S1118: BUSHWALK
BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.[1][2]
Analyst context for executives and security teams
BUSHWALK matters because it represents a web shell placed inside a legitimate CGI file on compromised Ivanti Connect Secure VPN appliances. For leaders, the key issue is not just malware on a network device; it is persistence on a remote access gateway that may sit at the boundary of identity, access, and business connectivity. If VPN appliance integrity, web file monitoring, and appliance incident response procedures are weak, this type of behavior can undermine confidence in remote access operations and post-incident recovery.
Executive priority
Treat this as a control-validation item for externally exposed network devices, especially Ivanti Connect Secure environments. Executives should ask whether the organization can prove appliance software integrity, collect usable VPN/web logs, preserve forensic evidence from appliances, and validate remediation after suspected compromise. Because ATT&CK provides no detection guidance for this object, priority should go to readiness: asset inventory, emergency patch and rebuild procedures, log retention, and clear incident decision criteria for when a VPN appliance must be isolated, rebuilt, or replaced.
Technical view
BUSHWALK is described as a Perl web shell inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during the Cutting Edge campaign. Relationship context links it to Web Shell, Compromise Host Software Binary, Obfuscated Files or Information, Deobfuscate/Decode Files or Information, Traffic Signaling, and Ingress Tool Transfer. The mirrored procedure text makes those concrete: the shell takes Base64-encoded, RC4-encrypted payloads through a web request's command parameter, can write files from those payloads, returns RC4-encrypted command output, and can be switched on or off by the User-Agent value of incoming HTTP requests through a modified DSUserAgentCap.pm Perl module. SOC and IR teams should therefore validate whether they can detect unexpected changes to appliance CGI and Perl module files, requests to legitimate web endpoints that carry unexpected parameters, encoded or encrypted request and response content, User-Agent strings that the legitimate client population does not send, and files or tools delivered to the appliance through web requests. Detection should be appliance-aware: standard endpoint agents may not exist on these devices, so coverage often depends on vendor logs, web access logs, network telemetry, configuration backups, file integrity evidence, and forensic collection procedures.
Likely telemetry
- Ivanti Connect Secure appliance logs and administrative event records
- Web access logs for CGI endpoints, especially querymanifest.cgi where available
- Network traffic metadata to and from VPN appliances
- File integrity or firmware/software integrity evidence for appliance web/application files
- Configuration backups and known-good baselines for VPN appliances
Detection direction
- Validate whether logging is enabled and retained for externally exposed VPN appliances; do not assume EDR coverage exists on network devices.
- Baseline legitimate appliance files and investigate unexpected modification of CGI or web-accessible files, especially changes to legitimate files rather than creation of obviously malicious names.
- Correlate suspicious web requests with appliance file changes, payload delivery through request parameters, and User-Agent values that differ from the legitimate client population; the traffic-signaling relationship on this page describes activation keyed on the User-Agent rather than on a port knock or packet sequence.
- Look for encoded, compressed, encrypted, or otherwise obfuscated content where appliance logs and network telemetry permit inspection.
- Tune detections to reduce false positives from legitimate administrative maintenance, vendor updates, and health checks by comparing against approved change windows and vendor guidance.
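The checks above, as an added example (not code from the page, Mandiant or Ivanti): a Python triage script that hashes web-accessible files against a known-good baseline and flags requests to the watched CGI endpoint that carry a command parameter or a User-Agent the legitimate client population does not send. The baseline, file contents and log lines are constructed for the example; the endpoint path /dana-na/auth/querymanifest.cgi and the combined log format are assumptions to be replaced with what the appliance actually exposes and logs.

```python
"""Appliance-aware triage for a BUSHWALK-style implant (added example).

1. integrity: hash web files against a known-good baseline so a legitimate
   CGI modified in place stands out (T1554);
2. access-log triage: requests to the watched CGI that carry a "command"
   parameter or an unusual User-Agent (T1505.003, T1205).
All inputs below are constructed; the path and log format are assumptions.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for vendor-shipped files, keyed by bare filename
# because on-appliance paths are not given on the page.
_GOOD = {
    "querymanifest.cgi": b"#!/usr/bin/perl\n# vendor CGI (constructed stand-in)\nprint \"ok\\n\";\n",
    "DSUserAgentCap.pm": b"package DSUserAgentCap;\n# vendor module (constructed stand-in)\n1;\n",
    "welcome.cgi": b"#!/usr/bin/perl\nprint \"welcome\\n\";\n",
}
# Hashes a defender would have recorded from a known-good appliance.
BASELINE = {name: hashlib.sha256(data).hexdigest() for name, data in _GOOD.items()}

# Constructed "current" state: querymanifest.cgi keeps its legitimate code but
# has lines appended, the in-place modification pattern of T1554.
CURRENT = dict(_GOOD)
CURRENT["querymanifest.cgi"] = _GOOD["querymanifest.cgi"] + b"# appended lines (constructed)\n"


def check_integrity(baseline, current):
    """Return (modified, missing, unexpected) filename lists.

    Any change to a baselined file is reported; there is no tolerance for
    "small" edits, because the implant lives inside a legitimate file.
    """
    modified = sorted(
        name for name, data in current.items()
        if name in baseline and hashlib.sha256(data).hexdigest() != baseline[name]
    )
    missing = sorted(name for name in baseline if name not in current)
    unexpected = sorted(name for name in current if name not in baseline)
    return modified, missing, unexpected


# Combined log format (assumed): ip ident user [ts] "METHOD target [proto]" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines: ordinary browser fetches of the CGI, then one
# request carrying a command parameter under a one-off User-Agent.
LOG_LINES = [
    '203.0.113.5 - - [31/Jan/2024:10:00:01 +0000] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/121.0"',
    '203.0.113.5 - - [31/Jan/2024:10:00:02 +0000] "GET /dana-na/auth/querymanifest.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/121.0"',
    '203.0.113.9 - - [31/Jan/2024:10:01:15 +0000] "GET /dana-na/auth/querymanifest.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/121.0"',
    '198.51.100.7 - - [31/Jan/2024:10:05:44 +0000] "POST /dana-na/auth/querymanifest.cgi?command=Tm90IGEgcmVhbCBwYXlsb2Fk HTTP/1.1" 200 128 "-" "ExampleClient/1.0"',
    "malformed line that the parser must skip, not crash on",
]
WATCHED_PATHS = {"/dana-na/auth/querymanifest.cgi"}  # assumed endpoint path


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def triage_log(lines, watched=WATCHED_PATHS, rare_ua_max=1):
    """Flag requests to watched CGI paths that look like shell interaction.

    A User-Agent seen at most rare_ua_max times in the window is treated as
    unusual: a user-agent-gated implant is driven by a client string the
    legitimate user population does not send.
    """
    records = [r for r in (parse_line(line) for line in lines) if r]
    ua_counts = Counter(r["ua"] for r in records)
    hits = []
    for r in records:
        if r["path"] not in watched:
            continue
        reasons = []
        if "command" in r["query"]:
            reasons.append("command parameter on legitimate CGI")
        if ua_counts[r["ua"]] <= rare_ua_max:
            reasons.append("User-Agent seen %d time(s) in window" % ua_counts[r["ua"]])
        if reasons:
            hits.append({"ip": r["ip"], "ts": r["ts"], "path": r["path"], "ua": r["ua"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    modified, missing, unexpected = check_integrity(BASELINE, CURRENT)
    print("modified:", modified, "missing:", missing, "unexpected:", unexpected)
    for hit in triage_log(LOG_LINES):
        print(hit["ts"], hit["ip"], hit["path"], hit["ua"], "; ".join(hit["reasons"]))
```

Run it directly to print the report. Treat the rare-User-Agent check as a hunting lead rather than an alert on its own: the implant is gated on a specific string, but which string must come from the recovered DSUserAgentCap.pm, and a small user population can make ordinary browsers look rare. The integrity check only works if the baseline was captured from a trusted image, which is why known-good backups appear in the telemetry list above.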
Mitigation priorities
- Maintain a current inventory of internet-facing VPN and network appliances and their software versions.
- Prioritize vendor-directed patching, mitigation, and integrity-check guidance for Ivanti Connect Secure appliances where applicable.
- Establish known-good configuration and file baselines so appliance tampering can be identified during incidents.
- Restrict administrative access to VPN appliances and monitor administrative changes.
- Ensure network egress controls and monitoring apply to VPN appliances, not only user endpoints and servers.
Analyst notes and limits
The most important defensive lesson is that perimeter appliances need security monitoring and recovery plans comparable to servers, even when they cannot run normal endpoint tooling. The relationships to web shell persistence, host software modification, obfuscation, traffic signaling, and tool transfer suggest defenders should validate both file integrity and network behavior, not rely on a single indicator.
The ATT&CK object does not provide an official detection section, aliases, labels, or object-level tactics. Details are limited to BUSHWALK being a Perl web shell inserted into querymanifest.cgi on compromised Ivanti Connect Secure VPNs during Cutting Edge, plus the listed ATT&CK technique relationships and external references. Local appliance version, logging, vendor advisories, and forensic evidence are required to determine exposure or compromise.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | BUSHWALK can write malicious payloads sent through a web request's command parameter.[1][2] |
| Enterprise | T1205 | Traffic Signaling | BUSHWALK can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests.[2] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | BUSHWALK is a web shell that has the ability to execute arbitrary commands or write files.[1] |
| Enterprise | T1554 | Compromise Host Software Binary | BUSHWALK can embed into the legitimate `querymanifest.cgi` file on compromised Ivanti Connect Secure VPNs.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BUSHWALK can Base64 decode and RC4 decrypt malicious payloads sent through a web request's command parameter.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | BUSHWALK can encrypt the resulting data generated from C2 commands with RC4.[1] |
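The T1140 and T1027 rows describe a two-layer encoding of the command channel: the command parameter value is Base64-decoded and then RC4-decrypted, and command output is RC4-encrypted on the way back. The following Python decoder is an added example for analysts reconstructing that chain from a recovered sample; it is not the implant's code. EXAMPLE_KEY and SAMPLE_PARAM are constructed stand-ins, the real RC4 key and any encoding applied to the encrypted response must be read from the Perl source recovered from the appliance, and the RC4 routine is checked against published known-answer vectors before it is trusted.

```python
"""Decoder for the Base64 -> RC4 layering attributed to BUSHWALK (added example).

EXAMPLE_KEY and SAMPLE_PARAM are constructed. The real key, and whether the
RC4-encrypted response is itself Base64-encoded, come from the recovered
Perl source, not from this page.
"""
import base64

EXAMPLE_KEY = b"constructed-example-key"  # hypothetical; recover the real key from the sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation, XOR with data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_command(param: str, key: bytes) -> bytes:
    """Analyst side of T1140: undo Base64, then RC4, on the command parameter value.

    `param` must be the decoded parameter value. If it is cut out of a raw URL,
    percent-decode it with urllib.parse.unquote(), not unquote_plus(): a
    literal '+' is a Base64 character, not a space.
    """
    raw = base64.b64decode(param, validate=True)
    return rc4(key, raw)


def encode_command(plaintext: bytes, key: bytes) -> str:
    """Operator side, used here only to build test vectors: RC4, then Base64."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decrypt_output(blob: bytes, key: bytes) -> bytes:
    """T1027 row: command output is RC4-encrypted; the same key reverses it."""
    return rc4(key, blob)


# Published RC4 known-answer vector (key "Key", plaintext "Plaintext").
RC4_KAT = (b"Key", b"Plaintext", bytes.fromhex("bbf316e8d940af0ad3"))

# Constructed sample of what an operator would have placed in ?command=...
SAMPLE_PARAM = encode_command(b"example command text", EXAMPLE_KEY)

if __name__ == "__main__":
    k, p, c = RC4_KAT
    assert rc4(k, p) == c, "RC4 known-answer test failed"
    print("command parameter:", SAMPLE_PARAM)
    print("decoded command:  ", decode_command(SAMPLE_PARAM, EXAMPLE_KEY))
```

Because RC4 is a stream cipher with no integrity check, a wrong key does not raise an error; it yields plausible-looking garbage. Always validate a candidate key against a request whose plaintext you can predict, or against the known-answer vector as above, before drawing conclusions from decrypted traffic.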
Groups, software, and campaigns
C0029: Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 7bddc3411660… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Cutting Edge Part 2 January 2024. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
[2] Mandiant Cutting Edge Part 3 February 2024. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
[3] MITRE ATT&CK. S1118: BUSHWALK (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.