{
	"id": "4779d74b-86c0-4a3b-8201-ef1cd73f231c",
	"created_at": "2026-04-06T00:18:17.900993Z",
	"updated_at": "2026-04-10T13:12:09.90178Z",
	"deleted_at": null,
	"sha1_hash": "3a145d688741497dc1618330863a7fc8519af976",
	"title": "China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 661001,
	"plain_text": "China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches\nBy Sygnia\nPublished: 2024-08-22 · Archived: 2026-04-05 18:49:13 UTC\n\nSygnia uncovers the China-Nexus group ‘Velvet Ant’ leveraging a zero-day exploit (CVE-2024-20399) on Cisco Switch appliances, escalating evasion tactics to maintain long-term network persistence.\n\nKey Takeaways\n\nEarlier in 2024, Sygnia observed ‘Velvet Ant’ leveraging a zero-day exploit (CVE-2024-20399) to compromise and control on-premises Cisco Switch appliances. These types of vulnerabilities are used by the threat actor to operate on compromised devices in a way that is completely hidden from the enterprise security stack.\n\nAs part of the ‘Velvet Ant’ multi-year intrusion, the transition to operating from internal network devices marks yet another escalation in the evasion techniques used to ensure the continuation of the espionage campaign.\n\nThe zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system. Following the exploitation, ‘Velvet Ant’ deploys tailored malware, which runs on the underlying OS and is invisible to common security tools.\n\nThe modus operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party appliances and applications that organizations onboard. Due to the ‘black box’ nature of many appliances, each piece of hardware or software has the potential to turn into an attack surface that an adversary is able to exploit.\n\nBy enhancing logging, implementing continuous monitoring, and conducting systematic threat hunts on key organizational choke points, organizations can better detect and counteract advanced persistent threats such as ‘Velvet Ant’. For additional, detailed prevention and detection guidelines, see Sygnia’s vulnerability advisory.\n\nIntroduction\n\nSygnia recently published a blog post about a China-Nexus threat group, providing an in-depth analysis of Velvet Ant TTPs that have been seen in the wild. While the previous blog demonstrates the attack flow and compromise, this blog highlights the technique used by Velvet Ant to compromise Cisco Switch appliances and use them to perform stealthy attacks.\n\nIn an intrusion that spanned multiple years, Velvet Ant escalated their tactics to stealthily maintain persistence within networks. For over three years, they evaded detection, gradually infiltrating new Windows systems, servers, and laptops. Gradually, they shifted their operations to legacy Windows systems, such as Windows 2003 servers. These older systems, with their inadequate default logging and inability to support modern security technologies, provided an ideal environment for the attackers to continue their activities undetected.\n\nhttps://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/\nPage 1 of 7\n\nNext, Velvet Ant adapted their attack approach again and moved to an operational tactic that leveraged network devices such as legacy F5 BIG-IP appliances, as described in the earlier blog post. This tactic allowed the group to obtain a new vantage point – one that is not accessible to the victim, as it is a black box that enables the attackers to avoid detection.\n\nIn recently observed attacks, Velvet Ant transitioned to operating from Cisco Nexus switch appliances and exploited a zero-day vulnerability in order to access the underlying Linux layer of the switch to install their malware – named ‘VELVETSHELL’ by Sygnia. These switch appliances do not give the user access to the underlying operating system, making scanning for indicators of compromise nearly impossible. This shift towards network appliances emphasizes the group’s sophistication and determination to maintain persistence in a compromised environment in order to continue conducting espionage activities.\n\nJailbreaking a Cisco Switch Appliance using a 0-Day NX-OS CLI Exploit (CVE-2024-20399)\n\nDuring response activities following a recent Velvet Ant intrusion, a suspicious anomaly was detected on a Cisco switch appliance, prompting deeper investigation. Upon accessing the device, Sygnia observed the threat actor performing reconnaissance activities, including issuing extended ping commands to probe additional network devices, and mapping the routing paths across various VRFs (Virtual Routing and Forwarding). Moreover, the threat actor’s use of the Cisco switch as a main pivot to access additional network devices allowed for clear identification of additional activities originating from known compromised locations.\n\nBy investigating the accounting logs of the affected system, Sygnia discovered several suspicious Base64-encoded commands that were executed using valid administrative credentials. These commands were identified as being not merely unusual administrative commands, but rather part of an exploit leveraging a command injection vulnerability. The threat actor utilized this technique to execute a malicious script to load and execute a backdoor binary on the device, thereby bypassing standard security mechanisms.\n\nFigure 1: Snippet from the accounting log of the Cisco Nexus switch, showing the command injection vulnerability used by Velvet Ant.\n\nCisco NX-OS in a Nutshell\n\nCisco NX-OS is a network operating system designed specifically for Cisco’s Nexus-series switches. It operates with a distinct layered architecture, consisting of an ‘application’ level and an underlying Linux-based OS level. The ‘application’ level is what a network administrator would interact with through the CLI, providing commands tailored for network management tasks such as configuring routing, managing interfaces, and monitoring network performance.\n\nBy design, end users are restricted to the application level to ensure a secure and controlled environment. This layer is robust and is equipped with numerous security mechanisms to prevent unauthorized access and to maintain the integrity of network operations. However, the underlying Linux OS layer, which forms the foundation of NX-OS, is typically hidden and inaccessible to end users. It handles the core system functions, running processes and managing resources that are critical to the switch’s operation.\n\nVelvet Ant discovered and utilized a zero-day command injection vulnerability in the Cisco NX-OS Software CLI to bypass the restrictive application layer. This vulnerability was later assigned the CVE ID CVE-2024-20399. By leveraging this vulnerability, the group gained unauthorized access to the underlying Linux OS level. This access provided the attackers with elevated control over the switch, enabling them to execute malicious scripts and manipulate the system beyond the intended administrative capabilities.\n\nNX-OS Linux Layer Post-Exploitation and Malware Deployment\n\nAfter accessing the compromised system, Velvet Ant focused on deploying the VELVETSHELL malware on the device and obfuscating its presence. The bash history file reveals a methodical approach to post-exploitation tasks. First, the threat actor created a file, and then decoded its Base64-encoded content into another file – which was later renamed ‘ufdm.so’ – this change suggests that it contained the malicious payload.\n\nFigure 2: Snippet from the accounting log of the Cisco Nexus switch, showing the command injection vulnerability used by Velvet Ant.\n\nBefore the execution of the malware, the threat actor copied the legitimate ‘curl’ binary and renamed it ‘ufdm’ – which is the name of a legitimate binary on Cisco Nexus switch appliances. The ‘LD_PRELOAD’ environment variable was then set to load ‘ufdm.so’, allowing the attacker to inject their code into the masqueraded ‘/root/ufdm’ process, thereby gaining control over the execution flow. The threat actor then checked the running processes and active network connections using the ‘ps’ and ‘netstat’ commands respectively – likely to ensure that their malware was running as intended, and to assess the system’s network activity. After executing their payload, the threat actor meticulously removed traces of their actions by deleting the renamed ‘ufdm’ and ‘ufdm.so’ files, in an attempt to cover their tracks and avoid detection. This sequence highlights the sophistication and stealth of the threat actor’s operations during the post-exploitation phase.\n\nVELVETSHELL Analysis\n\nDespite the malware being deleted by the threat actor, Sygnia was able to reconstruct it from the device memory through a detailed forensic process. By processing and analyzing the reconstructed VELVETSHELL malware, it was determined that it is a hybrid customized version of two open-source tools: TinyShell, a Unix backdoor, and 3proxy, a proxy tool. Both tools were utilized separately in the past for nefarious purposes; however, in this case, they were identified as being incorporated into a single binary.\n\nAs a hybrid of known tools, and with the additional analysis of the binary for confirmation, the VELVETSHELL malware provides multiple capabilities – such as execution of arbitrary commands, download and upload of files, and establishing tunnels for proxying network traffic. These functionalities provided the threat actor with extensive control over the compromised system, enabling both data exfiltration and persistent access.\n\nFigure 3: Snippet from the ‘IDA’ decompiler, showing the reconstructed VELVETSHELL malware functions, which include 3proxy functionalities.\n\nFigure 4: Snippet from the ‘IDA’ decompiler, showing the reconstructed VELVETSHELL malware functions, which include ‘TinyShell’ functionalities.\n\nA Note on ‘Velvet Ant’\n\nOver the years of espionage activities, ‘Velvet Ant’ increased their sophistication, using evolving tactics to continue their cyber operations in a victim network – from operating on ordinary endpoints, shifting operations to legacy servers and finally moving towards network appliances and using 0-days. The determination, adaptability and persistence of such threat actors underscores the need for a holistic response plan to not only contain and mitigate the threat but also monitor the network for additional attempts to exploit it.\n\nAppendix I: Indicators of Compromise\n\nValue | Type | Description\n/bootflash/id.txt | File path | N/A\n/bootflash/1 | File path | N/A\n/root/ufdm | File path | Renamed curl\n/root/ufdm.so | File path | Malicious library\n/root/a | File path | N/A\n/root/t | File path | N/A\n/root/1 | File path | N/A\n/root/2 | File path | N/A\n\nAppendix II: MITRE ATT\u0026CK Matrix Mapping\n\n1. Execution\n   1. T1059.008 – Command and Scripting Interpreter: Network Device CLI\n   2. T1059.001 – Command and Scripting Interpreter: Base64 Encoding\n2. Persistence\n   1. T1078.003 – Valid Accounts: Local Accounts\n3. Privilege Escalation\n   1. T1068 – Exploitation for Privilege Escalation\n4. Defense Evasion\n   1. T1574.006 – Hijack Execution Flow: Dynamic Linker Hijacking\n   2. T1070.004 – Indicator Removal: File Deletion\n   3. T1036.003 – Masquerading: Rename System Utilities\n   4. T1036.005 – Masquerading: Match Legitimate Name or Location\n   5. T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File\n5. Discovery\n   1. T1046 – Network Service Discovery\n   2. T1018 – Remote System Discovery\n   3. T1049 – System Network Connections Discovery\n   4. T1057 – Process Discovery\n6. Lateral Movement\n   1. T1021.004 – Remote Services: SSH\n   2. T1570 – Lateral Tool Transfer\n7. Command and Control\n   1. T1090.001 – Proxy: Internal Proxy\n\nIf you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at contact@sygnia.co or our 24-hour hotline +1-877-686-8680.\n\nThis advisory and any information or recommendation contained here has been prepared for general informational purposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This advisory is provided on an as-is basis, and without warranties of any kind.\n\nSource: https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/"
	],
	"report_names": [
		"china-threat-group-velvet-ant-cisco-zero-day"
	],
	"threat_actors": [
		{
			"id": "822063cf-d9bd-499a-9715-70d95881378f",
			"created_at": "2025-04-23T02:00:55.295207Z",
			"updated_at": "2026-04-10T02:00:05.254566Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [
				"Velvet Ant"
			],
			"source_name": "MITRE:Velvet Ant",
			"tools": [
				"PlugX",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c0d8f44-d131-41c8-a693-efb687e777f1",
			"created_at": "2024-06-20T02:02:10.211899Z",
			"updated_at": "2026-04-10T02:00:04.962606Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [],
			"source_name": "ETDA:Velvet Ant",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"ESRDE",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"SAMRID",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"VELVETSTING",
				"VELVETTAP",
				"XShellGhost",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434697,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a145d688741497dc1618330863a7fc8519af976.pdf",
		"text": "https://archive.orkl.eu/3a145d688741497dc1618330863a7fc8519af976.txt",
		"img": "https://archive.orkl.eu/3a145d688741497dc1618330863a7fc8519af976.jpg"
	}
}