MITRE ATT&CK® Malware

S1117: GLASSTOKEN

GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[1]

Domain: Enterprise | ID: S1117 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

GLASSTOKEN matters because it represents a custom web shell used to run commands on compromised Ivanti Secure Connect VPN appliances. For leaders, the key issue is not the malware name itself; it is that an internet-facing network security appliance can become a persistence and execution point if compromised. That creates business risk around remote access integrity, incident containment, and confidence in perimeter device monitoring.

Executive priority

Prioritize validation of externally exposed VPN appliance security, logging, and incident response playbooks. The ATT&CK context ties GLASSTOKEN to the Cutting Edge campaign and compromised Ivanti Secure Connect VPNs, so decision-makers should ask whether network devices are included in vulnerability management, evidence collection, managed detection scope, and breach containment planning. This is especially important where VPN availability and trust are critical to workforce access, regulated access controls, or operational continuity.

Technical view

SOC and IR teams should treat GLASSTOKEN as a web shell on a network device that is tied to command execution. ATT&CK relationships indicate use of the Web Shell, PowerShell, Standard Encoding, and Deobfuscate/Decode Files or Information techniques. Validate whether Ivanti Secure Connect VPN appliance logs, web request records, administrative activity, file integrity evidence, command execution artifacts, and downstream Windows PowerShell telemetry are available and retained. Because ATT&CK provides no official detection text for this malware, detection engineering should be based on local appliance behavior, web shell technique coverage, encoded C2-like traffic patterns, and post-compromise command execution evidence rather than on a single named signature.

Likely telemetry

  • VPN appliance web access and administrative logs
  • Network device configuration and file integrity evidence
  • HTTP request metadata to externally exposed appliance interfaces
  • Authentication and session records for remote access infrastructure
  • PowerShell execution logs from downstream Windows systems where available

Detection direction

  • Confirm whether network devices, especially VPN appliances, are actually covered by SOC ingestion and retention; many environments monitor endpoints better than appliances.
  • Develop detections around web shell behavior on internet-facing devices, including suspicious web requests, unexpected files, and command execution indicators where appliance telemetry permits.
  • Correlate appliance activity with downstream PowerShell execution rather than assuming the web shell activity will be visible only on the VPN device.
  • Review for standard encoding and decode/deobfuscation patterns in traffic and command content, while tuning carefully because encoding is common in legitimate protocols and administration.
  • Use the Cutting Edge relationship as threat-intelligence context for prioritization, not as proof of attribution or exposure in a specific environment.

Mitigation priorities

  • Place externally exposed VPN appliances under the same vulnerability management and emergency patch governance as servers and endpoints.
  • Ensure appliance logging, configuration backup, and forensic collection procedures are documented before an incident.
  • Restrict and monitor administrative access to VPN infrastructure and validate least-privilege operating practices.
  • Include web shell response procedures in IR playbooks, including isolation, credential review, and downstream host investigation.
  • Validate compensating monitoring for network devices where endpoint agents cannot be deployed.

Analyst notes and limits

MITRE identifies GLASSTOKEN as a custom web shell used during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs. The most useful defensive takeaway is to test whether appliance monitoring, web shell detection, and downstream command-execution correlation are operationally mature. The relationship to PowerShell suggests defenders should not stop at appliance logs; they should also examine Windows execution telemetry where the appliance may have been used as a pivot point.

ATT&CK provides no official detection guidance for GLASSTOKEN, no aliases, and no explicit tactics on the malware object. The platform field is limited to Network Devices, while some related techniques apply to other platforms. Local product versions, exposure, logging configuration, and forensic evidence are required before making any claim about compromise, coverage, or impact.

Official MITRE ATT&CK definition

GLASSTOKEN

GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

4 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1059.001 | PowerShell (sub-technique) | GLASSTOKEN can use PowerShell for command execution. Citation: Volexity Ivanti Zero-Day Exploitation January 2024

Enterprise | T1140 | Deobfuscate/Decode Files or Information | GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests. Citation: Volexity Ivanti Zero-Day Exploitation January 2024

Enterprise | T1505.003 | Web Shell (sub-technique) | GLASSTOKEN is a web shell capable of tunneling C2 connections and code execution on compromised Ivanti Secure Connect VPNs. Citation: Volexity Ivanti Zero-Day Exploitation January 2024

Enterprise | T1132.001 | Standard Encoding (sub-technique) | GLASSTOKEN has hexadecimal and Base64 encoded C2 content. Citation: Volexity Ivanti Zero-Day Exploitation January 2024
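The T1140 and T1132.001 rows above, together with the "Detection direction" bullet on reviewing standard encoding in traffic, describe content that is hex- or Base64-encoded inside web requests to the appliance. The following script is an added illustration of that detection idea; it is not Glexia's or MITRE's code and it does not reproduce any GLASSTOKEN artifact. It parses constructed access-log lines (the log format, the /vpn/... paths, and the parameter names are assumptions), decodes any parameter value that is valid hex or Base64, and flags only values that decode to shell-command-like text. The benign session token in the sample is also Base64 but decodes to an opaque string and is therefore not flagged, which is the tuning concern the bullet list raises.

```python
"""Flag hex- or Base64-encoded, command-like parameter values in appliance
web access logs. Added example, not part of the original page; log format,
paths and parameter names are assumptions, and SAMPLE_LOG is constructed."""
import base64
import binascii
import re
import string
from urllib.parse import parse_qs, urlsplit

# Constructed log lines in a Combined-Log-like format. The optional trailing
# field is assumed to carry URL-encoded POST body parameters (an assumption
# about the appliance logger, not a real product format).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:09:12:01 +0000] "GET /vpn/auth/welcome.cgi HTTP/1.1" 200 5123
203.0.113.5 - - [10/Jan/2024:09:12:07 +0000] "POST /vpn/auth/login.cgi HTTP/1.1" 302 0 sid=dXNlcjEyMzQ1Njc4OTA=
198.51.100.77 - - [10/Jan/2024:09:15:40 +0000] "GET /vpn/example/handler.cgi?cmd=6964 HTTP/1.1" 200 88
198.51.100.77 - - [10/Jan/2024:09:15:41 +0000] "POST /vpn/example/handler.cgi HTTP/1.1" 200 412 payload=dW5hbWUgLWE=
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: (?P<body>\S+))?$'
)
HEX_RE = re.compile(r'^(?:[0-9a-fA-F]{2}){2,}$')        # even length, at least 4 hex digits
B64_RE = re.compile(r'^[A-Za-z0-9+/]{4,}={0,2}$')        # standard alphabet with optional padding
PRINTABLE = set(string.printable) - {'\x0b', '\x0c'}

# Heuristics for "decoded text looks like a shell command"; tune per environment.
COMMAND_WORDS = {'id', 'uname', 'whoami', 'sh', 'bash', 'cat', 'ls', 'curl', 'wget', 'python', 'perl', 'nc'}
SHELL_META = ('|', ';', '&&', '$(', '`', '/bin/', '/tmp/')


def parse_line(line):
    """Parse one access-log line into a dict with 'path' and a list of (name, value) params."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['target'])
    # parse_qs turns '+' into a space, so URL-encoded Base64 ('%2B') must be
    # left encoded by the logger for this to work; the sample contains no '+'.
    params = [(k, v) for k, vs in parse_qs(url.query, keep_blank_values=True).items() for v in vs]
    if rec['body']:
        params += [(k, v) for k, vs in parse_qs(rec['body'], keep_blank_values=True).items() for v in vs]
    rec['path'] = url.path
    rec['params'] = params
    return rec


def _printable(text):
    return all(ch in PRINTABLE for ch in text)


def decode_candidate(value):
    """Return (encoding, decoded_text) when value is hex or Base64 that decodes
    to printable ASCII; otherwise None. Hex is tried first because short hex
    strings also satisfy the Base64 alphabet."""
    if HEX_RE.match(value):
        try:
            text = bytes.fromhex(value).decode('ascii')
        except (ValueError, UnicodeDecodeError):
            text = None
        if text is not None and _printable(text):
            return ('hex', text)
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            text = base64.b64decode(value, validate=True).decode('ascii')
        except (binascii.Error, ValueError, UnicodeDecodeError):
            return None
        if _printable(text):
            return ('base64', text)
    return None


def looks_command_like(text):
    """True if the decoded text contains shell metacharacters or starts with a known command word."""
    if any(meta in text for meta in SHELL_META):
        return True
    tokens = text.split()
    return bool(tokens) and tokens[0] in COMMAND_WORDS


def scan_log(log_text):
    """Return one finding per encoded, command-like parameter value in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec['params']:
            decoded = decode_candidate(value)
            if decoded and looks_command_like(decoded[1]):
                findings.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': rec['path'],
                                 'param': name, 'encoding': decoded[0], 'decoded': decoded[1]})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} param={f['param']} ({f['encoding']}) -> {f['decoded']!r}")
```

Run against the constructed sample, the two requests to the placeholder handler path are reported while the welcome page and the Base64 session token are not. In production the same logic should be applied to the appliance's actual request logging, scoped to paths that legitimately never carry encoded parameters, and the findings correlated with downstream host telemetry as the "Detection direction" list recommends.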

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0029: Cutting Edge

Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: e38707c09c8e2396...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | e38707c09c8e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Volexity Ivanti Zero-Day Exploitation January 2024: Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  2. [2] mitre-attack S1117

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.