S1119: LIGHTWIRE
LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by embedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.[1][2]
Analyst context for executives and security teams
LIGHTWIRE matters because it represents a web shell placed inside a legitimate Ivanti Secure Connect VPN component. For leaders, the key risk is not just malware on a device; it is persistent command execution on an internet-facing remote access gateway that many organizations depend on for workforce connectivity and network access.
Executive priority
Treat this as an edge-device resilience and assurance issue. Security leaders should verify whether VPN appliances are inventoried, integrity-checked, monitored, and included in incident response playbooks. Because the ATT&CK relationships tie LIGHTWIRE to web shell persistence, modified host software, web-based command and control, deobfuscation, and symmetric encryption, coverage depends on more than endpoint tooling; it requires appliance logs, network visibility, and trusted recovery procedures.
Technical view
SOC and IR teams should validate controls around Ivanti Secure Connect VPNs and similar network devices, especially the ability to detect unexpected changes to legitimate CGI components such as compcheckresult.cgi. Detection engineering should map coverage to T1505.003 Web Shell, T1554 Compromise Host Software Binary, T1071.001 Web Protocols, T1140 Deobfuscate/Decode Files or Information, and T1573.001 Symmetric Cryptography. Since MITRE provides no official detection text for LIGHTWIRE, local validation should focus on file integrity, appliance web activity, command execution evidence where available, and anomalous encrypted or web-protocol traffic involving the VPN appliance.
Likely telemetry
- VPN appliance web and administrative logs
- File integrity or vendor forensic evidence for legitimate appliance components
- HTTP/S request metadata involving the VPN appliance
- Network egress logs from the VPN appliance
- Firewall, proxy, or packet metadata for unusual web-protocol communications
Detection direction
- Confirm whether monitoring covers network devices, not only servers and endpoints.
- Baseline legitimate appliance files and investigate unexpected modification of web-accessible components.
- Review web requests to appliance CGI paths for unusual parameters, timing, source patterns, or response sizes.
- Correlate appliance-originated outbound web traffic with expected vendor and operational destinations.
- Account for encrypted or encoded content; absence of readable payloads should not be treated as absence of risk.
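One way to operationalize the request-review item above, as an added example that is not part of the MITRE object or the Glexia analysis: a small Python routine that parses constructed appliance-style web log lines, isolates requests to a watched CGI path, and flags query parameters outside an allowlist and response sizes far above the baseline established by conforming requests. The CGI path prefix, the parameter names, the IP addresses and the log layout are assumptions for illustration.

```python
import re
import statistics
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a generic combined-log layout; the path prefix,
# parameter names and addresses are assumptions, not values from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2024:10:01:02 +0000] "GET /cgi-bin/compcheckresult.cgi?id=7 HTTP/1.1" 200 512
10.0.0.6 - - [05/Jan/2024:10:02:10 +0000] "GET /cgi-bin/compcheckresult.cgi?id=8 HTTP/1.1" 200 498
10.0.0.7 - - [05/Jan/2024:10:05:44 +0000] "GET /cgi-bin/compcheckresult.cgi?id=9 HTTP/1.1" 200 505
203.0.113.9 - - [05/Jan/2024:03:14:00 +0000] "POST /cgi-bin/compcheckresult.cgi?id=7&x=ZXhhbXBsZQ HTTP/1.1" 200 9120
203.0.113.9 - - [05/Jan/2024:03:14:05 +0000] "POST /cgi-bin/compcheckresult.cgi?x=ZXhhbXBsZQ HTTP/1.1" 200 8870
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')


def parse_log(text):
    """Yield (src_ip, timestamp, method, path, param_names, status, size) per line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ip, ts, method, target, status, size = m.groups()
        parts = urlsplit(target)
        params = frozenset(parse_qs(parts.query, keep_blank_values=True))
        yield ip, ts, method, parts.path, params, int(status), int(size) if size != "-" else 0


def review_cgi_requests(text, watched_path, allowed_params, size_factor=4.0):
    """Return (ip, timestamp, reason, detail) findings for requests to watched_path."""
    rows = [r for r in parse_log(text) if r[3] == watched_path]
    allowed = frozenset(allowed_params)
    # Baseline the response size on requests whose parameters are all expected,
    # so a single injected request cannot drag the baseline upward.
    baseline = [size for (_, _, _, _, params, _, size) in rows if params <= allowed]
    median = statistics.median(baseline) if baseline else None
    findings = []
    for ip, ts, _method, _path, params, _status, size in rows:
        unexpected = sorted(params - allowed)
        if unexpected:
            findings.append((ip, ts, "unexpected_param", ",".join(unexpected)))
        if median and size > size_factor * median:
            findings.append((ip, ts, "large_response", str(size)))
    return findings


def sources_with_findings(findings):
    """Count findings per source IP so repeat sources surface first for triage."""
    return Counter(ip for ip, _, _, _ in findings).most_common()
```

Feed real appliance logs through the same functions with the path and allowlist taken from your own baseline; a hit is a lead for the file-integrity check in the next section, not a verdict on its own.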
Mitigation priorities
- Maintain an accurate inventory of exposed VPN appliances and their software state.
- Use vendor-supported integrity checks, updates, and remediation procedures for Ivanti Secure Connect VPNs.
- Restrict administrative access and reduce unnecessary exposure of management interfaces.
- Ensure VPN appliances are included in logging, retention, backup, and incident response collection plans.
- If integrity cannot be established during an investigation, prioritize trusted rebuild or replacement over partial cleanup.
Analyst notes and limits
The most important defensive lesson is that edge appliances require the same assurance discipline as endpoints: inventory, integrity monitoring, log collection, and recovery readiness. LIGHTWIRE’s placement in a legitimate VPN component makes file change visibility and appliance-specific IR procedures especially important.
MITRE provides no official detection guidance for LIGHTWIRE, no aliases, and no tactics on the malware object itself. The supported platform is Network Devices. This take is based only on the supplied ATT&CK fields, external references, and relationships; local applicability depends on the organization’s VPN products, logging depth, and forensic access.
LIGHTWIRE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | LIGHTWIRE can use HTTP for C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LIGHTWIRE can RC4 decrypt and Base64 decode C2 commands.[1] |
| Enterprise | T1505.003 | Web Shell (sub-technique) | LIGHTWIRE is a web shell capable of command execution and establishing persistence on compromised Ivanti Secure Connect VPNs.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | LIGHTWIRE can RC4 encrypt C2 commands.[1] |
| Enterprise | T1554 | Compromise Host Software Binary | LIGHTWIRE can embed itself into the legitimate `compcheckresult.cgi` component of Ivanti Connect Secure VPNs to enable command execution.[2][1] |
Groups, software, and campaigns
C0029: Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5be9cc3de9e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Cutting Edge Part 2 January 2024. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
[2] Mandiant Cutting Edge January 2024. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
[3] mitre-attack S1119. MITRE ATT&CK software entry for S1119 LIGHTWIRE.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.