{
	"id": "8eb4c83c-591b-4ff8-887b-c0fab63b4251",
	"created_at": "2026-04-06T00:17:00.725793Z",
	"updated_at": "2026-04-10T13:11:45.843232Z",
	"deleted_at": null,
	"sha1_hash": "5e4265dd669616098452e14fdeca1693ef5ca863",
	"title": "UNC5221: Unreported and Undetected WIREFIRE Web Shell Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51800,
	"plain_text": "UNC5221: Unreported and Undetected WIREFIRE Web Shell Variant\r\nBy QuoINT\r\nPublished: 2024-01-22 · Archived: 2026-04-05 13:52:19 UTC\r\nQuoIntelligence uncovers a previously unreported and undetected variant of the WIREFIRE web shell, a Python-based implant found in compromised Ivanti Connect Secure (ICS) VPN appliances.\r\nIntroduction\r\nIn mid-December, security researchers from Mandiant and Volexity identified multiple web shells hidden by an unknown threat actor on internal and external-facing web applications, as part of a global exploitation and intrusion campaign against Ivanti Connect Secure (ICS) VPN appliances.\r\nThe threat actor, currently tracked by Mandiant as UNC5221 and by Volexity as UTA0178, appears to be part of a Chinese state-sponsored group with advanced capabilities in the network exploitation of external-facing devices. Although attribution rests on a limited degree of certainty and public reporting, indications suggest their activities are likely driven by espionage objectives.\r\nDuring these incidents, the threat actor exploited two zero-day vulnerabilities (CVE-2023-21887 and CVE-2023-46805) affecting Ivanti Connect Secure VPN to bypass authentication methods, allowing the attackers to execute malicious commands on the targeted appliances. Additional information on the exploitation chain and methodologies used can be found in Volexity’s initial article.\r\nDuring our investigation, QuoIntelligence’s Research Team discovered an additional variation of the Python web shell currently tracked as WIREFIRE (by Mandiant) and GIFTEDVISITOR (by Volexity), with similar capabilities but hidden in a different file. This discrepancy is presumably attributable to the threat actor’s intent to circumvent detection mechanisms and to avoid detection by known public YARA rules.\r\nTo avoid confusion, the article will stick to the taxonomy provided by Mandiant.\r\nAt the time of reporting, public detections provided by security researchers are ineffective and will not detect this new variation, posing additional risks to compromised customers and clients that are undergoing internal investigations post-breach. The Integrity Check Tool provided by Ivanti will most likely detect a signature mismatch inside the application’s folder; however, Volexity reported that UNC5221 was seen modifying the built-in scanner’s code to prevent it from reporting any mismatch and to further increase the likelihood of the tampered files going undetected.\r\nTechnical Details\r\nhttps://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/\r\nPage 1 of 3\n\nDuring our research on Ivanti Connect Secure VPN exploits and hunts for additional samples, we identified a suspicious .EGG Python archive containing small variations from the original sample reported by Mandiant and Volexity.\r\nIn the original sample, WIREFIRE was located in the usual location /api/resources/visits.py, with the post function overwritten by the threat actor. However, our new finding was located inside /api/resources/category.py, with the same post function overwritten.\r\nThe two code snippets highlighted minor differences in the methodology of data transmission and subsequent execution. POST requests with specific indicators remain the way to convey the encrypted data payload, which is then decrypted and directly executed within the memory space of the process, leaving no traces on the compromised file system.\r\nIn this particular instance, the threat actor can also rely on specifically set cookies to send the encrypted payload and will not rely on the GIF file previously seen in `visits.py`. If the cookie is not set, the malicious code will extract the encrypted payload from the contents of the API request.\r\nOur analysis highlights the emergence of a novel code addition that enables the threat actor to execute malicious code through the Python exec() function. This approach can facilitate the retention and persistence of data across successive POST requests, leveraging the globals() and locals() functions for data storage after each execution.\r\nThe following code snippet shows the content of the post function while redacting the value of the variable dskey, which contains a unique identifier of 16 characters used as the decryption key.\r\nFigure 1: Code snippet of the function “post” containing the slightly modified web shell\r\nDetections\r\nWhen the discovery was made, the existing YARA rule from Mandiant failed to identify our latest findings, leading us to the conclusion that it is likely that threat actors are deploying new web shells in different directories and with slight modifications to evade detection and hunting by security and IT teams using the publicly available YARA rules.\r\nThe rule M_Hunting_Dropper_WIREFIRE_1 that Mandiant provided detects the web shell WIREFIRE only if it resides inside /api/resources/visits.py, due to the strings used for matching, excluding any other web shell with identical or similar code but located in different files.\r\nTo rapidly respond to this new finding, we created a less restrictive and temporary YARA rule to detect commonalities between these web shells that reside in different files; when we tested its accuracy, it identified WIREFIRE and its variations in every file inside /api/resources/.\r\n{\r\n    meta:\r\n        author = \"QuoIntelligence\"\r\n        description = \"Detects the web shell WIREFIRE tracked by Mandiant and similar variants using common pack / unpack methods\"\r\n        date = \"2024-01-19\"\r\n    strings:\r\n        $s1 = \"zlib.decompress(aes.decrypt(base64.b64decode(\" ascii\r\n        $s2 = \"from Cryptodome.Cipher import AES\" ascii\r\n        $p1 = \"aes.encrypt(t+('\\\\x00'*(16-len(t)%16))\" ascii\r\n    condition:\r\n        filesize < 10KB\r\n        and all of ($s*)\r\n        or any of ($p*)\r\n}\r\nSource: https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/"
	],
	"report_names": [
		"unc5221-unreported-and-undetected-wirefire-web-shell-variant"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e4265dd669616098452e14fdeca1693ef5ca863.pdf",
		"text": "https://archive.orkl.eu/5e4265dd669616098452e14fdeca1693ef5ca863.txt",
		"img": "https://archive.orkl.eu/5e4265dd669616098452e14fdeca1693ef5ca863.jpg"
	}
}