216.73.217.22

QUIETEXIT

The MITRE Corporation · Published 16/12/2025 19:36 · Modified 27/03/2026 01:03 Family

Essential information

Confidence
100/100
Is family
Yes
Published
16/12/2025 19:36
Modified
27/03/2026 01:03
Revoked
No
Author / Source
The MITRE Corporation
Related entities
25 attack patterns (mitre), 1 intrusion sets (apt), 3 indicators, 1 reports

Description

[QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.

Attack patterns (MITRE) (25)

  • T1016 uses
    System Network Configuration Discovery
  • T1095 uses
    Non-Application Layer Protocol
  • T1027 uses
    Obfuscated Files or Information
  • T1008 uses
    Fallback Channels
  • T1090 uses
    Proxy
  • T1036 uses
    Masquerading
  • T1098 uses
    Account Manipulation
  • T1608 uses
    Stage Capabilities
  • T1111 uses
    Multi-Factor Authentication Interception
  • T1021 uses
    Remote Services
  • T1037 uses
    Boot or Logon Initialization Scripts
  • T1057 uses
    Process Discovery
  • T1090.002 uses
    External Proxy
  • T1114 uses
    Email Collection
  • T1572 uses
    Protocol Tunneling
  • T1518 uses
    Software Discovery
  • T1583 uses
    Acquire Infrastructure
  • T1003 uses
    OS Credential Dumping
  • T1071 uses
    Application Layer Protocol
  • T1573 uses
    Encrypted Channel
  • T1049 uses
    System Network Connections Discovery
  • T1505 uses
    Server Software Component
  • T1012 uses
    Query Registry
  • T1584 uses
    Compromise Infrastructure
  • T1036.005 uses
    Match Legitimate Resource Name or Location

Intrusion sets (APT) (1)

  • CozyDuke uses IRON RITUALIRON HEMLOCK
    The MITRE Corporation Confidence 100

    [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33

Indicators (3)

Reports (1)