S1115: WIREFIRE
WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.[1]
Analyst context for executives and security teams
WIREFIRE matters because it is malware placed inside an internet-facing VPN appliance component, not a normal endpoint program. In ATT&CK, it is a Python web shell trojanized into the visits.py component of Ivanti Connect Secure VPN appliances and used for file download and command execution. For leaders, the key issue is whether edge remote-access infrastructure is monitored and forensically verifiable enough to prove it has not been modified.
Executive priority
Treat this as an edge-appliance resilience and assurance problem. VPN appliances often sit in front of identity, remote access, and sensitive internal services; if their software components are modified, normal endpoint controls may not see the activity. Priorities should include evidence that Ivanti Connect Secure appliances are inventoried, maintained, integrity-checked, logged, and included in incident response procedures, especially where audit or customer assurance depends on proving secure remote access operations.
Technical view
SOC and IR teams should validate coverage around Network Devices, specifically Ivanti Connect Secure appliance web components. The relationship context ties WIREFIRE to Web Shell persistence, compromised host software binaries, web-protocol command and control, ingress tool transfer, standard encoding, decoding/deobfuscation, and symmetric cryptography. Practical validation should focus on detecting unexpected changes to visits.py or related appliance components, abnormal web requests to appliance paths, command execution or file-download behavior from the appliance, and unusual outbound HTTP/S-like traffic that may be encoded or encrypted.
Likely telemetry
- Ivanti Connect Secure appliance web access logs and administrative logs
- File integrity or forensic comparison data for appliance components such as visits.py
- Network egress telemetry from VPN appliances, especially HTTP/S or other web-protocol traffic
- Evidence of file downloads or tool transfer involving the appliance
- Process, command execution, or appliance diagnostic logs where available
Detection direction
- Do not rely only on endpoint EDR; confirm whether VPN appliances generate logs and whether those logs are centrally retained.
- Compare appliance web components against trusted baselines to identify trojanized logic or unexpected modifications.
- Hunt for anomalous web-protocol traffic from the appliance, while accounting for legitimate VPN and update traffic as a false-positive source.
- Look for evidence consistent with web shell behavior: unusual requests to server-side components, command execution, and file download activity.
- Consider that standard encoding, deobfuscation, and symmetric cryptography relationships may reduce content-based detection value; prioritize metadata, integrity, and behavioral signals.
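One way to operationalize two of the checks above (baseline comparison of an appliance component such as visits.py, and triage of `POST` requests to the endpoint named in the technique table), as an added Python example that is not part of the mirrored page or of ATT&CK; the log lines, the access-log format, and the clean-file baseline are constructed stand-ins.

```python
import hashlib
import re

# Constructed sample lines in a generic web-access-log shape (client, timestamp,
# request, status, bytes); they are not real Ivanti Connect Secure logs.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2024:10:01:02 +0000] "GET /healthz HTTP/1.1" 200 5123
198.51.100.7 - - [12/Jan/2024:10:01:09 +0000] "POST /api/v1/cav/client/visits HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jan/2024:10:01:31 +0000] "POST /api/v1/cav/client/visits HTTP/1.1" 200 96
203.0.113.10 - - [12/Jan/2024:10:02:00 +0000] "GET /api/v1/cav/client/visits HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Endpoint named in the T1071.001 relationship on this page.
WATCHED_PATH = "/api/v1/cav/client/visits"


def suspicious_visits_posts(log_text, min_hits=2):
    """Return {client_ip: count} for clients that POSTed to WATCHED_PATH at
    least min_hits times. The endpoint also serves legitimate clients, so the
    result is a triage queue, not a verdict."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == WATCHED_PATH:
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


# Constructed stand-in for a trusted copy of visits.py; a real baseline is the
# hash of the vendor-supplied file for the exact appliance version in use.
CLEAN_VISITS_PY = b"def visits():\n    return []\n"
BASELINE_SHA256 = hashlib.sha256(CLEAN_VISITS_PY).hexdigest()


def component_matches_baseline(component_bytes, expected_sha256):
    """Compare the SHA-256 of an exported appliance component with its baseline.
    Returns (matches, observed_digest) so the digest is recorded either way."""
    digest = hashlib.sha256(component_bytes).hexdigest()
    return digest == expected_sha256, digest


if __name__ == "__main__":
    print(suspicious_visits_posts(SAMPLE_LOG))
    print(component_matches_baseline(CLEAN_VISITS_PY + b"import os\n", BASELINE_SHA256))
```

Run the integrity check against a forensic export of the component rather than on the live appliance, and tune `min_hits` against the appliance's normal client traffic before alerting on it.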
Mitigation priorities
- Maintain a complete inventory of internet-facing VPN appliances and confirm they are in scope for monitoring, backup, and incident response.
- Prioritize vendor-supported remediation and lifecycle management for Ivanti Connect Secure appliances based on local exposure and business criticality.
- Implement integrity validation for appliance software components and retain clean baselines for comparison.
- Restrict unnecessary administrative and network exposure for remote-access infrastructure.
- Control and monitor outbound connectivity from VPN appliances where operationally feasible.
Analyst notes and limits
The strongest decision point is whether the organization can verify the integrity and behavior of network edge appliances. WIREFIRE’s relevance is amplified by its placement in a VPN appliance component and by ATT&CK relationships showing persistence, command execution support, file transfer, and web-protocol C2 patterns.
ATT&CK provides no official detection text, no aliases, no hashes or indicators, and no direct mitigation guidance for this object. The object lists Network Devices as the platform and does not specify tactics directly; tactic context is inferred only from related techniques. Local appliance version, configuration, logs, and forensic evidence are required to determine actual risk or compromise.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP `POST` requests.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | WIREFIRE is a web shell that can download files to and execute arbitrary commands from compromised Ivanti Connect Secure VPNs.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | WIREFIRE has the ability to download files to compromised devices.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | WIREFIRE can Base64 encode process output sent to C2.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | WIREFIRE can AES encrypt process output sent from compromised devices to C2.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | WIREFIRE can respond to specific HTTP `POST` requests to `/api/v1/cav/client/visits`.[1][3] |
| Enterprise | T1554 | Compromise Host Software Binary | WIREFIRE can modify the `visits.py` component of Ivanti Connect Secure VPNs for file download and arbitrary command execution.[1][3] |
Groups, software, and campaigns
C0029: Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 43d471242930… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant Cutting Edge January 2024: McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
- [2] GIFTEDVISITOR (Citation: Volexity Ivanti Zero-Day Exploitation January 2024)
- [3] Volexity Ivanti Zero-Day Exploitation January 2024: Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
- [4] mitre-attack S1115
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.