MITRE ATT&CK® Group

G1047: Velvet Ant

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.[1][2]

Domain: Enterprise | ID: G1047 | Type: Group | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Velvet Ant matters because the ATT&CK entry associates the group with complex persistence, targeting of network devices and appliances, and use of zero-day exploits. For leaders, the practical issue is not just endpoint malware: visibility and recovery often depend on whether load balancers, switches, remote access services, local accounts, and security tooling are inventoried, monitored, backed up, and included in incident response plans.

Executive priority

Prioritize this as a resilience and visibility problem across infrastructure, identity, and SOC readiness. Executives should ask whether critical network appliances and external remote services have owner accountability, patch and emergency mitigation processes, configuration integrity checks, privileged/local account controls, and evidence suitable for audit or post-incident review. Budget decisions should account for appliance logging, secure administration, segmentation, and IR capability, not only traditional workstation EDR.

Technical view

ATT&CK provides no official detection text and no group-level platforms or tactics, but the relationships show behaviors defenders can validate. Coverage should include network-device and Unix-like persistence via RC scripts, local account abuse, external remote services, network sniffing, file and connection discovery, internal proxying, application-layer C2, non-standard ports, encoded or encrypted C2, Windows lateral movement and execution through SMB admin shares, WMI, service execution, DLL abuse, process injection, PlugX, and Impacket-related activity. IR teams should also validate visibility for defense impairment: modification of security tools and host or network firewall rules.

Likely telemetry

  • Network appliance and switch/load balancer administrative logs, configuration change history, firmware/software version and patch state
  • Remote access service authentication logs, especially privileged and local account usage
  • Unix-like and network-device startup script/configuration monitoring, including rc.local or equivalent persistence locations where available
  • Firewall, IDS/IPS, EDR, logging-agent, and sensor health/configuration change events
  • Network flow, proxy, DNS, TLS, and packet-capture-derived metadata for application-layer C2, internal proxying, non-standard ports, and unusual encrypted or encoded traffic patterns

Detection direction

  • Start by confirming telemetry exists for network devices and appliances; these are a stated focus in the ATT&CK description and are often weaker logging zones than endpoints.
  • Baseline approved administrative access, configuration changes, firewall rule changes, and security-tool changes; alert on changes outside maintenance windows or from unexpected accounts/sources.
  • Tune detections for SMB admin share use, WMI execution, service execution, and lateral tool transfer, while accounting for legitimate systems administration and approved testing activity.
  • Monitor for Impacket-like protocol use and PlugX-related detections where available, but treat tool detections as context rather than attribution proof because both tools can be used by multiple actors.
  • Correlate local account use, external remote service access, discovery commands, network connection enumeration, and C2-like traffic rather than relying on any single indicator.
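The baseline-and-alert approach in the points above can be expressed as a small rule set over administrative and process-creation events. The following is an added example written for this page, not code from MITRE, Sygnia or the Glexia library: the maintenance window, approved administrator accounts, approved management source, sensitive file paths and the sample events are all constructed placeholders, and the field names assume a simple normalized event schema that you would map from your own SIEM. It flags configuration changes to startup scripts or appliance configs made by unapproved accounts, from unapproved sources, or outside the maintenance window, and flags `netsh` invocations that add an inbound allow rule for a high port, which matches the T1686 procedure described in the relationship table.

```python
"""Rule sketch: appliance/startup-script changes and inbound high-port firewall rules.

Added example; all policy values and events below are constructed, not taken
from the ATT&CK page or the Sygnia reports.
"""
import re
from datetime import datetime, time

# Constructed policy: who may change configs, from where, and when.
APPROVED_ADMINS = {"netops-svc", "jsmith"}
APPROVED_SOURCES = {"10.10.0.5"}                 # constructed jump host
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))   # 01:00-04:00 local time
SENSITIVE_PATHS = {"/etc/rc.local", "/config/bigip.conf"}

# Constructed sample events: appliance config audit records and Windows
# process-creation records, already normalized to a flat schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T02:15:00", "type": "config_change", "host": "lb-01",
     "user": "netops-svc", "src": "10.10.0.5", "path": "/config/bigip.conf"},
    {"ts": "2025-03-11T14:22:00", "type": "config_change", "host": "lb-01",
     "user": "admin", "src": "203.0.113.7", "path": "/etc/rc.local"},
    {"ts": "2025-03-11T14:30:00", "type": "process", "host": "ws-07",
     "user": "svc-backup", "image": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="svc" dir=in '
                'action=allow protocol=TCP localport=49731'},
    {"ts": "2025-03-11T14:31:00", "type": "process", "host": "ws-07",
     "user": "svc-backup", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},
]

# Inbound allow rule that names a local port; the port number is captured.
NETSH_ALLOW = re.compile(r"add rule .*action=allow.*localport=(\d+)", re.I)
HIGH_PORT = 49152  # start of the dynamic/ephemeral range


def in_window(ts: str) -> bool:
    """True if the ISO timestamp falls inside the maintenance window."""
    t = datetime.fromisoformat(ts).time()
    start, end = MAINTENANCE_WINDOW
    return start <= t <= end


def evaluate(events):
    """Return (host, finding_type, subject, reasons) tuples for suspicious events."""
    findings = []
    for e in events:
        if e["type"] == "config_change":
            reasons = []
            if e["user"] not in APPROVED_ADMINS:
                reasons.append("unapproved account")
            if e["src"] not in APPROVED_SOURCES:
                reasons.append("unapproved source")
            if not in_window(e["ts"]):
                reasons.append("outside maintenance window")
            if reasons:
                severity = "sensitive path" if e["path"] in SENSITIVE_PATHS else "path"
                findings.append((e["host"], "config_change", e["path"],
                                 reasons + [severity]))
        elif e["type"] == "process" and e["image"].lower() == "netsh.exe":
            m = NETSH_ALLOW.search(e["cmdline"])
            if m and int(m.group(1)) >= HIGH_PORT:
                findings.append((e["host"], "firewall_rule", m.group(1),
                                 ["inbound allow rule on high port"]))
    return findings


if __name__ == "__main__":
    for host, kind, subject, reasons in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {kind} {subject} ({', '.join(reasons)})")
```

Run against the constructed events, the approved in-window change on `lb-01` is silent, the out-of-window `/etc/rc.local` change from an unapproved account and source is reported, and only the `netsh` call that adds an inbound allow rule on a high port is reported; the read-only `netsh interface show interface` call is not. In production, the maintenance window and approved sets would come from a change-management system rather than constants.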

Mitigation priorities

  • Maintain an authoritative inventory of internet-facing remote services, network devices, appliances, and management interfaces, with accountable owners.
  • Sequence patching and emergency mitigation for appliances and network devices, including processes for zero-day advisories and compensating controls when patches are not immediately available.
  • Restrict and monitor administrative access to appliances, switches, servers, and remote services; reduce local account exposure and enforce strong privileged-access practices.
  • Back up and integrity-check critical device configurations, startup scripts, firewall policies, and security-tool configurations so unauthorized persistence or impairment can be identified and reversed.
  • Segment management networks and limit east-west administrative protocols such as SMB, WMI, and service-control paths to approved sources.
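The fourth priority above (back up and integrity-check device configurations, startup scripts, firewall policies and security-tool configurations) comes down to keeping a known-good fingerprint of each critical file and diffing against it. The following is an added example written for this page, not code from the ATT&CK entry, Sygnia or any vendor tool; the file paths and contents are constructed in memory so it runs offline. On a real appliance the baseline would be taken from a trusted backup and the current set read through the device's supported configuration export.

```python
"""Configuration integrity baseline check.

Added example with constructed file contents; not taken from the page.
"""
import hashlib


def fingerprint(content: bytes) -> str:
    """SHA-256 hex digest of one file's contents."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map path -> sha256 for a snapshot of files (path -> bytes)."""
    return {path: fingerprint(data) for path, data in files.items()}


def compare(baseline: dict, current_files: dict) -> dict:
    """Report paths added, removed, or changed relative to the baseline."""
    current = build_baseline(current_files)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


# Constructed known-good snapshot covering the file classes the page names:
# a startup script, a firewall policy and a security-tool configuration.
KNOWN_GOOD = {
    "/etc/rc.local": b"#!/bin/sh\nexit 0\n",
    "/config/firewall.rules": b"allow tcp 10.10.0.0/24 -> any 443\ndeny all\n",
    "/etc/edr/agent.conf": b"enabled=true\n",
}

# Constructed later snapshot: startup script gained an extra command,
# an unknown file appeared, and the EDR configuration is gone.
LATER = {
    "/etc/rc.local": b"#!/bin/sh\n/var/tmp/unknown_binary &\nexit 0\n",
    "/config/firewall.rules": b"allow tcp 10.10.0.0/24 -> any 443\ndeny all\n",
    "/opt/tools/helper.so": b"\x7fELF(constructed)",
}


def check() -> dict:
    """Diff the constructed later snapshot against the known-good baseline."""
    return compare(build_baseline(KNOWN_GOOD), LATER)


if __name__ == "__main__":
    for kind, paths in check().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Each of the three result classes maps to a response action: a modified startup script or an added unknown file is a persistence candidate to investigate and revert from backup, and a removed or changed security-tool configuration is a defense-impairment candidate. Storing the baseline hashes off the device matters, since an actor with administrative access to the appliance could otherwise alter both the file and its recorded fingerprint.
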

Analyst notes and limits

This take is based on the official ATT&CK group description, external reference metadata, and the listed uses relationships. The relationship set is especially important: it expands defensive validation from appliances into identity, Windows lateral movement, Unix-like persistence, C2, discovery, and defense-impairment behaviors. The Sygnia reference titles specifically mention F5 load balancers and Cisco Nexus switch devices, but the guidance above avoids assuming exposure to any specific vendor environment.

ATT&CK does not provide official detection guidance, group-level platforms, or group-level tactics for this object. Local relevance depends on the organization’s actual appliance estate, remote access architecture, logging maturity, and compensating controls. The listed tools and techniques do not prove Velvet Ant activity by themselves and should not be used for attribution without additional evidence.

Official MITRE ATT&CK definition

Velvet Ant

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.[1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

22 rows
Domain | ID | Name | Relationship / procedure

Enterprise | T1090.001 | Internal Proxy (sub-technique)
Velvet Ant has tunneled traffic from victims through an internal, compromised host to proxy communications to command and control nodes. [1]

Enterprise | T1574.001 | DLL (sub-technique)
Velvet Ant has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX. [1]

Enterprise | T1132 | Data Encoding
Velvet Ant sent commands to compromised F5 BIG-IP devices in an encoded format requiring a passkey before interpretation and execution. [1]

Enterprise | T1047 | Windows Management Instrumentation
Velvet Ant used the `wmiexec.py` tool within Impacket for remote process execution via WMI. [1]

Enterprise | T1059.004 | Unix Shell (sub-technique)
Velvet Ant used a custom tool, VELVETSTING, to parse encoded inbound commands to compromised F5 BIG-IP devices and then execute them via the Unix shell. [1]

Enterprise | T1571 | Non-Standard Port
Velvet Ant has used random high number ports for PlugX listeners on victim devices. [1]

Enterprise | T1133 | External Remote Services
Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments. [1]

Enterprise | T1570 | Lateral Tool Transfer
Velvet Ant transferred files laterally within victim networks through the Impacket toolkit. [1]

Enterprise | T1040 | Network Sniffing
Velvet Ant has used a custom tool, "VELVETTAP", to perform packet capture from compromised F5 BIG-IP devices. [1]

Enterprise | T1083 | File and Directory Discovery
Velvet Ant has enumerated local files and folders on victim devices. [1]

Enterprise | T1686 | Disable or Modify System Firewall
Velvet Ant modified system firewall settings during PlugX installation using `netsh.exe` to open a listening, random high number port on victim devices. [1]

Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique)
Velvet Ant has used a reverse SSH shell to securely communicate with victim devices. [1]

Enterprise | T1569.002 | Service Execution (sub-technique)
Velvet Ant executed and installed PlugX as a Windows service. [1]

Enterprise | T1049 | System Network Connections Discovery
Velvet Ant has enumerated existing network connections on victim devices. [1]

Enterprise | T1037.004 | RC Scripts (sub-technique)
Velvet Ant used a modified `/etc/rc.local` file on compromised F5 BIG-IP devices to maintain persistence. [1]

Enterprise | T1685 | Disable or Modify Tools
Velvet Ant attempted to disable local security tools and endpoint detection and response (EDR) software during operations. [1]

Enterprise | T1055 | Process Injection
Velvet Ant initial execution included launching multiple `svchost` processes and injecting code into them. [1]

Enterprise | T1071 | Application Layer Protocol
Velvet Ant has used reverse SSH tunnels to communicate to victim devices. [1]

Enterprise | T1211 | Exploitation for Stealth
Velvet Ant exploited CVE-2024-20399 in Cisco switches to which the threat actor was already able to authenticate, in order to escape the NX-OS command line interface and gain access to the underlying operating system for arbitrary command execution. [2]

Enterprise | T1078.003 | Local Accounts (sub-technique)
Velvet Ant accessed vulnerable Cisco switch devices using accounts with administrator privileges. [2]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
Velvet Ant used a malicious DLL, `iviewers.dll`, that mimics the legitimate "OLE/COM Object Viewer" within Windows. [1]

Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique)
Velvet Ant has transferred tools within victim environments using SMB. [1]
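Several rows above (T1090.001 Internal Proxy, T1571 Non-Standard Port, and the reverse-tunnel rows under T1071 and T1573.002) describe traffic shapes rather than host artifacts, so they are best validated from network flow metadata, which the "Likely telemetry" section lists. The following is an added example written for this page, not code from MITRE, Sygnia or the Glexia library: the internal address range, the common-egress port list, the fan-in threshold and the flow records are all constructed placeholders. It looks for an internal host that receives connections from several other internal hosts on one port and itself holds an outbound connection to an external address on a port outside the normal egress set, which is the combination an internal proxy with a non-standard C2 port would produce.

```python
"""Flow-record heuristic for internal proxying over a non-standard port.

Added example; network ranges, thresholds and flow records are constructed.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed site range
COMMON_EGRESS_PORTS = {80, 443, 53}                     # constructed allowlist
MIN_FAN_IN = 3   # distinct internal sources needed before a host is a candidate


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records: (source, destination, destination port, bytes).
# 10.1.2.50 is contacted by three peers on a high port and talks out on 8443;
# 10.1.2.60 is a normal file server talking out on 443.
FLOWS = [
    ("10.1.1.10", "10.1.2.50", 49731, 20000),
    ("10.1.1.11", "10.1.2.50", 49731, 18000),
    ("10.1.1.12", "10.1.2.50", 49731, 22000),
    ("10.1.2.50", "198.51.100.20", 8443, 90000),
    ("10.1.1.10", "10.1.2.60", 445, 5000),
    ("10.1.2.60", "203.0.113.9", 443, 4000),
]


def find_proxy_candidates(flows):
    """Return internal hosts with high fan-in on a port plus odd external egress."""
    fan_in = defaultdict(set)   # (internal host, dport) -> internal sources
    egress = defaultdict(set)   # internal host -> (external dst, dport)
    for src, dst, dport, _ in flows:
        if is_internal(src) and is_internal(dst):
            fan_in[(dst, dport)].add(src)
        elif is_internal(src) and not is_internal(dst):
            egress[src].add((dst, dport))

    candidates = []
    for (host, dport), sources in fan_in.items():
        odd_egress = {(d, p) for d, p in egress.get(host, ())
                      if p not in COMMON_EGRESS_PORTS}
        if len(sources) >= MIN_FAN_IN and odd_egress:
            candidates.append({
                "host": host,
                "listen_port": dport,
                "sources": sorted(sources),
                "egress": sorted(odd_egress),
            })
    return candidates


if __name__ == "__main__":
    for c in find_proxy_candidates(FLOWS):
        print(f"{c['host']}:{c['listen_port']} fan-in={len(c['sources'])} "
              f"egress={c['egress']}")
```

Against the constructed flows only `10.1.2.50` is reported. The file server on port 445 has a single internal peer and egresses on 443, so it falls below both conditions. The two conditions are deliberately combined: fan-in alone matches every internal service, and odd egress alone matches every developer workstation, so the output is a triage list to correlate with the host-side signals above, not an alert in itself.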

Associated objects

Groups, software, and campaigns

Tool (Enterprise)

S0357: Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

Platforms: Linux, macOS, Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4e548399b7193b1f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 4e548399b719…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Sygnia VelvetAnt 2024A: Sygnia Team. (2024, June 3). China-Nexus Threat Group 'Velvet Ant' Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  [2] Sygnia VelvetAnt 2024B: Sygnia Team. (2024, July 1). China-Nexus Threat Group 'Velvet Ant' Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices - Advisory for Mitigation and Response. Retrieved March 14, 2025.
  [3] mitre-attack G1047

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.