S1206: JumbledPath
JumbledPath is a custom-built utility written in GO that has been used by Salt Typhoon since at least 2024 for packet capture on remote Cisco devices. JumbledPath is compiled as an ELF binary using x86-64 architecture which makes it potentially useable across Linux operating systems and network devices from multiple vendors.[1]
Analyst context for executives and security teams
JumbledPath matters because ATT&CK describes it as a custom Go ELF utility used for packet capture on remote Cisco network devices, with potential usability across Linux-based network devices. For leaders, the practical risk is loss of visibility and confidentiality at the network infrastructure layer: if a router or similar device is used to capture traffic, attackers may observe credentials, operational data, or sensitive communications before endpoint controls ever see the activity.
Executive priority
Prioritize this as a network infrastructure visibility and resilience issue, not just a malware issue. Security leaders should ask whether critical network devices are inventoried, centrally logged, access-controlled, monitored for unauthorized packet capture or binary execution, and included in incident response playbooks. This is especially relevant for telecom, ISP, and high-dependency network environments because the related ATT&CK group context describes compromises of network infrastructure at major U.S. telecommunication and ISP organizations.
Technical view
ATT&CK provides no official detection for JumbledPath, so teams should validate coverage around the related behaviors: Network Sniffing, Multi-Stage Channels, Archive Collected Data, Hide Infrastructure, Disable or Modify Tools, and Clear Linux or Mac System Logs. For SOC and IR teams, the key validation is whether remote network devices and Linux-based management planes produce enough telemetry to identify unexpected ELF x86-64 binaries, packet capture activity, suspicious outbound command-and-control patterns, archive creation of collected data, security/logging tool impairment, and clearing or gaps in /var/log-style system logs.
Likely telemetry
- Network device authentication, authorization, configuration, and command logs
- Centralized syslog from routers, switches, and Linux-based network appliances
- File creation, transfer, permission, and execution records for ELF binaries where available
- Process execution telemetry on Linux or network-device management shells where available
- Indicators of packet capture or promiscuous-mode behavior, SPAN/session configuration changes, or unexpected capture files
Detection direction
- Do not depend on endpoint EDR alone; the stated platform is Network Devices, where host telemetry may be limited or absent.
- Baseline expected administrative access, file transfers, binaries, and packet-capture operations on network devices, then alert on deviations.
- Correlate suspicious packet capture behavior with outbound network connections, archive creation, and log gaps to reduce false positives from legitimate troubleshooting.
- Validate whether centralized logging preserves evidence if local Linux or device logs are cleared or modified.
- Tune detections for authorized network engineering activity, because packet capture and archive creation can be legitimate during maintenance or incident response.
Mitigation priorities
- Maintain an authoritative inventory of critical network devices and confirm which can execute Linux ELF binaries or support shell access.
- Restrict and audit administrative access to network devices, including remote access paths and privileged operations.
- Centralize and protect device logs so local log clearing does not remove investigative evidence.
- Limit, document, and monitor packet capture capability on production network infrastructure.
- Monitor and control outbound communications from network devices to reduce opportunities for staged or hidden command-and-control.
Analyst notes and limits
The most useful defensive framing comes from the relationships: JumbledPath is linked to packet capture, staged command-and-control, data archiving, infrastructure hiding, tool impairment, and Linux/Mac log clearing. These relationships make it important to test end-to-end visibility across infrastructure devices, not just malware signature matching.
ATT&CK does not provide official detection logic, hashes, command lines, tactics for the software object, or complete operational details in the supplied fields. Local device models, logging capabilities, administrative practices, and network architecture will determine what can be detected or proven.
JumbledPath
JumbledPath is a custom-built utility written in GO that has been used by Salt Typhoon since at least 2024 for packet capture on remote Cisco devices. JumbledPath is compiled as an ELF binary using x86-64 architecture which makes it potentially useable across Linux operating systems and network devices from multiple vendors.[1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1040 | Network Sniffing | JumbledPath has the ability to perform packet capture on remote devices via actor-defined jump-hosts.CitationCisco Salt Typhoon FEB 2025 |
| Enterprise | T1685 | Disable or Modify Tools | JumbledPath can impair logging on all devices used along its connection path to compromised hosts.CitationCisco Salt Typhoon FEB 2025 |
| Enterprise | T1104 | Multi-Stage Channels | JumbledPath can communicate over a unique series of connections to send and retrieve data from exploited devices.CitationCisco Salt Typhoon FEB 2025 |
| Enterprise | T1665 | Hide Infrastructure | JumbledPath can use a chain of jump hosts to communicate with compromised devices to obscure actor infrastructure.CitationCisco Salt Typhoon FEB 2025 |
| Enterprise | T1560 | Archive Collected Data | JumbledPath can compress and encrypt exfiltrated packet captures from targeted devices.CitationCisco Salt Typhoon FEB 2025 |
| Enterprise | T1685.006 | Clear Linux or Mac System Logs Sub-technique | JumbledPath can clear logs on all devices used along its connection path to compromised network infrastructure.CitationCisco Salt Typhoon FEB 2025 |
Groups, software, and campaigns
G1045: Salt Typhoon
Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | e55a663140e4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Cisco Salt Typhoon FEB 2025
Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025.
Open source URL -
[2]
mitre-attack S1206Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.