S9012: TRAILBLAZE
TRAILBLAZE is an in-memory dropper used to deploy the passive backdoor BRUSHFIRE. First reported in March 2025, TRAILBLAZE has been observed in operations attributed to People's Republic of China (PRC) state-sponsored affiliated actors, including UNC5221 and SYLVANITE. [1][2][3]
Analyst context for executives and security teams
TRAILBLAZE matters because it is described as an in-memory dropper for the BRUSHFIRE passive backdoor on Linux and network-device environments. For leaders, the practical issue is not just a malware name: in-memory deployment, file deletion, native API use, and process discovery can reduce the value of traditional file-only controls and make appliance or network-device investigations harder if logging and memory/forensic readiness are weak.
Executive priority
Prioritize validation around externally exposed or business-critical Linux and network-device platforms, especially where outage risk, remote access, OT connectivity, or compliance evidence depends on knowing whether devices were altered. Ask whether the SOC can collect enough host, appliance, process, and file-change evidence to investigate memory-resident malware and whether incident response plans include preserving volatile evidence before rebooting or reimaging systems.
Technical view
ATT&CK lists TRAILBLAZE as malware for Linux and Network Devices with no standalone detection guidance. Relationship context indicates use of Process Discovery, File Deletion, Native API, and a Process Hollowing relationship whose related platform is Windows, creating an important platform-context limitation. SOC and IR teams should validate visibility for process enumeration, suspicious deletion of temporary or dropped artifacts, low-level OS/API-driven execution behaviors where observable, and handoff indicators that may suggest deployment of BRUSHFIRE. Because the object is an in-memory dropper, response playbooks should account for volatile evidence collection and avoid assuming disk artifacts will remain.
Likely telemetry
- Linux process execution and process enumeration logs where available
- Network-device or appliance administrative, diagnostic, and system logs
- File creation, modification, and deletion events on supported systems
- EDR or host telemetry capable of memory/process behavior observation on Linux where deployed
- Volatile memory, running process, loaded module, and network connection evidence collected during IR
Detection direction
- Do not rely on file hashes or dropped-file detection alone; validate behavioral coverage for in-memory execution and cleanup behaviors.
- Tune for unusual process discovery activity on Linux and network-device contexts, while accounting for legitimate administrative diagnostics that may create false positives.
- Review file deletion events in sensitive paths, temporary locations, and application/plugin directories where local baselines support it.
- Correlate suspicious dropper-like activity with evidence of a passive backdoor deployment path to BRUSHFIRE, without assuming presence unless local telemetry supports it.
- Treat the Process Hollowing relationship carefully: the related technique is Windows-platform focused, while TRAILBLAZE is listed for Linux and Network Devices, so local evidence is needed before applying Windows-centric analytics.
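One way to turn the first three points into a concrete analytic, as an added example that is not part of the original page or of Glexia's or MITRE's material: the script below correlates, per host and process, reads of other processes' `/proc` entries (process discovery) with a deletion in a temporary path shortly afterwards (cleanup). The log format is a constructed, simplified auditd-style `key=value` layout, not real appliance output, and the window size and temp-path list are assumptions to tune against local baselines.

```python
import re
from collections import defaultdict

# Constructed sample records: host ics-01 shows enumeration of /proc entries followed
# by a temp-file deletion from the same pid; host ics-02 shows benign, unrelated activity.
SAMPLE_LOG = """\
ts=1700000000 host=ics-01 pid=4211 comm=web syscall=openat path=/proc/4100/cmdline
ts=1700000001 host=ics-01 pid=4211 comm=web syscall=openat path=/proc/4102/cmdline
ts=1700000003 host=ics-01 pid=4211 comm=web syscall=unlink path=/tmp/.t
ts=1700000500 host=ics-02 pid=910 comm=top syscall=openat path=/proc/1/stat
ts=1700003000 host=ics-02 pid=911 comm=logrotate syscall=unlink path=/var/log/old.1
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed cleanup locations
WINDOW = 60                                       # assumed correlation window, seconds
PROC_ENTRY = re.compile(r"^/proc/\d+/")           # reads of another process's /proc entry


def parse(line):
    """Split one key=value record into a dict (values may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.split())


def find_dropper_like(log, window=WINDOW):
    """Return (host, pid, first_enum_ts, delete_ts, path) tuples where the same process
    enumerated /proc entries and then deleted a temp-path file within `window` seconds."""
    enum_seen = defaultdict(list)  # (host, pid) -> timestamps of /proc reads
    hits = []
    for line in log.splitlines():
        r = parse(line)
        ts, key, path = int(r["ts"]), (r["host"], r["pid"]), r.get("path", "")
        if r["syscall"] == "openat" and PROC_ENTRY.match(path):
            enum_seen[key].append(ts)
        elif r["syscall"] in ("unlink", "unlinkat") and path.startswith(TEMP_DIRS):
            # Only the enumerate-then-delete sequence from one process is flagged; a
            # monitoring tool reading /proc alone, or a rotate job deleting alone, is not.
            recent = [t for t in enum_seen[key] if 0 <= ts - t <= window]
            if recent:
                hits.append((r["host"], r["pid"], recent[0], ts, path))
    return hits


if __name__ == "__main__":
    for hit in find_dropper_like(SAMPLE_LOG):
        print("dropper-like sequence:", hit)
```

Legitimate diagnostics such as `top` read `/proc` constantly, so the sequence rather than either event alone is what carries signal; treat a hit as a triage lead for volatile-evidence collection, not as confirmation of BRUSHFIRE.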
Mitigation priorities
- Inventory Linux and network-device assets that are externally exposed, business critical, or connected to sensitive operational environments.
- Ensure secure configuration, patch, and change-control programs cover network appliances as well as servers.
- Improve logging retention and centralized collection for Linux systems and supported network devices before an incident occurs.
- Prepare IR procedures for volatile evidence preservation, including running process, memory, configuration, and connection-state capture where legally and operationally feasible.
- Use least privilege and controlled administrative access for appliance and Linux management interfaces.
Analyst notes and limits
The strongest decision value is readiness: TRAILBLAZE is characterized as an in-memory dropper that supports deployment of BRUSHFIRE, so defenders should test whether their telemetry and response workflows can see behavior that may not leave durable files. The cited reporting includes PRC state-sponsored affiliated actor attribution, but this take does not infer current exposure or active exploitation in any specific environment.
MITRE provides no official detection text, no aliases, no explicit tactics for the malware object, and only limited relationship context. Platform support is Linux and Network Devices, while one related technique, Process Hollowing, is Windows-focused, so detection engineering must be validated against local telemetry and the cited reports rather than assumed from ATT&CK alone.
TRAILBLAZE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | TRAILBLAZE has conducted process discovery by searching for specific named processes such as `/home/bin/web`. [2][3] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | TRAILBLAZE has the ability to delete temporary files and contents in specified directories to cover its tracks. [2][3] |
| Enterprise | T1055.012 | Process Hollowing (sub-technique) | TRAILBLAZE has injected a hook into an existing process to load BRUSHFIRE into that process's allocated memory space, including the Ivanti Connect Secure (ICS) web process named `web`. [2][3] |
| Enterprise | T1106 | Native API | TRAILBLAZE has leveraged raw syscalls to execute commands. [2][3] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3b9ece31a6ac… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dragos SYLVANITE MuddyWater Electrum March 2026. Dragos. (2026, March 24). Dragos 2026 OT Cybersecurity Report: Year in Review, O&G and Petrochemicals Focus. Retrieved April 17, 2026.
- [2] Google UNC5221 Ivanti April 2025. John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie. (2025, April 3). Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457). Retrieved April 13, 2026.
- [3] Picus Security UNC5221 Ivanti May 2025. Sila Ozeren Hacioglu. (2025, May 5). UNC5221's Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti Connect Secure. Retrieved April 13, 2026.
- [4] mitre-attack S9012.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.