S1114: ZIPLINE
ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality.[1]
Analyst context for executives and security teams
ZIPLINE matters because ATT&CK documents it as a passive backdoor on compromised VPN/network devices, with reverse shell and proxy functionality. For leaders, the key risk is not just malware on an endpoint; it is loss of trust in an edge access appliance that may sit in front of critical identity, remote access, and internal routing paths.
Executive priority
Prioritize validation of VPN and network-device monitoring, incident response procedures for edge appliances, and evidence that remote-access infrastructure can be investigated, isolated, and rebuilt if compromised. Because ZIPLINE is tied to the Cutting Edge campaign and to compromised Ivanti Connect Secure (formerly Pulse Secure) VPN appliances, this object is especially relevant to resilience planning around internet-facing access infrastructure and to vulnerability response for network appliances.
Technical view
SOC and IR teams should treat ZIPLINE as network-device malware associated with command-and-control, stealth/persistence, discovery, execution, tool transfer, proxying, encrypted communications, and defense impairment behaviors through its ATT&CK technique relationships. Validation should focus on whether teams can observe Unix shell execution, process discovery, file and directory discovery, proxy behavior, non-application-layer or tunneled communications, ingress tool transfer, traffic signaling patterns, symmetric-encrypted C2-like traffic, and attempts to disable or modify defensive tools on supported network-device/Linux-like environments.
Likely telemetry
- VPN and network appliance system logs
- Administrative access and authentication logs for remote-access infrastructure
- Process and command execution evidence where available on appliances
- File system change and directory enumeration evidence where available
- Network flow, proxy, tunnel, and session metadata
Detection direction
- Confirm whether network devices and VPN appliances actually produce and retain sufficient logs for shell execution, process discovery, file discovery, file transfer, and configuration changes; many edge appliances have weaker telemetry than servers.
- Baseline expected VPN appliance traffic and investigate unusual proxying, traffic redirection, non-application-layer communications, or encrypted sessions inconsistent with normal appliance behavior.
- Tune detections around traffic signaling carefully, because ATT&CK describes trigger-based behavior that may not appear as a continuously open service.
- Correlate network telemetry with appliance administrative activity and file/configuration changes rather than relying on a single indicator or endpoint-style alert.
- Look for visibility gaps caused by disabled, modified, or missing security tools, logs, or sensors, consistent with the related Disable or Modify Tools technique.
Mitigation priorities
- Inventory and risk-rank internet-facing VPN and network appliances, especially remote-access infrastructure.
- Ensure vulnerability management and emergency patch procedures cover network appliances, not only endpoint and server operating systems.
- Harden administrative access, configuration management, and logging for VPN appliances and related network devices.
- Centralize and retain appliance logs and network telemetry so responders can reconstruct shell, proxy, file-transfer, and C2-like activity.
- Prepare incident response playbooks for compromised edge devices, including isolation, credential review, configuration validation, and trusted rebuild where appropriate.
Analyst notes and limits
ATT&CK provides no official detection text for ZIPLINE, so detection guidance is derived from the official description, platform field, external reference, and listed technique relationships. The most important defensive question is whether the organization has appliance-level and network-level evidence adequate to investigate a passive backdoor on remote-access infrastructure.
This take does not assert current activity, local exposure, attribution, or guaranteed detectability. The supplied object is limited to Network Devices and relationship context; local appliance models, configurations, logging capabilities, vulnerabilities, and network baselines are required for precise detection and response planning.
ZIPLINE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090 | Proxy | ZIPLINE can create a proxy server on compromised hosts. (Citation: Mandiant Cutting Edge January 2024) (Citation: Mandiant Cutting Edge Part 2 January 2024) |
| Enterprise | T1057 | Process Discovery | ZIPLINE can identify running processes and their names. (Citation: Mandiant Cutting Edge January 2024) |
| Enterprise | T1205 | Traffic Signaling | ZIPLINE can identify a specific string in intercepted network traffic, `SSH-2.0-OpenSSH_0.3xx.`, to trigger its command functionality. (Citation: Mandiant Cutting Edge January 2024) |
| Enterprise | T1095 | Non-Application Layer Protocol | ZIPLINE can communicate with C2 using a custom binary protocol. (Citation: Mandiant Cutting Edge Part 2 January 2024) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | ZIPLINE can use AES-128-CBC to encrypt data for both upload and download. (Citation: Mandiant Cutting Edge Part 2 January 2024) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | ZIPLINE can use `/bin/sh` to create a reverse shell and execute commands. (Citation: Mandiant Cutting Edge January 2024) |
| Enterprise | T1083 | File and Directory Discovery | ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands. (Citation: Mandiant Cutting Edge January 2024) |
| Enterprise | T1105 | Ingress Tool Transfer | ZIPLINE can download files to be saved on the compromised system. (Citation: Mandiant Cutting Edge January 2024) (Citation: Mandiant Cutting Edge Part 2 January 2024) |
| Enterprise | T1685 | Disable or Modify Tools | ZIPLINE can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool if the `--exclude` parameter is passed by the `tar` process. (Citation: Mandiant Cutting Edge January 2024) |
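The T1205 row above and the traffic-signaling bullet under Detection direction both point at the same hunting opportunity: ZIPLINE has no listener of its own, so the only network-visible precondition for its command channel is the trigger literal arriving on a port the appliance already serves. The script below is an added example written for this page; it is not code from MITRE, Mandiant, or the Glexia mirror. It checks client-to-appliance TCP payloads for the documented literal and, as a weaker secondary signal, for any SSH client banner claiming an OpenSSH 0.x version (OpenSSH has never shipped a 0.x release, so such a banner is either a probe or a near-miss variant). The sample records, addresses, and ports are constructed, and the `Finding` type and function names are this example's own.

```python
"""Hunt for the ZIPLINE traffic-signaling trigger in captured TCP payloads.

Added example for this page, not code from MITRE, Mandiant, or the mirror.
Input is an iterable of (src, dst, dport, payload) tuples such as a pcap
parser or flow collector with payload capture could produce.
"""
import re
from dataclasses import dataclass

# Literal documented in the T1205 relationship text.
ZIPLINE_TRIGGER = b"SSH-2.0-OpenSSH_0.3xx."

# RFC 4253 identification line: "SSH-2.0-softwareversion [SP comments]" CR LF.
_BANNER_RE = re.compile(rb"SSH-2\.0-([^\s\r\n]+)")
# Secondary signal: a banner that claims OpenSSH but with a 0.x version.
_OPENSSH_0X_RE = re.compile(rb"^OpenSSH_0\.")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str   # "trigger_string" (strong) or "suspicious_banner" (weak)
    banner: str


def inspect_payload(src: str, dst: str, dport: int, payload: bytes):
    """Return the list of Findings for one client->appliance TCP payload."""
    findings = []
    if ZIPLINE_TRIGGER in payload:
        findings.append(Finding(src, dst, dport, "trigger_string",
                                ZIPLINE_TRIGGER.decode()))
        return findings   # strongest signal; the weaker one would be redundant
    m = _BANNER_RE.search(payload)
    if m and _OPENSSH_0X_RE.match(m.group(1)):
        findings.append(Finding(src, dst, dport, "suspicious_banner",
                                m.group(0).decode(errors="replace")))
    return findings


def hunt(records):
    """records: iterable of (src, dst, dport, payload). Returns all Findings."""
    out = []
    for src, dst, dport, payload in records:
        out.extend(inspect_payload(src, dst, dport, payload))
    return out


# Constructed sample payloads (hypothetical addresses, not real captures).
SAMPLE_RECORDS = [
    # Benign OpenSSH client banner.
    ("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n"),
    # Benign non-OpenSSH client; 0.78 is a real PuTTY version, must not fire.
    ("10.0.0.6", "203.0.113.10", 22, b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    # Ordinary TLS ClientHello bytes on the VPN port (no SSH banner).
    ("10.0.0.7", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # Trigger literal on the HTTPS port: ZIPLINE is passive, so the trigger can
    # arrive on any port the appliance already listens on, not only 22.
    ("198.51.100.23", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_0.3xx.\r\n\x00\x01\x02"),
    # Near miss: same bogus 0.x family but not the exact literal.
    ("198.51.100.24", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_0.31\r\n"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f.reason:18} {f.src} -> {f.dst}:{f.dport}  {f.banner!r}")
```

Run against the constructed records, only the two 198.51.100.x entries produce findings; the real OpenSSH and PuTTY banners and the TLS bytes do not. Correlate a `trigger_string` hit with the appliance's own logs and any subsequent outbound connection from the appliance, since the documented behaviour after the trigger is a `/bin/sh` reverse shell or proxy session rather than a new listening port.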
Groups, software, and campaigns
C0029: Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When multiple ATT&CK source imports are retained, the same object can be compared across releases by object version, MITRE modification timestamp, and raw object hash. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 28bd9e681f43… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Cutting Edge January 2024. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
[2] mitre-attack S1114. MITRE ATT&CK source record for S1114.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.