Threat Group Cards: A Threat Actor Encyclopedia

Archived: 2026-04-02 12:00:33 UTC

Tool: WIREFIRE

Names: WIREFIRE, GIFTEDVISITOR
Category: Malware
Type: Backdoor

Description:
(Mandiant) WIREFIRE is a web shell written in Python that exists as trojanized logic to a component of the Connect Secure appliance. WIREFIRE supports downloading files to the compromised device and executing arbitrary commands. It contains logic inserted before authentication that responds to specific HTTP POST requests to /api/v1/cav/client/visits. If formdata entry “file” exists, the web shell saves the content to the device with a specified filename; if not, the web shell attempts to decode, decrypt, and zlib decompress any raw data existing after a GIF header to execute as a subprocess. The output of the executed process will be zlib compressed, AES-encrypted with the same key, and Base64-encoded before being sent back as JSON with a “message” field via an HTTP 200 OK.

Information: MITRE ATT&CK, Malpedia

Last change to this tool card: 27 December 2024

All groups using tool WIREFIRE

APT groups
Name: UNC5221, UTA0178
Observed: 2022-Mar 2025

1 group listed (1 APT, 0 other, 0 unknown)

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=adb432fe-3ebe-4a40-9b59-6f71f67d90c6