{
	"id": "cce608e1-fd8d-4ca9-9030-ea5ec0848f82",
	"created_at": "2026-04-06T00:12:18.880079Z",
	"updated_at": "2026-04-10T03:24:34.036182Z",
	"deleted_at": null,
	"sha1_hash": "f2fa42021428a4b5bd46b302d2c9a3e36b974301",
	"title": "Rewterz Threat Advisory - Ivanti VPN Zero-Days Weaponized by UNC5221 Threat Actors to Deploy Multiple Malware Families – Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46227,
	"plain_text": "Rewterz Threat Advisory - Ivanti VPN Zero-Days Weaponized by UNC5221 Threat Actors to Deploy Multiple Malware Families – Active IOCs - Rewterz\r\nPublished: 2024-01-15 · Archived: 2026-04-05 16:13:18 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nSuspected nation-state threat actors, tracked as UNC5221, have deployed about five different malware families as part of post-exploitation activities by using two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since at least December 2023.\r\nThe malware families used in the attacks help the threat actors bypass authentication and provide backdoor access to the impacted devices. The threat actors utilize an exploit chain that consists of an authentication bypass vulnerability (CVE-2023-46805) and a code injection flaw (CVE-2024-21887) to take control of the targeted instances.\r\nThe two vulnerabilities were used to achieve initial access, backdoor legitimate files, deploy web shells, harvest credentials and other sensitive data, and move further into the infected environment. Ivanti states that the attacks have impacted fewer than 20 customers, which indicates that this campaign could be targeting specific victims. The patches for these two vulnerabilities are expected to be released during the week of 22nd January.\r\nThe analysis by researchers has shown the presence of at least five different custom malware families, aside from the injection of malicious code into legitimate files inside ICS and the use of other legitimate tools such as PySoxy and BusyBox to facilitate follow-up activity. Some parts of the targeted devices are read-only, so UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write, which allowed the deployment of THINSPOOL, a shell script dropper that can write the LIGHTWIRE web shell into a legitimate Connect Secure file, along with other subsequent tools.\r\nLIGHTWIRE is one of the two web shells used in the attacks, the other being WIREFIRE. These are lightweight footholds designed to maintain persistent remote access to the infected devices. LIGHTWIRE is written in Perl CGI, whereas WIREFIRE is written in Python. Other malware used in the campaign includes a JavaScript-based credential stealer called WARPWIRE and a backdoor dubbed ZIPLINE, capable of uploading and downloading files, creating a proxy server, establishing a reverse shell, and setting up a tunneling server to dispatch traffic between various endpoints.\r\nThese attacks do not appear opportunistic but rather targeted, focused on the high-priority victims that UNC5221 compromised. The threat group has not been attributed to any previously known group and its origins are currently unknown. However, the targeting of critical infrastructure through the weaponization of zero-day vulnerabilities and the use of compromised command-and-control (C2) infrastructure to evade detection indicate that it is an advanced persistent threat (APT).\r\nThe activity shows that espionage threat actors find it viable to exploit and live on the edge of networks. The number of impacted systems is very likely to grow as more organizations run tools to scan their devices for indicators of compromise.\r\nImpact\r\nCyber Espionage\r\nSensitive Information Theft\r\nSecurity Bypass\r\nCommand Execution\r\nIndicators Of Compromise\r\nDomain Name\r\nsymantke.com\r\ngpoaccess.com\r\nwebb-institute.com\r\nAffected Vendors\r\nIvanti\r\nAffected Products\r\nIvanti ICS 9\r\nIvanti ICS 22\r\nIvanti Policy Secure\r\nRemediation\r\nRefer to the Ivanti website for patch, upgrade or suggested workaround information.\r\nBlock all threat indicators at your respective controls.\r\nSearch for indicators of compromise (IOCs) in your environment utilizing your respective security controls.\r\nImplement multi-factor authentication to add an extra layer of security to login processes.\r\nRegularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.\r\nOrganizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.\r\nDevelop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.\r\nMaintain regular backups of critical data and systems to ensure data recovery in case of a security incident.\r\nAdhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.\r\nEstablish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.\r\nConduct security audits and assessments to evaluate the overall security posture of your systems and networks.\r\nImplement network segmentation to contain and isolate potential threats to limit their impact on critical systems.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/"
	],
	"report_names": [
		"rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775791474,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2fa42021428a4b5bd46b302d2c9a3e36b974301.pdf",
		"text": "https://archive.orkl.eu/f2fa42021428a4b5bd46b302d2c9a3e36b974301.txt",
		"img": "https://archive.orkl.eu/f2fa42021428a4b5bd46b302d2c9a3e36b974301.jpg"
	}
}