C0029: Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
Analyst context for executives and security teams
Cutting Edge matters because MITRE describes it as a campaign against externally facing Ivanti Connect Secure VPN appliances, followed by defense evasion, living-off-the-land activity, web shells, custom backdoors, credential capture, and lateral movement techniques. For leaders, the decision point is not only whether a VPN was patched, but whether the organization can prove the appliance was not modified, credentials were not harvested, and downstream Windows, Linux, macOS, ESXi, and network-device activity was reviewed where the related techniques apply.
Executive priority
Treat this as a remote-access infrastructure and identity-risk scenario. VPN appliances sit at the boundary between the internet and internal access, so compromise can affect business continuity, privileged access, incident scope, and audit evidence. Executives should ask whether externally exposed VPNs are inventoried, whether emergency vulnerability response includes appliance integrity checks, whether VPN credentials and sessions can be invalidated quickly, and whether SOC/IR teams can correlate VPN activity with Active Directory, RDP, SMB, SSH, and endpoint telemetry.
Technical view
ATT&CK provides no campaign-level detection text, so validation should be relationship-driven. Confirm visibility for Ivanti Connect Secure appliance changes and logs, especially around web shell/backdoor behaviors associated with ZIPLINE, WIREFIRE, WARPWIRE, GLASSTOKEN, BUSHWALK, LIGHTWIRE, FRAMESTING, LITTLELAMB.WOOLTEA, and PITSTOP. Hunt for command execution, file read/write, reverse shell or proxy-like network behavior, credential capture against VPN portals, and persistence across upgrades or patches where appliance evidence is available. Downstream, validate detections for LSASS and NTDS access, Impacket and CrackMapExec-like post-exploitation activity, RDP/SMB/SSH lateral movement, Python or script execution, process injection, encoded files, local data collection, keylogging/web portal capture, and indicator removal.
Likely telemetry
- Internet-facing VPN appliance inventory, version, configuration, and integrity evidence
- Ivanti Connect Secure web, authentication, administrative, and system logs where available
- File integrity or forensic evidence for modified CGI, Python, Perl, JavaScript, and package components on VPN appliances
- Network flow, proxy, DNS, and firewall telemetry for reverse shell, proxy, unusual egress, or appliance-to-internal connections
- VPN authentication records, session history, source IPs, and account usage patterns
Detection direction
- Do not rely on patch status alone; validate appliance integrity and historical logs because related malware includes web shells and backdoors embedded in legitimate components.
- Correlate VPN appliance activity with identity and lateral movement telemetry to determine whether compromise of remote access infrastructure led to internal access.
- Tune for suspicious use of RDP, SMB/admin shares, SSH, Impacket, and CrackMapExec-like behavior, but account for legitimate administrator and penetration-testing activity to reduce false positives.
- Prioritize detections for credential access paths named in the relationships: LSASS memory, NTDS, web portal capture, keylogging, and VPN credential theft patterns.
- Expect blind spots where network devices lack EDR-style logging, where appliance logs are overwritten, or where indicator removal has reduced forensic evidence.
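The second detection bullet above (correlating VPN appliance activity with identity and lateral movement telemetry) is the kind of logic a SOC would actually script. The following Python is an added example, not code from this page, MITRE, or any vendor: it joins constructed VPN session records with constructed RDP/SMB/SSH events by the IP assigned to the VPN client, flags sessions followed by fan-out to several internal hosts, and separately lists admin-protocol events that no session explains, including connections sourced from the appliance's own internal address. The field layouts, the appliance IP (10.20.0.2), the one-hour window and the fan-out threshold are all assumptions.

```python
"""Correlate VPN session logins with downstream RDP/SMB/SSH activity.

All telemetry below is constructed for the example; field layouts, the
appliance's internal IP, the time window and the fan-out threshold are
assumptions, not values from any vendor log format.
"""
from datetime import datetime, timedelta

# Assumed internal interface IP of the VPN appliance itself. Admin-protocol
# connections sourced from it are "appliance-originated" and get reviewed.
APPLIANCE_INTERNAL_IP = "10.20.0.2"

# Protocols the detection direction singles out for lateral movement.
ADMIN_PROTOCOLS = {"RDP", "SMB", "SSH"}

# Constructed VPN session records:
# (login time, account, IP assigned to the VPN client, remote source IP)
VPN_SESSIONS = [
    ("2024-01-12T02:10:00", "svc_backup", "10.20.0.45", "198.51.100.23"),
    ("2024-01-12T09:00:00", "alice", "10.20.0.71", "203.0.113.9"),
]

# Constructed downstream events from endpoint/network telemetry:
# (time, source IP, destination host, protocol, account)
LATERAL_EVENTS = [
    ("2024-01-12T02:14:30", "10.20.0.45", "DC01", "SMB", "svc_backup"),
    ("2024-01-12T02:20:05", "10.20.0.45", "FS02", "RDP", "svc_backup"),
    ("2024-01-12T02:25:00", "10.20.0.45", "DC01", "SMB", "svc_backup"),
    ("2024-01-12T09:05:00", "10.20.0.71", "FS02", "SMB", "alice"),
    ("2024-01-12T09:06:00", "10.20.0.71", "FS02", "HTTPS", "alice"),   # not an admin protocol
    ("2024-01-12T11:30:00", "10.20.0.45", "DC01", "RDP", "svc_backup"),  # outside the login window
    ("2024-01-12T15:00:00", "10.20.0.99", "DC01", "SSH", "bob"),         # no VPN session at all
    ("2024-01-12T03:00:00", "10.20.0.2", "DC01", "SSH", "-"),            # sourced from the appliance
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(sessions, events, window=timedelta(hours=1), fanout_threshold=2):
    """Return (findings, orphans).

    findings: one entry per VPN session that was followed, within `window`,
              by admin-protocol connections from the IP assigned to it.
    orphans:  admin-protocol events that no session explains, including
              connections sourced from the appliance itself.
    """
    findings, matched = [], set()
    for login, account, client_ip, remote_ip in sessions:
        t0 = _ts(login)
        hits = []
        for idx, (ts, src, dst, proto, acct) in enumerate(events):
            if src != client_ip or proto not in ADMIN_PROTOCOLS:
                continue
            if t0 <= _ts(ts) <= t0 + window:
                hits.append((_ts(ts), dst, proto, acct))
                matched.add(idx)
        if not hits:
            continue
        hosts = sorted({h[1] for h in hits})
        findings.append({
            "account": account,
            "client_ip": client_ip,
            "remote_source": remote_ip,
            "hosts": hosts,
            "protocols": sorted({h[2] for h in hits}),
            "seconds_to_first_admin_protocol": int((min(h[0] for h in hits) - t0).total_seconds()),
            # Fan-out to several hosts shortly after a VPN login is the pattern
            # worth escalating; a single host is routine and only gets a review flag.
            "severity": "high" if len(hosts) >= fanout_threshold else "review",
        })

    orphans = []
    for idx, (ts, src, dst, proto, acct) in enumerate(events):
        if idx in matched or proto not in ADMIN_PROTOCOLS:
            continue
        reason = ("appliance-originated" if src == APPLIANCE_INTERNAL_IP
                  else "no VPN session within window")
        orphans.append({"time": ts, "source": src, "host": dst,
                        "protocol": proto, "account": acct, "reason": reason})
    return findings, orphans


if __name__ == "__main__":
    found, unexplained = correlate(VPN_SESSIONS, LATERAL_EVENTS)
    for f in found:
        print(f"[{f['severity']}] {f['account']} via {f['remote_source']} -> {f['hosts']} ({f['protocols']})")
    for o in unexplained:
        print(f"[orphan] {o['time']} {o['source']} -> {o['host']} {o['protocol']}: {o['reason']}")
```

The orphan list is where the page's blind-spot warning bites: an admin-protocol connection with no VPN session behind it is either a logging gap or activity that bypassed the VPN entirely, and both deserve a ticket. Tune `window` and `fanout_threshold` against your own administrator baselines before alerting on the "high" bucket.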
Mitigation priorities
- Maintain a current inventory of externally exposed VPN and remote-access appliances, with ownership and emergency response contacts.
- Prioritize vulnerability management and emergency remediation for Ivanti Connect Secure and other internet-facing remote-access systems referenced by this campaign context.
- After suspected exposure, perform appliance integrity review and forensic validation before treating remediation as complete.
- Rotate or invalidate potentially exposed VPN credentials and sessions, and review privileged access paths tied to remote access.
- Restrict and monitor administrative protocols such as RDP, SMB/admin shares, and SSH, especially from VPN address ranges or appliance-originated connections.
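The third mitigation above (appliance integrity review before closing an incident), the file-integrity telemetry item, and the T1685 procedure in the techniques table (editing the built-in Integrity Checker's exclusion list) all point at the same control question: can a reviewer compare the appliance's components against an offline baseline without trusting anything on the box? The Python below is an added example, not this page's, MITRE's, or Ivanti's code. It hashes a constructed stand-in directory tree, diffs it against a baseline manifest, and reports changes under an excluded prefix in a separate bucket instead of dropping them, so a widened exclusion list cannot hide a modified CGI. The directory layout, file contents, and one-prefix-per-line exclusion-list format are assumptions and do not reflect real appliance paths or the vendor's checker format.

```python
"""Compare appliance web components against an offline baseline manifest.

Added example; the directory layout, file contents and exclusion-list format
are constructed stand-ins and do not reflect real Ivanti Connect Secure paths
or the vendor's integrity checker format.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed baseline tree: a few Perl/Python/JavaScript components plus the
# integrity checker's exclusion list (assumed to be one path prefix per line).
BASELINE_FILES = {
    "htdocs/auth/compcheckresult.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
    "htdocs/auth/querymanifest.cgi": b"#!/usr/bin/perl\nprint 'manifest';\n",
    "htdocs/auth/lastauthserverused.js": b"function remember(u) { return u; }\n",
    "python/visits.py": b"def record(visit):\n    return visit\n",
    "integrity/exclusions.txt": b"var/log/\n",
}
EXCLUSION_LIST = "integrity/exclusions.txt"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def parse_exclusions(data: bytes) -> list:
    return [line.strip() for line in data.decode().splitlines() if line.strip()]


def compare(baseline: dict, current: dict, exclusions: list) -> dict:
    """Diff two manifests. Changes under an excluded prefix are reported in a
    separate bucket rather than dropped, so an edited exclusion list cannot hide them."""
    report = {"modified": [], "added": [], "removed": [], "changed_under_exclusion": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            status = "removed"
        elif rel not in baseline:
            status = "added"
        elif baseline[rel] != current[rel]:
            status = "modified"
        else:
            continue
        if any(rel.startswith(prefix) for prefix in exclusions):
            report["changed_under_exclusion"].append((rel, status))
        else:
            report[status].append(rel)
    return report


def write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_scenario() -> dict:
    """Build the baseline, simulate tampering, and compare using both the
    baseline exclusion list and the (tampered) on-disk one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, BASELINE_FILES)
        baseline = build_manifest(root)

        # Simulated tampering: a modified CGI, a modified Python component, an
        # unexpected new file, and a widened exclusion list covering htdocs/auth/.
        (root / "htdocs/auth/compcheckresult.cgi").write_bytes(b"#!/usr/bin/perl\n# changed\nprint 'ok';\n")
        (root / "python/visits.py").write_bytes(b"def record(visit):\n    return visit  # changed\n")
        (root / "htdocs/auth/unexpected.cgi").write_bytes(b"#!/usr/bin/perl\nprint 'new';\n")
        (root / EXCLUSION_LIST).write_bytes(b"var/log/\nhtdocs/auth/\n")
        current = build_manifest(root)

        trusted = compare(baseline, current, parse_exclusions(BASELINE_FILES[EXCLUSION_LIST]))
        on_disk = compare(baseline, current, parse_exclusions((root / EXCLUSION_LIST).read_bytes()))
        return {
            "exclusion_list_tampered": baseline[EXCLUSION_LIST] != current[EXCLUSION_LIST],
            "with_baseline_exclusions": trusted,
            "with_on_disk_exclusions": on_disk,
        }


if __name__ == "__main__":
    result = run_scenario()
    print("exclusion list tampered:", result["exclusion_list_tampered"])
    for label in ("with_baseline_exclusions", "with_on_disk_exclusions"):
        print(label, result[label])
```

The design point is that the baseline manifest and the baseline exclusion list both come from outside the appliance (a vendor image or a hash set captured before exposure), and the on-disk exclusion list is itself just another file under comparison. Run against a real forensic image, the paths and the manifest source would change, but the rule that exclusions narrow alerting, never evidence, should not.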
Analyst notes and limits
The campaign object names suspected China-nexus espionage actors and multiple targeted sectors, and describes zero-day exploitation of Ivanti Connect Secure VPN appliances beginning as early as December 2023. This take uses those official fields and the supplied ATT&CK relationships to frame defensive validation. Local exposure, compromise, and detection coverage must be established from asset inventory, appliance evidence, identity logs, and endpoint/network telemetry.
MITRE does not provide campaign-level detection guidance, campaign platforms, or tactics for this object. Several defensive recommendations are inferred from the supplied software and technique relationships rather than from explicit campaign detection text. This summary does not establish current activity, customer exposure, or guaranteed detectability.
Cutting Edge
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1595.002 | Vulnerability Scanning | During Cutting Edge, threat actors used the publicly available Interactsh tool to identify Ivanti Connect Secure VPNs vulnerable to CVE-2024-21893. [5] |
| Enterprise | T1205 | Traffic Signaling | During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the `/tmp/clientsDownload.sock` socket. [5] |
| Enterprise | T1685 | Disable or Modify Tools | During Cutting Edge, threat actors disabled logging and modified the `compcheckresult.cgi` component to edit the Ivanti Connect Secure built-in Integrity Checker exclusion list to evade detection. [4][2] |
| Enterprise | T1070 | Indicator Removal | During Cutting Edge, threat actors cleared logs to remove traces of their activity and restored compromised systems to a clean state to bypass manufacturer mitigations for CVE-2023-46805 and CVE-2024-21887. [4][2] |
| Enterprise | T1003.001 | LSASS Memory | During Cutting Edge, threat actors used Task Manager to dump LSASS memory from Windows devices to disk. [2] |
| Enterprise | T1055 | Process Injection | During Cutting Edge, threat actors used malicious SparkGateway plugins to inject shared objects into web process memory on compromised Ivanti Connect Secure VPNs to enable deployment of backdoors. [5] |
| Enterprise | T1021.004 | SSH | During Cutting Edge, threat actors used SSH for lateral movement. [2] |
| Enterprise | T1070.004 | File Deletion | During Cutting Edge, threat actors deleted `/tmp/test1.txt` on compromised Ivanti Connect Secure VPNs, which was used to hold stolen configuration and cache files. [4][5] |
| Enterprise | T1059 | Command and Scripting Interpreter | During Cutting Edge, threat actors used Perl scripts to enable the deployment of the THINSPOOL shell script dropper and for enumerating host data. [4][1] |
| Enterprise | T1070.006 | Timestomp | During Cutting Edge, threat actors changed timestamps of multiple files on compromised Ivanti Connect Secure VPNs to conceal malicious activity. [4][5] |
| Enterprise | T1071.004 | DNS | During Cutting Edge, threat actors used DNS to tunnel IPv4 C2 traffic. [4] |
| Enterprise | T1554 | Compromise Host Software Binary | During Cutting Edge, threat actors trojanized legitimate files in Ivanti Connect Secure appliances with malicious code. [1][2][4] |
| Enterprise | T1021.001 | Remote Desktop Protocol | During Cutting Edge, threat actors used RDP with compromised credentials for lateral movement. [2] |
| Enterprise | T1095 | Non-Application Layer Protocol | During Cutting Edge, threat actors used the Unix socket and a reverse TCP shell for C2 communications. [5] |
| Enterprise | T1594 | Search Victim-Owned Websites | During Cutting Edge, threat actors performed reconnaissance of victims' internal websites via proxied connections. [2] |
| Enterprise | T1505.003 | Web Shell | During Cutting Edge, threat actors used multiple web shells to maintain presence on compromised Connect Secure appliances, such as WIREFIRE, GLASSTOKEN, BUSHWALK, LIGHTWIRE, and FRAMESTING. [1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | During Cutting Edge, threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs. [2] |
| Enterprise | T1003.003 | NTDS | During Cutting Edge, threat actors accessed and mounted virtual hard disk backups to extract ntds.dit. [2] |
| Enterprise | T1572 | Protocol Tunneling | During Cutting Edge, threat actors used Iodine to tunnel IPv4 traffic over DNS. [4] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Cutting Edge, threat actors exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN appliances to enable authentication bypass and command injection. A server-side request forgery (SSRF) vulnerability, CVE-2024-21893, was identified later and used to bypass mitigations for the initial two vulnerabilities by chaining with CVE-2024-21887. [1][2][3][4][5] |
| Enterprise | T1560.001 | Archive via Utility | During Cutting Edge, threat actors saved collected data to a tar archive. [4] |
| Enterprise | T1059.006 | Python | During Cutting Edge, threat actors used a Python reverse shell and the PySoxy SOCKS5 proxy tool. [2][5] |
| Enterprise | T1584.008 | Network Devices | During Cutting Edge, threat actors used compromised and out-of-support Cyberoam VPN appliances for C2. [1][3] |
| Enterprise | T1005 | Data from Local System | During Cutting Edge, threat actors stole the running configuration and cache data from targeted Ivanti Connect Secure VPNs. [2][4] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | During Cutting Edge, threat actors moved laterally using compromised credentials to connect to internal Windows systems with SMB. [2] |
| Enterprise | T1082 | System Information Discovery | During Cutting Edge, threat actors used the ENUM4LINUX Perl script for discovery on Windows and Samba hosts. [4] |
| Enterprise | T1056.003 | Web Portal Capture | During Cutting Edge, threat actors modified the JavaScript loaded by the Ivanti Connect Secure login page to capture credentials entered. [2] |
| Enterprise | T1078.002 | Domain Accounts | During Cutting Edge, threat actors used compromised VPN accounts for lateral movement on targeted networks. [2] |
| Enterprise | T1056.001 | Keylogging | During Cutting Edge, threat actors modified a JavaScript file on the Web SSL VPN component of Ivanti Connect Secure devices to keylog credentials. [2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | During Cutting Edge, threat actors used a Base64-encoded Python script to write a patched version of the Ivanti Connect Secure `dsls` binary. [4] |
| Enterprise | T1588.002 | Tool | During Cutting Edge, threat actors leveraged tools including Interactsh to identify vulnerable targets, PySoxy to simultaneously dispatch traffic between multiple endpoints, BusyBox to enable post-exploitation activities, and Kubo Injector to inject shared objects into process memory. [1][5] |
Groups, software, and campaigns
S1116: WARPWIRE
WARPWIRE is a JavaScript credential stealer that targets plaintext usernames and passwords for exfiltration; it was used during Cutting Edge against Ivanti Connect Secure VPNs.[1][2]
S1121: LITTLELAMB.WOOLTEA
LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[1]
S1123: PITSTOP
PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.[1]
S0488: CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
S1115: WIREFIRE
WIREFIRE is a web shell written in Python that exists as trojanized logic in the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.[1]
S1114: ZIPLINE
ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Ivanti Connect Secure VPNs for reverse shell and proxy functionality.[1]
S1118: BUSHWALK
BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.[1][2]
S1120: FRAMESTING
FRAMESTING is a Python web shell that was embedded into an Ivanti Connect Secure Python package during Cutting Edge for command execution.[1]
S0357: Impacket
S1117: GLASSTOKEN
GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Connect Secure VPNs.[1]
S1119: LIGHTWIRE
LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by embedding into the legitimate compcheckresult.cgi component of Ivanti Connect Secure VPNs.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ac1bce4d07c1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Cutting Edge January 2024: McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
[2] Volexity Ivanti Zero-Day Exploitation January 2024: Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
[3] Volexity Ivanti Global Exploitation January 2024: Gurkok, C. et al. (2024, January 15). Ivanti Connect Secure VPN Exploitation Goes Global. Retrieved February 27, 2024.
[4] Mandiant Cutting Edge Part 2 January 2024: Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
[5] Mandiant Cutting Edge Part 3 February 2024: Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
[6] mitre-attack C0029
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.