Clankerusecase
Threat-actor profile

Sowbug

Sowbug is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 9 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0054

- 14 use cases
- 0 articles
- 9 techniques
- 0 IOCs

About this actor (MITRE)

[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)

Known aliases

Sowbug

Detection use cases (14)

- Sowbug (G0054) diplomatic file-share enumeration via cmd.exe with foreign-policy keyword filters (AI · profile)
- Sowbug (G0054) Felismus loader — Windows-binary masquerade in user-writable paths followed by RAR staging (AI · profile)
- Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
- LSASS process access / dump (credential theft) (MITRE match)
- 7zip CommandLine To SMB Share Path (MITRE match)
- Advanced IP or Port Scanner Execution (MITRE match)
- Anomalous usage of 7zip (MITRE match)
- Attacker Tools On Endpoint (MITRE match)
- Cisco ASA - Reconnaissance Command Activity (MITRE match)
- Cisco IOS XE Reconnaissance Command Activity (MITRE match)
- CMD Carry Out String Command Parameter (MITRE match)
- CMD Echo Pipe - Escalation (MITRE match)