
S1120: FRAMESTING

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[1]

Enterprise | S1120 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

FRAMESTING matters because it represents a Python web shell embedded into an Ivanti Connect Secure Python package for command execution. For leaders, the practical issue is not just “malware on a VPN appliance,” but whether security teams can validate integrity, logging, and response readiness for network devices that often sit at the edge of the business and are trusted for remote access.

Executive priority

Prioritize this as an edge-device resilience and incident-readiness concern. The ATT&CK context links FRAMESTING to the Cutting Edge campaign involving exploitation of Ivanti Connect Secure VPN appliances, so executives should ask whether VPN/network device monitoring, software integrity checks, emergency patch processes, and forensic collection plans are mature enough to support rapid decisions during a suspected appliance compromise.

Technical view

SOC and IR teams should validate visibility around Network Devices, especially web-facing appliance behavior, Python package integrity, command execution indicators, and HTTP/S-based command-and-control patterns. Relationship context maps FRAMESTING to Web Shell, Python execution, Web Protocols, Data Obfuscation, Protocol or Service Impersonation, Deobfuscate/Decode Files or Information, and Compromise Host Software Binary. Because ATT&CK provides no official detection text for this malware, detection engineering should be built from local appliance logs, network telemetry, file/package integrity evidence, and known-good baselines rather than assuming endpoint-style coverage exists.

Likely telemetry

  • VPN or network appliance system and application logs
  • Web request and HTTP/S traffic metadata involving the appliance
  • File integrity or package integrity evidence for appliance software components
  • Administrative access and configuration change logs
  • Network flow records for unusual outbound web-protocol communications

Detection direction

  • Confirm whether the SOC collects and retains logs from Ivanti Connect Secure or comparable network devices; many environments have weaker telemetry on appliances than on servers or endpoints.
  • Tune for suspicious web shell behavior on network devices, including unexpected command execution paths and anomalous web requests, while accounting for legitimate administrative and maintenance activity.
  • Validate whether network monitoring can identify unusual HTTP/S patterns, protocol impersonation, or obfuscated command-and-control behavior without relying solely on payload inspection.
  • Compare appliance software packages and Python components against trusted baselines where supported by the vendor and environment.
  • Use the Cutting Edge campaign relationship as threat-intelligence context for prioritization, not as proof of current compromise.

Mitigation priorities

  • Inventory exposed VPN and network appliances and confirm ownership, logging, backup, and emergency response procedures.
  • Maintain vendor-supported patch and upgrade processes for edge appliances, with executive visibility into exceptions and delays.
  • Implement integrity validation or configuration baselining for appliance software and packages where supported.
  • Restrict and monitor administrative access to network devices, including change control and privileged activity review.
  • Prepare IR playbooks for appliance compromise, including evidence preservation, containment, rebuild/reimage decision points, and communications to business owners.

Analyst notes and limits

FRAMESTING is documented by ATT&CK as a Python web shell used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution. The most decision-useful relationships are persistence through web shell and compromised host software, execution through Python, and command-and-control over web protocols with obfuscation or protocol impersonation context.

ATT&CK provides no official detection guidance for FRAMESTING and lists the object platform only as Network Devices. Local product versions, appliance logging capabilities, vendor guidance, and environment-specific baselines are required before determining exposure, detection coverage, or response actions.

Official MITRE ATT&CK definition

FRAMESTING

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

7 rows (columns: Domain, ID, Name, Relationship / procedure)

Enterprise | T1001.003 | Protocol or Service Impersonation (sub-technique)

FRAMESTING uses a cookie named `DSID` to mimic the name of a cookie used by Ivanti Connect Secure appliances for maintaining VPN sessions.[1]

Enterprise | T1071.001 | Web Protocols (sub-technique)

FRAMESTING can retrieve C2 commands from values stored in the `DSID` cookie from the current HTTP request or from decompressed zlib data within the request's `POST` data.[1]

Enterprise | T1505.003 | Web Shell (sub-technique)

FRAMESTING is a web shell capable of enabling arbitrary command execution on compromised Ivanti Connect Secure VPNs.[1]

Enterprise | T1059.006 | Python (sub-technique)

FRAMESTING is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package.[1]

Enterprise | T1001 | Data Obfuscation

FRAMESTING can send and receive zlib compressed data within `POST` requests.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

FRAMESTING can decompress data received within `POST` requests.[1]

Enterprise | T1554 | Compromise Host Software Binary

FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in `/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py`.[1]
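A detection sketch for the T1071.001, T1001 and T1140 rows above: review `POST` requests to the appliance whose body is a zlib stream, while ignoring the `DSID` cookie name, which FRAMESTING mimics and which is therefore present on legitimate sessions too. This is an added example, not FRAMESTING code, Ivanti code or Glexia tooling; the request records, paths and cookie values are constructed for illustration.

```python
import zlib
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    body: bytes = b""

def looks_like_zlib(data: bytes) -> bool:
    """Cheap header test: a zlib stream's CMF/FLG bytes use compression
    method 8 (deflate) and satisfy (CMF*256 + FLG) % 31 == 0."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf * 256 + flg) % 31 == 0

def zlib_payload(data: bytes):
    """Return the decompressed body if it is a complete zlib stream, else None."""
    if not looks_like_zlib(data):
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

def triage(requests):
    """Return (index, reason) pairs for POSTs carrying a zlib-compressed body.
    The DSID cookie name is deliberately not an indicator: it is the normal
    Ivanti session cookie that FRAMESTING imitates."""
    findings = []
    for i, req in enumerate(requests):
        if req.method != "POST":
            continue
        inner = zlib_payload(req.body)
        if inner is not None:
            findings.append((i, f"zlib body {len(req.body)}->{len(inner)} bytes on {req.path}"))
    return findings

def sample_requests():
    """Constructed sample traffic (not captured data): a form login, a GET,
    and a POST whose body is a zlib-compressed constructed string."""
    return [
        Request("POST", "/login", {"DSID": "constructed0001"},
                b"username=alice&password=REDACTED"),
        Request("GET", "/home", {"DSID": "constructed0001"}),
        Request("POST", "/api/category", {"DSID": "constructed0002"},
                zlib.compress(b"constructed-sample-command")),
    ]
```

Run `triage(sample_requests())` to see only the third request flagged; in production the same logic would sit on decoded proxy or appliance request logs, and the flagged requests are review candidates, not confirmed compromise.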

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0029: Cutting Edge

Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK Resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 8c7ed95eca0dc53d...

Imported snapshots across ATT&CK releases (1)

Release 19.1 | Bundle imported: | Object version 1.1 | Modified: | Status: Current bundle | Raw hash 8c7ed95eca0d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant Cutting Edge Part 2 January 2024. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  2. [2] mitre-attack S1120.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.