1 malware family

Sowbug

Also known asSowbug

Sowbug is a threat actor tracked in the provided content under the name Sowbug. The content associates Sowbug with credential access, execution, discovery, and collection activity. Specifically, Sowbug has used the Windows command line during intrusions, including Windows Command Shell activity (T1059.003). It has masqueraded tools as legitimate Windows or Adobe Reader software, including use of the filename adobecms.exe and the directory CSIDL_APPDATA\microsoft\security. For discovery, Sowbug obtained victim OS version and hardware configuration (T1082), performed file and directory discovery (T1083), and is associated with network share discovery (T1135). For collection, Sowbug identified and extracted Word documents from a file server, including by using commands containing *.doc and *.docx and by searching for documents within a specific date range, then bundled extracted documents into a RAR archive. The content also associates Sowbug with credential access techniques including unsecured credentials (T1552) and OS credential dumping (T1003). No additional aliases or sub-groups beyond "sowbug" are directly provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics29 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

2 techniques

T1590

Gather Victim Network Information

T1590.001

Domain Properties

T1590.005

IP Addresses

T1595

Active Scanning

TA0002

Execution

1 technique

T1059

Command and Scripting Interpreter

T1059.003×6

Windows Command Shell

TA0003

Persistence

1 technique

T1112

Modify Registry

TA0005

Stealth

3 techniques

T1036×2

Masquerading

T1036.005×3

Match Legitimate Resource Name or Location

T1070

Indicator Removal

T1070.003

Clear Command History

T1218

System Binary Proxy Execution

T1218.011

Rundll32

TA0112

Defense Impairment

1 technique

T1112

Modify Registry

TA0006

Credential Access

3 techniques

T1003×5

OS Credential Dumping

T1056

Input Capture

T1056.001

Keylogging

T1552

Unsecured Credentials

TA0007

Discovery

5 techniques

T1018

Remote System Discovery

T1046

Network Service Discovery

T1082×13

System Information Discovery

T1083×7

File and Directory Discovery

T1135×6

Network Share Discovery

TA0009

Collection

3 techniques

T1039×3

Data from Network Shared Drive

T1056

Input Capture

T1056.001

Keylogging

T1560

Archive Collected Data

T1560.001×6

Archive via Utility

TA0011

Command and Control

1 technique

T1219

Remote Access Tools

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 15, 2026

Detection: MacOS Network Share Discovery | Splunk Security Content

Referenced as a threat actor associated with the Network Share Discovery technique (T1135).

splunk researchNews

Apr 13, 2026

Detection: Windows File Association Modification via Ftype | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution behavior relevant to this detection.

splunk researchNews

Apr 13, 2026

Detection: Windows LAPS Password Gathering Via PowerShell Script | Splunk Security Content

Referenced as a threat actor associated with credential access behavior, specifically techniques involving unsecured credentials and OS credential dumping in the context of LAPS password gathering via PowerShell.

splunk researchNews

Apr 13, 2026

Detection: Windows WinPEAS PowerShell Script Execution | Splunk Security Content

Listed as a threat actor associated with WinPEAS-related post-exploitation/reconnaissance activity in the detection metadata.

+62 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping21

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.