
S1121: LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[1]

Enterprise · S1121 · Malware · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

LITTLELAMB.WOOLTEA matters because it is described as a backdoor used against Ivanti Connect Secure VPN appliances to deploy malware and maintain persistence across upgrades and patches. For leaders, the key issue is not just malware removal; it is whether edge network devices can be trusted after compromise, whether upgrades actually cleared persistence, and whether the organization has enough appliance telemetry to prove it.

Executive priority

Prioritize this as an edge-device resilience and incident-response readiness issue. VPN appliances sit in a high-trust position for remote access, identity-adjacent access, and network ingress. Executives should ask whether Ivanti Connect Secure assets are inventoried, patched, forensically reviewable, and covered by monitoring that can detect persistence, proxying, unusual command-and-control, and post-upgrade re-compromise indicators. This also supports audit and compliance evidence around vulnerability response, privileged access pathways, and incident containment decisions.

Technical view

ATT&CK provides no standalone detection text for LITTLELAMB.WOOLTEA, so SOC and IR teams should validate coverage through the related behaviors: System Information Discovery, File and Directory Discovery, Proxy, Non-Application Layer Protocol, Create or Modify System Process, Compromise Host Software Binary, and Asymmetric Cryptography. For Network Devices, focus on appliance integrity, unexpected file or directory enumeration, modified binaries or startup mechanisms, unexplained services/process changes where observable, and abnormal outbound or tunneled traffic from VPN infrastructure. Because the description highlights persistence across upgrades and patches, post-upgrade validation should include integrity review and not rely on patch status alone.

Likely telemetry

  • Ivanti Connect Secure appliance logs and administrative activity records
  • Network device configuration and integrity evidence
  • File system change evidence from the appliance where available
  • Process, service, or startup mechanism evidence where available from the device or forensic collection
  • Outbound network flow records from VPN appliances

Detection direction

  • Confirm whether monitoring covers VPN appliances as first-class assets, not only endpoints and servers.
  • Baseline expected outbound communications from VPN infrastructure and investigate unusual proxying, tunneling, or non-standard protocol use.
  • Review appliance file integrity and binary integrity before and after upgrades, especially where persistence across patches is a concern.
  • Tune detections around discovery behavior cautiously because legitimate administration may enumerate system and file information; prioritize suspicious timing, source, destination, and association with other persistence or C2 signals.
  • Correlate network-device events with vulnerability management timelines and incident response findings from the Cutting Edge context rather than treating patch completion as proof of eradication.

Mitigation priorities

  • Maintain a current inventory of Ivanti Connect Secure and other internet-facing network devices, including version, patch, and upgrade history.
  • Apply vendor-supported patches and upgrades, but pair them with integrity and compromise assessment because the supplied description notes persistence across upgrades and patches.
  • Restrict administrative access to VPN appliances and review privileged administrative activity.
  • Limit and monitor outbound connectivity from VPN appliances to reduce unreviewed command-and-control and proxy paths.
  • Use vendor-supported forensic guidance and incident response procedures for suspected appliance compromise rather than relying only on endpoint tooling.

Analyst notes and limits

The most decision-relevant point is persistence on a trusted edge network device. The related ATT&CK techniques suggest discovery, persistence, binary modification, proxying, encrypted C2, and non-application-layer communications, but ATT&CK does not provide object-specific detection logic. Glexia would treat this as a validation exercise across vulnerability management, edge-device monitoring, IR collection, and network egress controls.

This take is limited to the supplied ATT&CK fields, external reference metadata, and relationships. No official detection text, aliases, labels, or malware-specific indicators were provided. Local device models, firmware versions, logging capability, network architecture, and incident evidence are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1095 | Non-Application Layer Protocol
LITTLELAMB.WOOLTEA can function as a stand-alone backdoor communicating over the `/tmp/clientsDownload.sock` socket. [1]

Enterprise | T1090 | Proxy
LITTLELAMB.WOOLTEA has the ability to function as a SOCKS proxy. [1]

Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique)
LITTLELAMB.WOOLTEA can communicate over SSL using the private key from the Ivanti Connect Secure web server. [1]

Enterprise | T1554 | Compromise Host Software Binary
LITTLELAMB.WOOLTEA can append malicious components to the `tmp/tmpmnt/bin/samba_upgrade.tar` archive inside the factory reset partition in an attempt to persist post reset. [1]

Enterprise | T1543 | Create or Modify System Process
LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background. [1]

Enterprise | T1083 | File and Directory Discovery
LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of `/tmp/data/root/dev`. [1]

Enterprise | T1082 | System Information Discovery
LITTLELAMB.WOOLTEA can check the type of Ivanti VPN device it is running on by executing `first_run()` to identify the first four bytes of the motherboard serial number. [1]
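The "Detection direction" bullet about reviewing archive and binary integrity before and after upgrades, and the T1554 row about components being appended to an archive in the factory reset partition, both come down to the same defender check: compare a trusted manifest of an archive's members against what is on the appliance now. The example below is added here and is not code from Mandiant, MITRE or Glexia. It assumes a known-good baseline archive captured from trusted media (the `BASELINE_MEMBERS` names and contents are constructed placeholders, not the real contents of `samba_upgrade.tar`), and it generalizes to any tar archive, not only the one named in the row. Because tar appends add a second entry under an existing name and the later entry wins on extraction, the check keeps duplicate names and reports them separately rather than silently taking the first.

```python
import hashlib
import io
import tarfile
from collections import Counter


def build_archive(members):
    """Build an uncompressed tar archive in memory from (name, bytes) pairs.

    Used here only to construct sample 'before' and 'after' archives; a real
    baseline comes from a known-good appliance image or vendor-supplied media.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(archive):
    """Return (name, sha256) for every entry in archive order.

    Duplicate names are kept deliberately: an appended entry reuses an existing
    name and, on extraction, the later entry overrides the earlier one.
    """
    entries = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                entries.append((member.name, hashlib.sha256(data).hexdigest()))
            else:
                entries.append((member.name, "<non-regular>"))
    return entries


def diff_archives(baseline, current):
    """Compare a trusted baseline archive against the archive found post-upgrade.

    Returns added, modified and removed member names (as extraction would apply
    them, i.e. last entry per name wins) plus any names that occur more than
    once in the current archive, which is the signature of an append.
    """
    base = dict(manifest(baseline))          # baseline assumed to have unique names
    current_entries = manifest(current)
    effective = {}                            # last digest per name, as extraction sees it
    for name, digest in current_entries:
        effective[name] = digest
    counts = Counter(name for name, _ in current_entries)
    return {
        "added": sorted(n for n in effective if n not in base),
        "modified": sorted(n for n, d in effective.items() if n in base and d != base[n]),
        "removed": sorted(n for n in base if n not in effective),
        "duplicate_names": sorted(n for n, c in counts.items() if c > 1),
    }


# Constructed sample: member names and contents are illustrative only.
BASELINE_MEMBERS = [
    ("bin/upgrade.sh", b"#!/bin/sh\necho upgrade\n"),
    ("bin/helper", b"placeholder-original-binary\n"),
]
# Constructed 'after' state: one appended entry reuses an existing name with
# different content, one is entirely new. Building the archive with the extra
# members at the end gives the same layout an append would produce.
APPENDED_MEMBERS = [
    ("bin/upgrade.sh", b"#!/bin/sh\necho upgrade\necho appended\n"),
    ("bin/extra_component", b"placeholder-added-binary\n"),
]

BASELINE_TAR = build_archive(BASELINE_MEMBERS)
CURRENT_TAR = build_archive(BASELINE_MEMBERS + APPENDED_MEMBERS)


if __name__ == "__main__":
    findings = diff_archives(BASELINE_TAR, CURRENT_TAR)
    for kind, names in findings.items():
        print(f"{kind}: {names or '-'}")
```

In practice the baseline manifest (the output of `manifest()` on trusted media) is what you store, not the archive itself, and the comparison runs against the archive pulled from the appliance or from a forensic image; an empty result on a freshly patched device is the evidence the "Mitigation priorities" list asks for beyond patch status alone.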

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0029: Cutting Edge

Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 04c4d8f10ad7a24d...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 04c4d8f10ad7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Mandiant Cutting Edge Part 3 February 2024: Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  [2] mitre-attack S1121.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.