
S1116: WARPWIRE

WARPWIRE is a JavaScript credential stealer that targets plaintext passwords and usernames for exfiltration; it was used during Cutting Edge to target Ivanti Connect Secure VPNs.[1][2]

Domain: Enterprise | ID: S1116 | Type: Malware | Object version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

WARPWIRE matters because it targets the login path of a VPN appliance: it is described as JavaScript malware that steals plaintext usernames and passwords from Ivanti Connect Secure VPNs. For leaders, the key risk is not just malware on a network device; it is loss of trust in a remote-access front door, where stolen credentials can undermine incident containment, identity assurance, and business continuity.

Executive priority

Prioritize WARPWIRE as an edge-device and identity risk. The ATT&CK relationships connect it to web portal credential capture, JavaScript execution, persistence through host software modification, encoded communications, and exfiltration over unencrypted non-C2 protocols. Security leaders should ask whether VPN appliances are covered by asset ownership, logging, integrity monitoring, incident response playbooks, credential reset procedures, and evidence collection suitable for audit or post-incident review.

Technical view

SOC and IR teams should validate visibility around Network Devices, especially externally facing VPN portals. ATT&CK does not provide an official detection section for WARPWIRE, so coverage should be built from the related behaviors: unexpected JavaScript or portal content changes, modified host software components, credential capture indicators in web portal flows, encoded outbound data, and unencrypted outbound transfer paths. Because WARPWIRE is tied to Cutting Edge and Ivanti Connect Secure targeting in the supplied description, responders should treat suspicious VPN appliance changes as both an edge compromise and an identity compromise until local evidence proves otherwise.

Likely telemetry

  • VPN appliance configuration and integrity data
  • Web portal files, JavaScript content, and change history
  • Authentication logs for VPN user login attempts
  • Network egress logs from VPN appliances
  • HTTP, FTP, DNS, or other unencrypted protocol metadata where collected

Detection direction

  • Baseline expected VPN portal content and alert on unauthorized JavaScript or login page modifications.
  • Review outbound traffic from VPN appliances for unusual destinations, unencrypted exfiltration paths, or encoded payload patterns, while accounting for normal appliance update and telemetry behavior.
  • Correlate suspicious portal changes with authentication events, especially successful logins following possible credential capture windows.
  • Validate whether network devices are actually represented in SIEM, EDR-adjacent logging, NDR, vulnerability management, and IR collection workflows; many environments have blind spots on appliances.
  • Tune carefully because standard encoding and JavaScript are common in legitimate web applications; focus on unexpected placement, timing, destination, and appliance integrity changes.
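The first two detection directions above (baselining portal content, and reviewing egress for encoded data on unencrypted paths), implemented as an added example in Python. This code is written for this page; it is not from the ATT&CK object, the Mandiant reports, or Glexia tooling. Every file path, file body, hash, hostname, address and log line is constructed, and the log-line layout (timestamp, source IP, method, URL, status) is an assumption rather than any appliance's real format.

```python
# Added example (not from the ATT&CK object or from Glexia): two of the
# detection directions above as self-contained checks.
#  1. portal_integrity_diff(): compare VPN portal web files against a trusted
#     baseline of SHA-256 hashes (unauthorized JavaScript / T1554 changes).
#  2. find_encoded_credential_posts(): scan appliance egress HTTP logs for
#     GET/POST parameters that are Base64 (what btoa() produces) and decode to
#     credential-like key=value text (T1132.001 encoding, T1048.003 transport).
# Every path, file body, hash, host, address and log line below is constructed.
import base64
import binascii
import hashlib
import re
from urllib.parse import unquote, urlsplit


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: hashes of the vendor-shipped portal files.
BASELINE = {
    "portal/login.js": sha256_hex(b"function submitLogin(f){return true;}\n"),
    "portal/style.css": sha256_hex(b"body{margin:0}\n"),
}

# Constructed current state of the same web root: login.js has been altered
# and an extra script has appeared (the pattern the T1554 relationship names).
PORTAL_FILES = {
    "portal/login.js": b"function submitLogin(f){copyForm(f);return true;}\n",
    "portal/style.css": b"body{margin:0}\n",
    "portal/extra.js": b"var a=1;\n",
}


def portal_integrity_diff(current: dict, baseline: dict) -> dict:
    """Classify each path as modified (hash differs), unexpected (absent from
    the baseline) or missing (baseline file gone). On a change-controlled
    appliance any non-empty list is an alert condition."""
    modified = sorted(p for p, body in current.items()
                      if p in baseline and sha256_hex(body) != baseline[p])
    unexpected = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


# Field names that mark a decoded blob as carrying a credential pair.
CRED_KEY = re.compile(r"^(user(name)?|login|pass(word|wd)?|pwd)$", re.I)


def decode_b64_text(value: str):
    """Strict Base64 decode to printable ASCII, else None. btoa() output is
    canonical (alphabet-only, padded, length % 4 == 0), so strict decoding
    rejects ordinary query values such as version strings or short tokens."""
    if len(value) < 16 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad alphabet/padding or non-ASCII
        return None
    return text if text.isprintable() else None


def query_pairs(query: str):
    """Split a query string without '+'-to-space conversion: raw Base64 in a
    URL may legitimately contain '+', which parse_qsl would mangle."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        yield name, value


def find_encoded_credential_posts(lines):
    """Constructed log layout: <timestamp> <src-ip> <method> <url> <status>.
    Returns one finding per GET/POST parameter whose decoded value carries a
    credential field name. The secret itself is never copied into the finding;
    only the field names are reported."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] not in ("GET", "POST"):
            continue
        ts, src, method, url = parts[:4]
        u = urlsplit(url)
        for name, value in query_pairs(u.query):
            text = decode_b64_text(unquote(value))
            if text is None:
                continue
            fields = sorted({k for k, _ in query_pairs(text) if CRED_KEY.match(k)})
            if fields:
                findings.append({
                    "ts": ts, "src": src, "method": method, "dest": u.hostname,
                    "param": name, "fields": fields,
                    "unencrypted": u.scheme == "http",  # T1048.003 transport
                })
    return findings


# Constructed egress log. ENCODED mimics btoa("user=...&pass=...") output;
# SESSION is benign Base64 that must not be flagged.
ENCODED = base64.b64encode(b"user=jsmith&pass=Hunter2!").decode()
SESSION = base64.b64encode(b"session-id-9f3a2c").decode()
LOG_LINES = [
    "2024-01-15T10:01:02Z 10.0.0.5 GET http://updates.example.test/check?v=22.3 200",
    f"2024-01-15T10:01:09Z 10.0.0.5 POST http://198.51.100.7/x?d={ENCODED} 200",
    f"2024-01-15T10:01:15Z 10.0.0.5 GET http://10.0.0.9/api?token={SESSION} 200",
]

if __name__ == "__main__":
    print(portal_integrity_diff(PORTAL_FILES, BASELINE))
    for finding in find_encoded_credential_posts(LOG_LINES):
        print(finding)
```

Running the block reports `portal/login.js` as modified and `portal/extra.js` as unexpected, and a single finding for the POST to 198.51.100.7 carrying `pass` and `user` fields over plain HTTP; the version string and the session token produce nothing. To use it against real data, replace the constructed dictionaries with a walk of the appliance's exported web root and feed the parser from your proxy or NDR HTTP metadata, keeping the finding format secret-free so alerts can be shared with identity responders.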

Mitigation priorities

  • Establish clear ownership and patch/configuration governance for externally facing VPN appliances.
  • Maintain vendor-supported integrity checks or trusted baselines for VPN portal files and host software components.
  • Limit and monitor administrative access to VPN appliances, including change control evidence.
  • Prepare identity response actions for suspected portal credential capture, including credential resets and session/token review where applicable.
  • Ensure network egress controls and logging cover VPN appliances, not only user endpoints and servers.

Analyst notes and limits

The supplied ATT&CK object identifies WARPWIRE as a JavaScript credential stealer used during Cutting Edge to target Ivanti Connect Secure VPNs. The most useful defensive interpretation is to combine network-device monitoring with identity incident response, because the malware’s value comes from harvesting plaintext VPN credentials at the portal.

MITRE does not provide an official detection section, aliases, labels, or tactics directly on this malware object. The guidance above is derived from the official description, external references, platform field, and ATT&CK relationships to techniques. Local appliance versions, logging capabilities, vendor tooling, and retained forensic evidence are required to determine exposure or detection coverage.

Official MITRE ATT&CK definition

WARPWIRE

WARPWIRE is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during Cutting Edge to target Ivanti Connect Secure VPNs.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1554 | Compromise Host Software Binary
WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs. [Mandiant Cutting Edge January 2024]

Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique)
WARPWIRE can send captured credentials to C2 via HTTP `GET` or `POST` requests. [Mandiant Cutting Edge January 2024; Mandiant Cutting Edge Part 2 January 2024]

Enterprise | T1059.007 | JavaScript (sub-technique)
WARPWIRE is a credential harvester written in JavaScript. [Mandiant Cutting Edge January 2024]

Enterprise | T1056.003 | Web Portal Capture (sub-technique)
WARPWIRE can capture credentials submitted during the web logon process in order to access layer seven applications such as RDP. [Mandiant Cutting Edge January 2024]

Enterprise | T1132.001 | Standard Encoding (sub-technique)
WARPWIRE can Base64 encode captured credentials with `btoa()` prior to sending to C2. [Mandiant Cutting Edge January 2024]

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0029: Cutting Edge

Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 95ee7f94bcb1d97a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 95ee7f94bcb1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant Cutting Edge January 2024
     McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  2. [2] Mandiant Cutting Edge Part 2 January 2024
     Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  3. [3] mitre-attack S1116

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.