calls and token management. After authenticating, SIESTAGRAPH builds a session token by concatenating the process ID, machine name, username, and operating system, and it exfiltrates that session information and subsequent command results by saving them as Outlook draft email messages, with OneDrive used alongside Mail for the same C2 channel.
Documented capabilities include shell execution via "cmd /c <command>", configurable sleep timing with a default 5-second polling interval, file upload and download via OneDrive, drive and directory listing, file deletion and renaming, process listing and killing, network discovery, screenshot capture, and self-termination. Its NET command gathers open TCP connection data using functions resolved from Ws2_32.dll and iphlpapi.dll. Its SS command captures the primary monitor, Base64-encodes the screenshot, and returns it via an email draft.
Indicators and artifacts called out in reporting include the hard-coded Microsoft Office application ID d3590ed6-52b3-4102-aeff-aad2292ab01c and the use of Outlook draft messages plus OneDrive through Microsoft Graph for command transport and exfiltration. Note that this application ID belongs to Microsoft's own Office client and appears in sign-in and Graph activity logs for legitimate Office and Outlook use, so on its own it is a pivot rather than a standalone indicator; the draft-polling cadence and the host and process issuing the requests are what separate the implant from normal activity. Elastic reported the hard-coded tenant ID used by SIESTAGRAPH to Microsoft. Additional reporting noted a later variant with command identifiers that differ from the earlier documented versions.
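The behaviour described above (a fixed Office client ID, a short default sleep, draft polling and draft creation, OneDrive transfers) can be hunted in Microsoft Graph activity telemetry. The following is an added example written for this page; it is not Elastic's code and not the implant's. It assumes JSON-lines export of a few Log Analytics MicrosoftGraphActivityLogs columns (TimeGenerated, UserId, AppId, RequestMethod, RequestUri, UserAgent), the Graph v1.0 paths for the Drafts folder and draft creation, and tuneable thresholds (15-second median gap, six polls) chosen here, not taken from the report. All records and user-agent strings in the sample are constructed.

```python
"""Hunt for SIESTAGRAPH-style draft-message beaconing in Microsoft Graph activity logs.

Added example for illustration; not Elastic's or the implant's code. Input is JSON-lines
with a subset of MicrosoftGraphActivityLogs columns; the sample records are constructed.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Client ID Elastic observed hard-coded in SIESTAGRAPH: Microsoft's own Office app.
# Legitimate Office/Outlook traffic uses it too, so cadence and context carry the signal.
OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
DRAFTS_PATH = "/mailfolders/drafts/messages"
# Threshold assumptions (tune per tenant): the implant sleeps 5 s by default, so a
# sub-15 s median gap between Drafts reads is far below any human cadence.
MAX_MEDIAN_POLL_SECONDS = 15.0
MIN_POLLS = 6


def _path(uri):
    return urlparse(uri).path.lower().rstrip("/")


def classify(method, uri):
    """Map one Graph request to a SIESTAGRAPH C2 behaviour, or None if unrelated."""
    p = _path(uri)
    if method == "GET" and DRAFTS_PATH in p:
        return "poll"       # reading the Drafts folder for operator tasking
    if method == "POST" and p.endswith("/me/messages"):
        return "create"     # POST /me/messages saves a draft; sending is a separate call
    if "/drive/" in p and (method == "PUT" or p.endswith("/content")):
        return "onedrive"   # file upload/download via OneDrive
    return None


def parse_records(jsonl_text):
    records = []
    for line in jsonl_text.strip().splitlines():
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        records.append(r)
    return records


def find_draft_beacons(records, max_median=MAX_MEDIAN_POLL_SECONDS, min_polls=MIN_POLLS):
    """One finding per (UserId, AppId) whose Drafts polling looks automated."""
    sessions = defaultdict(lambda: {"polls": [], "creates": 0, "onedrive": 0, "agents": set()})
    for r in records:
        kind = classify(r["RequestMethod"].upper(), r["RequestUri"])
        if kind is None:
            continue
        s = sessions[(r["UserId"], r["AppId"].lower())]
        s["agents"].add(r.get("UserAgent", ""))
        if kind == "poll":
            s["polls"].append(r["ts"])
        elif kind == "create":
            s["creates"] += 1
        else:
            s["onedrive"] += 1

    findings = []
    for (user, app), s in sessions.items():
        if len(s["polls"]) < min_polls:
            continue
        times = sorted(s["polls"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap > max_median:
            continue
        reasons = [f"Drafts folder polled {len(times)}x, median gap {median_gap:.1f}s"]
        if app == OFFICE_CLIENT_ID:
            reasons.append("client is the Microsoft Office app ID hard-coded in SIESTAGRAPH")
        if s["creates"]:
            reasons.append(f"{s['creates']} draft(s) created")
        if s["onedrive"]:
            reasons.append(f"{s['onedrive']} OneDrive content transfer(s)")
        findings.append({"user": user, "app_id": app, "median_gap_s": median_gap,
                         "user_agents": sorted(s["agents"]), "reasons": reasons})
    return findings


def sample_jsonl():
    """Constructed records in MicrosoftGraphActivityLogs shape (not real telemetry)."""
    base = datetime(2023, 1, 10, 9, 0, 0)
    rows = []

    def add(t, user, app, method, uri, ua):
        rows.append(json.dumps({"TimeGenerated": t.isoformat() + "Z", "UserId": user,
                                "AppId": app, "RequestMethod": method,
                                "RequestUri": uri, "UserAgent": ua}))

    g = "https://graph.microsoft.com/v1.0"
    victim, ua_implant = "victim@contoso.example", "example-implant-ua"   # placeholders
    for i in range(8):   # 5-second Drafts polling, matching the default sleep
        add(base + timedelta(seconds=5 * i), victim, OFFICE_CLIENT_ID, "GET",
            f"{g}/me/mailFolders/drafts/messages", ua_implant)
    add(base + timedelta(seconds=12), victim, OFFICE_CLIENT_ID, "POST",
        f"{g}/me/messages", ua_implant)
    add(base + timedelta(seconds=20), victim, OFFICE_CLIENT_ID, "PUT",
        f"{g}/me/drive/root:/out.bin:/content", ua_implant)
    for m in (0, 10):    # analyst: same client ID, two Drafts reads ten minutes apart
        add(base + timedelta(minutes=m), "analyst@contoso.example", OFFICE_CLIENT_ID,
            "GET", f"{g}/me/mailFolders/drafts/messages", "example-outlook-ua")
    return "\n".join(rows)


if __name__ == "__main__":
    for f in find_draft_beacons(parse_records(sample_jsonl())):
        print(f"{f['user']} via {f['app_id']}: " + "; ".join(f["reasons"]))
```

The analyst's two Drafts reads with the same Office client ID are not reported, which is the point of keying on cadence rather than on the application ID alone; in production, join the flagged UserId back to sign-in logs to see whether the token was minted by refresh-token grant from a host that should not be running Office at all.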
SIESTAGRAPH is a .NET backdoor that leverages the Microsoft Graph interface, a collection of APIs for accessing various Microsoft services.
We first observed this type of third-party C2 in SIESTAGRAPH, which we reported in December 2022.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Stealth (1 technique)
Discovery (4 techniques)
The NET command gathers information about open TCP connections from the system's TCP table... This code helps the attacker to get a better insight into the system's purpose within the network.
We have identified the following commands... P Get a list of running processes.
After obtaining authentication and session tokens, the malware collects system information and exfiltrates it using a method called sendSession... A session token (sessionToken) is created by concatenating the process ID, machine name, username, and operating system.
Collection (1 technique)
Command and Control (4 techniques)
SIESTAGRAPH interacts with Microsoft’s GraphAPI for command and control using Outlook and OneDrive... The implant utilizes the Microsoft Graph API to access Microsoft 365 Mail and OneDrive for its C2 communication.
Inspecting the sendSession method we see that it creates an email message and saves it as a draft. Using draft messages is common C2 tradecraft as a way to avoid email interception and inspection... the implant will use the getMessages method to check for any draft emails with commands from the attacker.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A backdoor mentioned for comparison that leverages the Microsoft Graph API to access Microsoft 365 Mail for command-and-control communication.
Previously reported malware family that similarly abuses the Outlook mail service via the Microsoft Graph API for command and control (referenced as a technique comparison to FINALDRAFT).
Previously reported malware/campaign tooling noted for abusing Microsoft Graph API for command and control, referenced here as an earlier example of the same C2 technique.
Backdoor used in espionage intrusions that leverages the Microsoft Graph API to communicate through OneDrive and Microsoft 365 Mail for command and control.