S1184: BOLDMOVE
BOLDMOVE is a type of backdoor malware written in C linked to People’s Republic of China operations from 2022 through 2023. BOLDMOVE includes both Windows and Linux variants, with some Linux variants specifically designed for FortiGate Firewall devices. BOLDMOVE is linked to zero-day exploitation of CVE-2022-42475 in FortiOS SSL-VPNs.[1] The record for BOLDMOVE only covers known Linux variants.
Analyst context for executives and security teams
BOLDMOVE matters because it is a backdoor record focused on Linux variants, including variants designed for FortiGate firewall devices. For leaders, the practical issue is not just malware on a server; it is potential compromise of an internet-facing network security device, where normal endpoint controls may be weak and business connectivity, remote access, and boundary visibility can be affected.
Executive priority
Prioritize BOLDMOVE as an edge-device and Linux visibility problem. The supplied ATT&CK context links it to exploitation of CVE-2022-42475 in FortiOS SSL-VPNs and behaviors spanning initial access, discovery, persistence, defense impairment, and command-and-control. Executives should ask whether exposed VPN/firewall assets are inventoried, patched, centrally logged, monitored for configuration and binary changes, and covered by incident response procedures that assume limited endpoint telemetry on appliances.
Technical view
ATT&CK provides no official detection text for BOLDMOVE, so defenders should validate coverage through the related techniques. Focus on Linux and network-device evidence for public-facing application exploitation, Unix shell execution, system and network discovery, file and directory enumeration, file deletion, persistence via system process changes or host binary compromise, ignored process interrupts, defense tool tampering, and web-based encrypted command-and-control potentially routed through multi-hop proxies. Treat administrative activity on firewalls and Linux hosts as a major false-positive source; detections need asset context, change windows, known admin sources, and baseline egress patterns.
Likely telemetry
- Internet-facing asset inventory and vulnerability/exposure records for FortiOS SSL-VPN and other relevant public-facing services
- Firewall/VPN system, authentication, administrative, and crash or error logs where available
- Linux process execution, shell history or command audit logs, and service/init configuration changes
- File integrity or configuration monitoring for appliance and Linux system binaries, startup locations, and security tool configuration files
- Network egress metadata for HTTP/S or other web protocol traffic from network devices and Linux systems
Detection direction
- Because MITRE supplies no BOLDMOVE-specific detection guidance, build detections from the mapped behaviors rather than a single malware signature.
- Validate alerting for exploitation attempts or suspicious post-exploitation activity on internet-facing VPN/firewall services, especially where CVE-2022-42475 exposure is relevant.
- Tune for unusual Unix shell execution, discovery commands, file enumeration, and deletion on Linux systems and network appliances, while suppressing known maintenance activity only with strong change-control evidence.
- Monitor for persistence indicators such as new or modified system processes, altered service definitions, and unexpected changes to host software binaries.
- Correlate web-protocol outbound traffic from edge devices with device role, destination reputation, frequency, encryption characteristics, and whether the device normally initiates such traffic.
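The detection direction above maps to the technique table further down. As an added example (not MITRE's, Google Cloud's or any vendor's code), the following script runs four of those rules over constructed firewall, process and flow events in an assumed normalised format; the asset roles, egress baseline and service process names (`sslvpnd`, `httpsd`) are assumptions standing in for your own inventory and baseline data.

```python
"""Detection sketch for the behaviours mapped to BOLDMOVE above.

Added example for this page; it is not MITRE's or Google Cloud's code. Event formats,
asset roles, daemon names and the egress baseline are assumptions standing in for
whatever your SIEM normalises firewall syslog, Linux process audit and flow records into.
"""
import re

# Assumed asset context (the "asset context" the text says detections need).
ASSET_ROLES = {"fw-edge-01": "firewall", "lnx-web-02": "linux-server"}
# Assumed egress baseline: destinations an edge device is known to initiate web traffic to.
EGRESS_BASELINE = {"fw-edge-01": {"198.51.100.20"}}
LOGGING_DAEMONS = {"miglogd", "syslogd"}    # daemons named in the technique table
SERVICE_PARENTS = {"sslvpnd", "httpsd"}     # assumed names of internet-facing service processes
WEB_PORTS = {80, 443, 8443}

# Constructed sample events: "<host> <timestamp> <kind>: <body>".
SAMPLE_EVENTS = [
    "fw-edge-01 2023-01-10T03:12:44Z daemon: miglogd stopped",
    "fw-edge-01 2023-01-10T03:12:45Z daemon: syslogd stopped",
    "fw-edge-01 2023-01-10T03:12:50Z exec: parent=sslvpnd cmd=/bin/sh",
    "fw-edge-01 2023-01-10T03:13:02Z flow: dst=203.0.113.7 dport=443 proto=tcp",
    "fw-edge-01 2023-01-10T03:14:00Z flow: dst=198.51.100.20 dport=443 proto=tcp",
    "lnx-web-02 2023-01-10T03:20:00Z exec: parent=sshd cmd=/bin/ls -R /",
]

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<ts>\S+)\s+(?P<kind>\w+):\s+(?P<body>.*)$")


def parse(line):
    """Split one event into host/ts/kind plus key=value fields; cmd= keeps its spaces."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    body, cmd = ev["body"], None
    if "cmd=" in body:
        body, _, cmd = body.partition("cmd=")
    ev["fields"] = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
    if cmd is not None:
        ev["fields"]["cmd"] = cmd.strip()
    return ev


def evaluate(lines, asset_roles=ASSET_ROLES, egress_baseline=EGRESS_BASELINE):
    """Return (host, rule, severity, raw_line) tuples for events matching the mapped behaviours."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        host, kind, body, f = ev["host"], ev["kind"], ev["body"], ev["fields"]
        role = asset_roles.get(host, "unknown")
        if kind == "daemon" and body.endswith(" stopped"):
            # Logging impairment: a logging daemon going down on any host
            if body.split()[0] in LOGGING_DAEMONS:
                alerts.append((host, "logging_daemon_stopped", "high", line))
        elif kind == "exec":
            cmd = f.get("cmd", "")
            first = cmd.split()[0] if cmd else ""
            # Unix shell whose parent is a network-facing service process
            if f.get("parent") in SERVICE_PARENTS and re.search(r"/(ba)?sh$", first):
                alerts.append((host, "shell_from_service_daemon", "high", line))
            # Recursive listing from the filesystem root
            if re.match(r"(/\S*/)?(ls -R|find) /(\s|$)", cmd):
                alerts.append((host, "recursive_root_enumeration", "medium", line))
        elif kind == "flow" and role == "firewall":
            # Edge device initiating web-port traffic outside its known baseline
            dst, dport = f.get("dst"), int(f.get("dport", "0"))
            if dport in WEB_PORTS and dst not in egress_baseline.get(host, set()):
                alerts.append((host, "edge_device_web_egress_off_baseline", "medium", line))
    return alerts


if __name__ == "__main__":
    for host, rule, severity, raw in evaluate(SAMPLE_EVENTS):
        print(f"{severity:6} {rule:38} {host}: {raw}")
```

On the sample input the script raises two logging-daemon alerts, one shell-from-service alert and one off-baseline egress alert for the firewall, and one recursive-enumeration alert for the Linux host; the second flow line is suppressed by the baseline. In practice the suppression sets (known admin sources, change windows) belong in the same asset-context tables rather than in the rule bodies.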
Mitigation priorities
- Maintain an authoritative inventory of internet-facing VPN, firewall, and Linux assets, including firmware/software versions and exposure status.
- Prioritize vendor remediation and vulnerability management for CVE-2022-42475 where FortiOS SSL-VPN exposure exists, and verify remediation evidence for audit and risk reporting.
- Restrict and monitor management access to network devices; separate administrative access paths from general internet exposure where feasible.
- Centralize device and Linux logs to reduce loss of evidence if files are deleted or local logging is impaired.
- Use configuration and file integrity baselines for critical network devices and Linux hosts so unauthorized service, binary, or security-tool changes can be investigated quickly.
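The last mitigation, configuration and file integrity baselines, is concrete enough to show. The script below is an added example, not code from MITRE, Google Cloud or a vendor: it hashes every regular file under a directory, stores content hash, mode and size per path, and reports added, removed and modified entries between two baselines. Its demo builds a constructed bin/ tree in a temporary directory and replays the pattern the technique table describes under T1554 (legitimate file backed up and replaced) plus a deleted tool.

```python
"""File-integrity baseline for Linux hosts and appliance filesystems.

Added example for this page, not code from MITRE, Google Cloud or any vendor. It assumes
a readable directory tree; the demo builds a constructed tree in a temporary directory and
simulates the T1554-style replacement of a binary described in the technique table.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, mode, size) for every regular file under root.
    Symlinks are skipped so a redirected link cannot stand in for the real file."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(full), oct(st.st_mode & 0o7777), st.st_size)
    return baseline


def compare(old, new):
    """Classify differences between two baselines; 'modified' covers content, mode or size."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a fake bin/ tree, then replace, add and delete files."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        samples = (("sshd", b"original sshd"), ("httpsd", b"original httpsd"), ("ls", b"original ls"))
        for name, data in samples:
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(data)
        before = build_baseline(root)

        # Watchdog-style swap: legitimate file backed up, different content in its place.
        os.replace(os.path.join(bindir, "httpsd"), os.path.join(bindir, "httpsd.bak"))
        with open(os.path.join(bindir, "httpsd"), "wb") as fh:
            fh.write(b"replaced httpsd")
        # A deleted tool shows up as 'removed'.
        os.remove(os.path.join(bindir, "ls"))

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The demo reports `bin/httpsd` as modified, `bin/httpsd.bak` as added and `bin/ls` as removed. Two design points matter for the appliance case: the baseline must be stored off the device (the same malware family deletes files and disables logging daemons, so anything local can vanish with the evidence), and comparisons should be scheduled around known firmware upgrades, since a legitimate upgrade changes the same binaries a watchdog-style replacement would.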
Analyst notes and limits
The supplied ATT&CK object identifies BOLDMOVE as C backdoor malware associated with PRC-linked operations from 2022 through 2023 and linked to zero-day exploitation of CVE-2022-42475, but this take does not infer current exploitation or local exposure. The business value is in using the object to test whether edge-device security, Linux telemetry, vulnerability prioritization, and incident response evidence are mature enough for a low-visibility appliance compromise scenario.
The official ATT&CK object has no detection section, no tactics listed directly on the malware object, and states that the record only covers known Linux variants. Technique relationships provide behavioral context but not environment-specific indicators, signatures, or guaranteed detection logic. Local asset inventory, patch state, device logging capability, and network baselines are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.004 | Unix Shell | BOLDMOVE is capable of spawning a remote command shell.[1] |
| Enterprise | T1564.011 | Ignore Process Interrupts | BOLDMOVE calls the signal function to ignore the signals SIGCHLD, SIGHUP, and SIGPIPE prior to starting primary logic.[1] |
| Enterprise | T1543 | Create or Modify System Process | BOLDMOVE can free all resources and terminate itself on victim machines.[1] |
| Enterprise | T1083 | File and Directory Discovery | BOLDMOVE can list information of all files in the system recursively from the root directory or from a specified directory.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | BOLDMOVE uses the WolfSSL library to implement SSL encryption for command and control communication.[1] |
| Enterprise | T1554 | Compromise Host Software Binary | BOLDMOVE contains a watchdog-like feature that monitors a particular file for modification. If modification is detected, the legitimate file is backed up and replaced with a trojanized file to allow for persistence through likely system upgrades.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | BOLDMOVE enumerates network interfaces on the infected host.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | BOLDMOVE is associated with exploitation of CVE-2022-42475 in FortiOS.[1] |
| Enterprise | T1070.004 | File Deletion | BOLDMOVE can remove files on victim systems.[1] |
| Enterprise | T1071.001 | Web Protocols | BOLDMOVE uses web services for command and control communication.[1] |
| Enterprise | T1082 | System Information Discovery | BOLDMOVE performs system survey actions following initial execution.[1] |
| Enterprise | T1562.001 | Disable or Modify Tools | BOLDMOVE can disable the Fortinet daemons `miglogd` and `syslogd` to evade detection and logging.[1] |
| Enterprise | T1480 | Execution Guardrails | BOLDMOVE verifies it is executing from a specific path during execution.[1] |
| Enterprise | T1090.003 | Multi-hop Proxy | BOLDMOVE is capable of relaying traffic from command and control servers to follow-on systems.[1] |
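The T1564.011 row (ignoring SIGCHLD, SIGHUP and SIGPIPE before the main logic runs) leaves a trace the kernel exposes on every Linux process: the SigIgn bitmask in /proc/<pid>/status. The script below is an added example, not MITRE's or Google Cloud's code, that decodes that mask and lists processes ignoring all three signals. It assumes Linux x86-64/arm64 signal numbering (other architectures number some signals differently); the status excerpt it tests against is constructed.

```python
"""Hunt for processes that ignore SIGCHLD, SIGHUP and SIGPIPE together.

Added example for this page; not code from MITRE or Google Cloud. It reads the SigIgn
bitmask from /proc/<pid>/status (Linux only) and uses the x86-64/arm64 signal numbering;
other architectures number some signals differently. The sample status text is constructed.
"""
import os

WATCHED = {"SIGCHLD", "SIGHUP", "SIGPIPE"}

LINUX_SIGNALS = {
    1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 4: "SIGILL", 5: "SIGTRAP", 6: "SIGABRT",
    7: "SIGBUS", 8: "SIGFPE", 9: "SIGKILL", 10: "SIGUSR1", 11: "SIGSEGV", 12: "SIGUSR2",
    13: "SIGPIPE", 14: "SIGALRM", 15: "SIGTERM", 16: "SIGSTKFLT", 17: "SIGCHLD",
    18: "SIGCONT", 19: "SIGSTOP", 20: "SIGTSTP", 21: "SIGTTIN", 22: "SIGTTOU",
    23: "SIGURG", 24: "SIGXCPU", 25: "SIGXFSZ", 26: "SIGVTALRM", 27: "SIGPROF",
    28: "SIGWINCH", 29: "SIGIO", 30: "SIGPWR", 31: "SIGSYS",
}

# Constructed /proc/<pid>/status excerpt: SigIgn 0x11001 sets bits 0, 12 and 16,
# i.e. signals 1 (SIGHUP), 13 (SIGPIPE) and 17 (SIGCHLD).
CONSTRUCTED_STATUS = """Name:\tsample-proc
Pid:\t4242
SigPnd:\t0000000000000000
SigBlk:\t0000000000000000
SigIgn:\t0000000000011001
SigCgt:\t0000000000004002
"""


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_sigmask(hexmask):
    """Signal names set in a /proc bitmask; bit n-1 corresponds to signal n."""
    mask = int(hexmask, 16)
    return [LINUX_SIGNALS.get(n, f"SIG{n}") for n in range(1, 65) if mask & (1 << (n - 1))]


def ignored_signals(status_text):
    """Set of signal names the process ignores, from its SigIgn line."""
    return set(decode_sigmask(parse_status(status_text).get("SigIgn", "0")))


def ignores_all_watched(status_text):
    """True when every signal in WATCHED is ignored, the pattern from the technique table."""
    return WATCHED <= ignored_signals(status_text)


def scan_proc(proc_root="/proc"):
    """(pid, name) for live processes matching the pattern; unreadable entries are skipped."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue
        if ignores_all_watched(text):
            hits.append((int(entry), parse_status(text).get("Name", "?")))
    return hits


if __name__ == "__main__":
    for pid, name in scan_proc():
        print(pid, name)
```

Treat the output as a triage list, not an alert: plenty of legitimate daemons ignore SIGHUP and SIGPIPE, so the value comes from joining the hits with the other table rows (executable path outside expected locations, the T1480 path check, a parent that is a network-facing service, outbound TLS from the same PID). FortiOS appliances do not generally expose a shell for this, so there the equivalent evidence has to come from vendor diagnostics or offline image analysis.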
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 77ec1e8ca80f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Google Cloud BOLDMOVE 2023: Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
[2] mitre-attack S1184 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.