S1224: CASTLETAP
Analyst context for executives and security teams
CASTLETAP matters because it is a backdoor on perimeter network devices: ATT&CK reports it as an ICMP port-knocking backdoor installed on compromised FortiGate firewalls. For leaders, the issue is not just malware on a firewall; it is the loss of trust in an edge device that routes, filters, and can observe sensitive traffic, and that usually has far less endpoint-style monitoring than servers or workstations.
Executive priority
Prioritize this as an edge-device resilience and incident-readiness concern. Security leaders should ask whether firewalls and other network devices are inventoried, patched, centrally logged, configuration-monitored, and included in incident response evidence collection. Because the related techniques include network sniffing, local data access, shell execution, tool transfer, passive socket-filter activation, and encrypted command-and-control, a suspected case should be treated as a potential compromise of both device integrity and traffic confidentiality.
Technical view
SOC and IR teams should validate telemetry coverage for network devices, especially FortiGate firewalls where deployed. ATT&CK provides no official detection text for CASTLETAP, so coverage has to be built from the relationship context: ICMP echo requests whose payloads do not match normal diagnostic traffic (the reported activation path), unusual socket or filter behavior, shell execution on the device, local file or configuration access, inbound tool transfer, encrypted command-and-control initiated by the device itself, and evidence of packet capture or promiscuous sniffing. Edge devices rarely expose full process telemetry, so network telemetry, configuration baselines, device logs, and forensic collection procedures become decisive.
Likely telemetry
- Network device system, security, and administrative logs
- Firewall configuration snapshots and change history
- Perimeter ICMP traffic metadata and packet captures where available
- NetFlow or equivalent network flow records for unusual external communications
- Device CLI or shell command history where retained
Detection direction
- Confirm whether network-device logs are centralized, time-synchronized, and retained long enough to support investigation.
- Baseline normal ICMP use at the perimeter before alerting on ICMP anomalies to reduce false positives from diagnostics and monitoring tools.
- Review firewall configuration and filesystem changes for unexpected files, scripts, packet capture utilities, or persistence-related artifacts.
- Correlate device-side events with network flows, especially unusual encrypted outbound communications from the device itself.
- Hunt for signs aligned to the related techniques: Network Sniffing, Unix Shell, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Socket Filters, and encrypted command-and-control.
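The ICMP activation path in the technical view and the baseline-before-alerting advice above can be turned into a small triage routine. The following is an added example written for this page; it is not CASTLETAP code and not MITRE or Mandiant tooling. It assumes raw IPv4 frames with no link-layer header, treats Windows ping.exe and iputils-style payloads as the baseline, and brute-forces single-byte XOR keys as a heuristic for XOR-obfuscated activation strings. The sample packets, the XOR key 0x5A and the activation string "ACTIVATE!" are constructed here for illustration; the real key and string are not on this page.

```python
"""Triage ICMP echo requests for activation-style payloads (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

# Payload sent by Windows ping.exe. iputils ping fills its payload with a run of
# consecutive byte values after a timestamp. Both are baseline heuristics, not
# signatures; extend them with what your own perimeter capture shows as normal.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request (sample input only; IP checksum left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + icmp


def parse_echo_request(pkt: bytes) -> Optional[Tuple[str, str, bytes]]:
    """Return (src, dst, payload) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:          # type 8 = echo request
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, icmp[8:]


def is_baseline_ping(payload: bytes) -> bool:
    """True for payloads that look like ordinary diagnostic pings."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    tail = payload[-16:]                        # iputils-style: consecutive byte values
    return len(tail) == 16 and all(b - a == 1 for a, b in zip(tail, tail[1:]))


def xor_printable_keys(payload: bytes) -> List[Tuple[int, bytes]]:
    """Single-byte XOR keys under which the payload becomes printable ASCII."""
    hits = []
    for key in range(1, 256):
        dec = bytes(b ^ key for b in payload)
        if all(0x20 <= c < 0x7F for c in dec):
            hits.append((key, dec))
    return hits


def triage(pkt: bytes) -> Optional[Dict]:
    """Classify one packet as baseline or review, with reasons for the analyst."""
    parsed = parse_echo_request(pkt)
    if parsed is None:
        return None
    src, dst, payload = parsed
    reasons: List[str] = []
    if is_baseline_ping(payload):
        verdict = "baseline"
    else:
        verdict = "review"
        if len(payload) == 9:
            reasons.append("9-byte payload (size of the reported activation string)")
        elif 0 < len(payload) < 16:
            reasons.append("short non-standard payload")
        for key, dec in xor_printable_keys(payload)[:3]:
            reasons.append(f"printable under single-byte XOR key 0x{key:02x}: {dec!r}")
        if not reasons:
            reasons.append("non-standard payload")
    return {"src": src, "dst": dst, "len": len(payload), "payload": payload,
            "verdict": verdict, "reasons": reasons}


def triage_all(packets: List[bytes]) -> List[Dict]:
    return [r for r in (triage(p) for p in packets) if r is not None]


# Constructed sample traffic: two ordinary pings and one hypothetical knock.
SAMPLE_PACKETS = [
    build_echo_request("10.0.0.5", "203.0.113.1", b"\x00" * 8 + bytes(range(0x10, 0x40))),
    build_echo_request("10.0.0.6", "203.0.113.1", WINDOWS_PING_PAYLOAD),
    build_echo_request("198.51.100.7", "203.0.113.1", bytes(c ^ 0x5A for c in b"ACTIVATE!")),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_PACKETS):
        print(finding["src"], finding["verdict"], finding["reasons"])
```

Run it against a capture by reading IPv4 frames from your own decoder and feeding them to `triage_all`; the baseline heuristics should be replaced with what a week of perimeter ICMP actually looks like before any of this is promoted to an alert.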
Mitigation priorities
- Maintain a current inventory of exposed network devices and their software/firmware state.
- Prioritize vulnerability and patch management for perimeter firewalls and other edge devices, especially when external reporting links malware activity to zero-day exploitation.
- Restrict and monitor administrative access to firewall management interfaces.
- Use configuration baselines, approved change workflows, and periodic integrity checks for network devices.
- Define IR playbooks for firewall compromise, including evidence preservation, configuration export, traffic review, credential rotation, and trusted rebuild or replacement when required.
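The configuration-baseline and integrity-check items above (and the filesystem review in the detection direction) can be scripted against exported snapshots. This is an added example for this page, not vendor, MITRE or Mandiant code. The config exports, the file manifest and its hashes are constructed for illustration, and the keywords used to rank configuration changes as high-risk are an assumption to be tuned for your device model.

```python
"""Diff a firewall config export and a file-hash manifest against a baseline (added example)."""
import difflib
import hashlib
from typing import Dict, List

# Constructed baseline and current config exports (illustrative CLI lines, not a real device).
BASELINE_CONFIG = """config system interface
    edit "wan1"
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""

CURRENT_CONFIG = """config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "support"
        set accprofile super_admin
    next
end
"""

# Assumed keywords whose changes deserve immediate review (management exposure, admin scope).
HIGH_RISK_KEYWORDS = ("allowaccess", "trusthost", "accprofile")


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """path -> sha256 of contents; in practice produced on the device or from a forensic image."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


# Constructed manifests: one modified system binary and one new file under a temp path.
BASELINE_FILES = manifest({"/bin/busybox": b"busybox-v1", "/bin/init": b"init-v1"})
CURRENT_FILES = manifest({"/bin/busybox": b"busybox-v1", "/bin/init": b"init-v2", "/tmp/.cache": b"??"})


def config_diff(baseline: str, current: str) -> List[str]:
    """Changed lines only (+/-), without unified-diff headers or hunk markers."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def rank_changes(changes: List[str]) -> List[str]:
    """Subset of changed lines that touch a high-risk keyword."""
    return [line for line in changes if any(k in line for k in HIGH_RISK_KEYWORDS)]


def file_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed, or whose hash changed relative to the baseline manifest."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def report() -> Dict:
    changes = config_diff(BASELINE_CONFIG, CURRENT_CONFIG)
    return {"config_changes": changes,
            "high_risk_changes": rank_changes(changes),
            "file_drift": file_drift(BASELINE_FILES, CURRENT_FILES)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Any entry in `high_risk_changes` or in `file_drift` that is not covered by an approved change record is a ticket: widened management access, an unexpected admin account, a modified system binary, or a new file outside the image all fit the tool-transfer and persistence behaviors listed for this object.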
Analyst notes and limits
The strongest decision value is the edge-device blind spot: CASTLETAP is described as a backdoor on compromised FortiGate firewalls, and its related techniques point to stealthy activation, command execution, data access, traffic observation, tool staging, and encrypted communications. This should drive validation of firewall telemetry, incident response procedures, and vulnerability management rather than a narrow signature-only approach.
ATT&CK provides no official detection guidance for this software object, lists no aliases, and attaches no tactics to the object itself. The assessment is based only on the official description, the Mandiant external reference, and ATT&CK relationships to UNC3886 and the related techniques. Local device models, logging configuration, firmware state, and network architecture are required to determine actual exposure or detection coverage.
CASTLETAP
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.004 | Unix Shell | CASTLETAP has the ability to spawn a BusyBox command shell in victim environments. [1] |
| Enterprise | T1205.002 | Socket Filters | CASTLETAP can listen for a specialized ICMP packet for activation on compromised network devices. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | CASTLETAP can transfer files to compromised network devices. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CASTLETAP can filter and deobfuscate an XOR-encrypted activation string in the payload of an ICMP echo request. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | CASTLETAP can initiate a C2 connection over an SSL socket. [1] |
| Enterprise | T1040 | Network Sniffing | CASTLETAP has the ability to create a raw promiscuous socket to sniff network traffic. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | CASTLETAP can receive a 9-byte XOR-encrypted activation string in the payload of an ICMP echo request packet. [1] |
| Enterprise | T1005 | Data from Local System | CASTLETAP can execute a C2 command to transfer files from victim machines. [1] |
Groups, software, and campaigns
G1048: UNC3886
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 59d9010af6f2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant Fortinet Zero Day: Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
- [2] mitre-attack S1224: MITRE ATT&CK software entry S1224 (CASTLETAP).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.