S1154: VersaMem
VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon to target ISPs and MSPs. VersaMem is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.[1]
Analyst context for executives and security teams
VersaMem matters because it targets Versa Director servers, a control point for SD-WAN environments, after exploitation. In the supplied ATT&CK context, it was used to capture credentials from Versa Director logon activity and enable follow-on Java payload execution during a campaign affecting MSPs and ISPs. For leaders, the business issue is not just malware on a network device: it is potential compromise of infrastructure used to administer connectivity, customer environments, or distributed operations.
Executive priority
Prioritize this as a resilience, identity, and third-party/service-provider risk question. Executives should ask whether Versa Director assets are inventoried, patched for the referenced Versa Director exploitation context, monitored for unauthorized JAR/web shell activity, and covered by incident response plans that include credential rotation and SD-WAN control-plane review. Where MSP or ISP dependencies exist, request evidence of exposure assessment, patch status, log retention, and compromise review rather than relying only on perimeter assurances.
Technical view
SOC and IR teams should validate coverage around Versa Director servers and network-device management infrastructure. ATT&CK provides no official detection text for VersaMem, so detection should be built from the object behavior and relationships: a JAR-based web shell, credential capture tied to Versa Director logon activity, arbitrary Java payload execution, encrypted or encoded files, network sniffing, credential API hooking, command/script execution, file deletion, local staging, shared module loading, and exploitation-driven execution. Treat related campaign and group context as prioritization context, not as proof of local compromise.
Likely telemetry
- Versa Director application, authentication, administrator, and web access logs
- File integrity and process telemetry on Versa Director servers, especially JAR creation, modification, loading, or deletion
- Java runtime execution logs and child process activity where available
- Network traffic metadata from Versa Director management interfaces and unusual outbound or internal connections
- Credential-use telemetry following Versa Director logons, including anomalous administrative access
Detection direction
- Confirm that Versa Director servers are in scope for centralized logging and retention; many organizations under-monitor network management appliances compared with endpoints.
- Hunt for unexpected JAR files, web-accessible artifacts, Java module loading, and unusual Java execution paths on Versa Director servers.
- Correlate authentication events with suspicious file, process, and network activity around logon periods because the supplied description highlights credential capture from Versa Director logon activity.
- Review for signs aligned to related techniques: encoded artifacts, local staging, file deletion, network sniffing behavior, and command/script interpreter use.
- Tune carefully for administrative maintenance activity, upgrades, and legitimate Java components to reduce false positives.
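One way to put the correlation hunt above into practice, as an added example that is not part of the mirrored ATT&CK object or any Glexia tooling: it flags file and process events matching the VersaMem behaviors listed on this page (the `/tmp/.temp.data` staging path, JARs outside expected directories, Java agent loading) and ties each one to a Versa Director logon that occurred shortly before it. The allowlisted JAR directories, the `-javaagent:` heuristic, the 10-minute window and all sample events are assumptions constructed for illustration.

```python
"""Correlate Versa Director logons with suspicious file/process events.
Thresholds, paths and sample events are constructed assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

STAGING_PATHS = {"/tmp/.temp.data"}              # T1074.001 staging path from this page
HIDDEN_TMP_RE = re.compile(r"^/tmp/\.[^/]+$")     # dot-files dropped in /tmp
JAR_RE = re.compile(r"\.jar$", re.IGNORECASE)
EXPECTED_JAR_DIRS = ("/opt/versa/", "/usr/share/java/")   # assumed local allowlist
AGENT_ARGS = ("-javaagent:", "-agentpath:")      # assumed sign of Instrumentation API use

@dataclass
class Event:
    ts: datetime
    kind: str      # "logon", "file_create", "file_delete" or "proc"
    detail: str    # user name, file path or process command line

def is_suspicious_file(path: str) -> bool:
    """Staging path, hidden /tmp file, or a JAR outside the expected directories."""
    if path in STAGING_PATHS or HIDDEN_TMP_RE.match(path):
        return True
    return bool(JAR_RE.search(path)) and not path.startswith(EXPECTED_JAR_DIRS)

def is_suspicious_proc(cmdline: str) -> bool:
    """A Java process loading an agent, which legitimate Versa components rarely do."""
    return "java" in cmdline and any(a in cmdline for a in AGENT_ARGS)

def hunt(events, window=timedelta(minutes=10)):
    """Return (logon_user, logon_ts, event) for every suspicious event that
    follows a logon within `window`; events outside any window are ignored."""
    logons = sorted((e for e in events if e.kind == "logon"), key=lambda e: e.ts)
    findings = []
    for e in events:
        flagged = (e.kind in ("file_create", "file_delete") and is_suspicious_file(e.detail)) \
            or (e.kind == "proc" and is_suspicious_proc(e.detail))
        if not flagged:
            continue
        for lg in logons:
            if timedelta(0) <= e.ts - lg.ts <= window:
                findings.append((lg.detail, lg.ts, e))
                break
    return findings

T0 = datetime(2024, 8, 1, 10, 0, 0)   # constructed timestamp
SAMPLE_EVENTS = [                      # constructed telemetry, not real logs
    Event(T0, "logon", "admin"),
    Event(T0 + timedelta(minutes=2), "file_create", "/tmp/.temp.data"),
    Event(T0 + timedelta(minutes=3), "file_create", "/opt/versa/lib/versa-core.jar"),
    Event(T0 + timedelta(minutes=4), "file_create", "/var/tmp/update.jar"),
    Event(T0 + timedelta(minutes=5), "proc", "java -javaagent:/var/tmp/update.jar -jar tomcat"),
    Event(T0 + timedelta(hours=3), "file_create", "/tmp/.stale"),   # outside the window
]
```

Running `hunt(SAMPLE_EVENTS)` yields three findings (the staging file, the stray JAR and the agent-loading Java process); the legitimate Versa JAR and the late hidden file are not reported.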
Mitigation priorities
- Inventory all Versa Director instances and confirm ownership, exposure, version, and patch status in relation to the supplied CVE-2024-39717 campaign context.
- Restrict administrative access to Versa Director management interfaces and validate strong authentication and least-privilege administration.
- Implement file integrity monitoring and change-control review for Versa Director application directories and deployed JAR components.
- Ensure logs needed for web access, authentication, Java execution, and administrative actions are collected before an incident occurs.
- Prepare IR playbooks for suspected Versa Director compromise, including credential rotation, session invalidation, review of SD-WAN administrative changes, and preservation of appliance/server evidence.
Analyst notes and limits
The supplied ATT&CK object identifies VersaMem as a JAR-based web shell for Versa Director servers, associated with Versa Director Zero Day Exploitation and Volt Typhoon, and linked to multiple ATT&CK techniques relevant to credential access, collection, execution, stealth, and discovery. The most defensible use of this object is to drive validation of monitoring and response readiness around SD-WAN management infrastructure and the credentials used to administer it.
MITRE provides no official detection guidance for this object, and the object lists Network Devices as the platform with no explicit tactics on the malware object itself. Practical detection and mitigation depend on local Versa Director deployment details, available server/appliance telemetry, log retention, patch state, and administrative workflows. The relationship context supports historical campaign and group association, not a conclusion of current activity in any specific environment.
VersaMem
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.004 | Credential API Hooking | VersaMem hooked and overrode Versa's built-in authentication method, `setUserPassword`, to intercept plaintext credentials when submitted to the server.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | VersaMem was installed through exploitation of CVE-2024-39717 in Versa Director servers.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | VersaMem encrypted captured credentials with AES and then Base64-encoded them before writing them to local storage.[1] |
| Enterprise | T1070.004 | File Deletion | VersaMem deleted files related to its initial installation, such as temporary files tied to the PID of the main web process.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | VersaMem was delivered as a Java Archive (JAR) that runs by attaching itself to the Apache Tomcat Java servlet and web server.[1] |
| Enterprise | T1074.001 | Local Data Staging | VersaMem staged captured credentials locally at `/tmp/.temp.data`.[1] |
| Enterprise | T1040 | Network Sniffing | VersaMem hooked the Catalina application filter chain `doFilter` on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters such as passwords and follow-on Java modules.[1] |
| Enterprise | T1129 | Shared Modules | VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code already loaded in memory.[1] |
Groups, software, and campaigns
G1017: Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]
Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]
C0039: Versa Director Zero Day Exploitation
Versa Director Zero Day Exploitation was conducted by Volt Typhoon from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. Versa Director Zero Day Exploitation was followed by the delivery of the VersaMem web shell for both credential theft and follow-on code execution.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5c75cdb415fa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lumen Versa 2024: Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.
- [2] mitre-attack S1154.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.