S9013: DRYHOOK
Analyst context for executives and security teams
DRYHOOK matters because ATT&CK describes it as a Python credential-stealing script on Linux and network-device platforms. For leaders, the practical risk is not just malware execution; it is the possibility that credentials, authentication paths, and security visibility on infrastructure devices could be weakened before defenders have complete endpoint-style telemetry.
Executive priority
Treat this as a control-validation prompt for internet-facing Linux and network-device environments, especially VPN or appliance workflows referenced by the supplied sources. Executives should ask whether security teams can prove they collect administrative CLI activity, authentication changes, service/tool tampering, local staging evidence, and image/configuration integrity signals from network devices—not only from traditional endpoints.
Technical view
ATT&CK provides no official detection text for DRYHOOK, so SOC and IR teams should validate coverage through the related behaviors: Python execution, network-device CLI execution, keylogging-oriented credential collection, local data staging, Linux permission changes, authentication-process modification, network-device authentication changes, system-image modification, service stopping, security-tool tampering, and encoded/encrypted file artifacts. The highest-value validation is whether Linux and network-device logs can show suspicious interpreter use, unexpected administrative commands, authentication component changes, and loss or degradation of monitoring services.
Likely telemetry
- Linux process execution and command-line telemetry for Python scripts
- Network device administrative CLI logs and command history where available
- Authentication logs for Linux systems, identity-facing appliances, and network devices
- File integrity or configuration monitoring for authentication components, permissions, and sensitive directories
- Network device firmware, system image, and configuration integrity evidence
Detection direction
- Do not rely on a DRYHOOK-specific signature; ATT&CK does not provide detection guidance for this object.
- Baseline legitimate Python usage on Linux systems and investigate Python execution in unusual paths, by unexpected users, or near authentication data handling.
- Correlate network-device CLI activity with admin identity, change windows, and configuration/image changes; many organizations lack durable appliance command telemetry.
- Tune for combinations of behaviors: credential-access indicators plus local staging, permission changes, authentication-process modification, or service/security-tool disruption.
- Treat service stops and monitoring-agent failures as investigation pivots, not standalone proof of DRYHOOK, because administrative maintenance can create false positives.
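The combination-based approach in the list above can be expressed as a small correlation rule. The following is an added example written for this page, not code from Glexia, ATT&CK or the cited reports: it takes normalized host events (an assumed schema with ts, host, user, type and detail, as an agent or log normalizer might emit), maps each to one of the behaviors named on this page, and grades each host/window by how many distinct behaviors co-occur, so a lone service stop is only a pivot. The sample events are constructed; the monitored path `/home/perl/DSAuth.pm`, the staging file `/tmp/cmmmap.kumMW` and the `cgi-server` process name come from the technique table on this page, and the staging directories and window length are assumed local policy.

```python
# Added example, not code from the page, ATT&CK or Glexia: correlate normalized
# host events into the behavior combinations described in "Detection direction".
import os
from collections import defaultdict

# Constructed sample events (assumed schema; timestamps in seconds).
SAMPLE_EVENTS = [
    {"ts": 100, "host": "vpn-edge-01", "user": "root", "type": "exec",
     "detail": "/usr/bin/python3 /tmp/run.py"},
    {"ts": 101, "host": "vpn-edge-01", "user": "root", "type": "remount", "detail": "rw"},
    {"ts": 102, "host": "vpn-edge-01", "user": "root", "type": "file_write",
     "detail": "/home/perl/DSAuth.pm"},
    {"ts": 103, "host": "vpn-edge-01", "user": "root", "type": "file_create",
     "detail": "/tmp/cmmmap.kumMW"},
    {"ts": 104, "host": "vpn-edge-01", "user": "root", "type": "remount", "detail": "ro"},
    {"ts": 105, "host": "vpn-edge-01", "user": "root", "type": "proc_kill", "detail": "cgi-server"},
    # A second host where an administrator restarts the same service during a
    # change window and runs an approved script: a pivot, not an alert.
    {"ts": 900, "host": "vpn-edge-02", "user": "admin", "type": "proc_kill", "detail": "cgi-server"},
    {"ts": 901, "host": "vpn-edge-02", "user": "admin", "type": "exec",
     "detail": "/usr/bin/python3 /opt/tools/healthcheck.py"},
]

STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed local policy
AUTH_COMPONENTS = {"/home/perl/DSAuth.pm"}           # from the page; extend locally
MONITORED_SERVICES = {"cgi-server"}                   # from the page; extend locally
WINDOW_SECONDS = 600                                  # assumed correlation window


def classify(event):
    """Map one normalized event to the indicator it represents, else None."""
    kind, detail = event["type"], event["detail"]
    if kind == "exec":
        argv = detail.split()
        if (len(argv) > 1
                and os.path.basename(argv[0]).startswith("python")
                and argv[1].startswith(STAGING_DIRS)):
            return "interpreter_run_from_staging_dir"
        return None
    if kind == "remount" and detail == "rw":
        return "filesystem_remounted_rw"
    if kind == "file_write" and detail in AUTH_COMPONENTS:
        return "auth_component_modified"
    if kind == "file_create" and detail.startswith(STAGING_DIRS):
        return "staging_file_created"
    if kind == "proc_kill" and detail in MONITORED_SERVICES:
        return "monitored_service_stopped"
    return None


def _cluster(hits, window):
    """Split a host's time-ordered hits into groups no wider than window."""
    groups, current = [], []
    for hit in hits:
        if current and hit["ts"] - current[0]["ts"] > window:
            groups.append(current)
            current = []
        current.append(hit)
    if current:
        groups.append(current)
    return groups


def correlate(events, window=WINDOW_SECONDS):
    """Return one finding per host/window; severity grows with the number of
    distinct behaviors, and an authentication-component write is always high."""
    per_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        indicator = classify(event)
        if indicator:
            per_host[event["host"]].append({**event, "indicator": indicator})
    findings = []
    for host, hits in per_host.items():
        for group in _cluster(hits, window):
            indicators = sorted({h["indicator"] for h in group})
            if "auth_component_modified" in indicators or len(indicators) >= 3:
                severity = "high"
            elif len(indicators) == 2:
                severity = "medium"
            else:
                severity = "pivot"   # e.g. a lone service stop during maintenance
            findings.append({
                "host": host,
                "users": sorted({h["user"] for h in group}),
                "first_ts": group[0]["ts"],
                "severity": severity,
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Running it over the constructed events yields a high-severity finding for `vpn-edge-01` (five distinct behaviors inside one window) and only a pivot for `vpn-edge-02`, which matches the guidance that service stops are investigation leads rather than proof on their own. The `users` field is kept so the finding can be joined against admin identity and change-window records before escalation.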
Mitigation priorities
- Prioritize hardening and timely remediation for externally exposed Linux and network-device appliances covered by vulnerability-management programs.
- Restrict and monitor administrative access to network devices and Linux hosts, including strong authentication, least privilege, and change-control evidence.
- Reduce unnecessary Python/script execution paths on sensitive systems and monitor approved interpreter use.
- Maintain integrity baselines and recoverable known-good images/configurations for network devices and authentication components.
- Protect logging and security tooling from tampering; alert on service stoppage, agent degradation, or configuration changes that reduce visibility.
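The integrity-baseline item above is concrete enough to show in code. The following is an added example written for this page, not code from Glexia, ATT&CK or any appliance vendor: it fingerprints monitored authentication components by content hash and permission bits, stores that as a manifest, and re-verifies later, reporting content changes separately from permission-only changes (the page lists both authentication-component modification and Linux permission changes as related behaviors). The files and their contents are constructed stand-ins created under a scratch directory; `perl/DSAuth.pm` models the `/home/perl/DSAuth.pm` path named on this page, and the second file is an assumed configuration file.

```python
# Added example, not code from the page, ATT&CK or Glexia: a minimal integrity
# baseline for authentication components (content hash plus permission bits).
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_fingerprint(path):
    """Return (sha256 hex digest, permission bits) for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return digest.hexdigest(), mode


def build_baseline(root, rel_paths):
    """Record hash and mode for each monitored file below root."""
    baseline = {}
    for rel in rel_paths:
        sha, mode = file_fingerprint(os.path.join(root, rel))
        baseline[rel] = {"sha256": sha, "mode": mode}
    return baseline


def verify(root, baseline):
    """Compare live files with the baseline and classify every monitored path."""
    report = {"unchanged": [], "modified": [], "permission_changed": [], "missing": []}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
            continue
        sha, mode = file_fingerprint(path)
        if sha != expected["sha256"]:
            report["modified"].append(rel)
        elif mode != expected["mode"]:
            report["permission_changed"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def demo():
    """Baseline constructed files, simulate two kinds of tampering, re-verify.
    Returns (clean_report, tampered_report, manifest_json)."""
    root = tempfile.mkdtemp()
    try:
        # Constructed stand-ins; not the real module or a real appliance config.
        files = {
            "perl/DSAuth.pm": b"package DSAuth;\n# constructed stand-in\n1;\n",
            "etc/appliance.conf": b"auth_backend=local\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, 0o644)
        baseline = build_baseline(root, list(files))
        manifest = json.dumps(baseline, sort_keys=True)   # store this off-box
        clean = verify(root, baseline)
        # Simulated tampering: content change on the auth module, mode change on the config.
        with open(os.path.join(root, "perl/DSAuth.pm"), "ab") as fh:
            fh.write(b"# appended line\n")
        os.chmod(os.path.join(root, "etc/appliance.conf"), 0o600)
        tampered = verify(root, baseline)
        return clean, tampered, manifest
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    clean_report, tampered_report, _ = demo()
    print("clean:", clean_report)
    print("tampered:", tampered_report)
```

The manifest must live somewhere the device cannot rewrite (a management host or a signed store), otherwise a change that also rewrites the manifest is invisible; on a real appliance the same check would be driven from the vendor's integrity tooling or a remote collector rather than a script on the box. Permission-only changes are reported on their own line because they are a lower-confidence signal than content changes but still worth a ticket.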
Analyst notes and limits
The supplied ATT&CK relationships make DRYHOOK more material than a generic script because they connect credential theft with execution, staging, defense impairment, authentication modification, and network-device system-image risk. The official description also states prior use by PRC state-affiliated actors identified as UNC5221 and SYLVANITE, but this take does not infer current activity or customer exposure.
ATT&CK provides no official detection text, no aliases, and no malware-specific tactics for this object. Coverage decisions require local evidence about Linux logging depth, network-device telemetry, appliance exposure, administrative workflows, and whether configuration/image integrity is monitored.
DRYHOOK
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | DRYHOOK has the ability to remount the filesystem as "read-write" to make changes and then restores it to "read-only" prior to killing processes to apply the modifications. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1056.001 | Keylogging Sub-technique | DRYHOOK has captured user credentials and passwords in plaintext and has encrypted them in a stored file on the network device. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | DRYHOOK has stored stolen credentials for future use in the temp folder of a victimized Ivanti Connect Secure VPN device, specifically in the file location `/tmp/cmmmap.kumMW`. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1059.008 | Network Device CLI Sub-technique | DRYHOOK has the ability to interact with Ivanti Connect Secure environments and to modify system components. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1601 | Modify System Image | DRYHOOK has modified the Ivanti Connect Secure VPN authentication Perl module `DSAuth.pm` by reading its contents into a buffer, then finding and replacing select lines of code. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1685 | Disable or Modify Tools | DRYHOOK has killed all instances of the `cgi-server` process in order for the modified Perl module to be activated. [Google UNC5221 Ivanti January 2025] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | DRYHOOK has encrypted stolen credential strings within a file using both Base64 and RC4 with a hard-coded key. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1556 | Modify Authentication Process | DRYHOOK has intercepted and logged user credentials by modifying the Perl module on Ivanti Connect Secure VPN edge devices, located at `/home/perl/DSAuth.pm`. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1059.006 | Python Sub-technique | DRYHOOK is a Python-based script that executes within the victim environment. [Google UNC5221 Ivanti January 2025] [Picus Security UNC5221 Ivanti May 2025] |
| Enterprise | T1489 | Service Stop | DRYHOOK has terminated all instances of the `cgi-server` process before activating the modified `DSAuth.pm` file. [Google UNC5221 Ivanti January 2025] |
| Enterprise | T1556.004 | Network Device Authentication Sub-technique | DRYHOOK has patched victim appliances' authentication routines to capture credentials in plaintext as users log in. [Google UNC5221 Ivanti January 2025] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9d167e8a352c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dragos SYLVANITE MuddyWater Electrum March 2026: Dragos. (2026, March 24). Dragos 2026 OT Cybersecurity Report: Year in Review, O&G and Petrochemicals Focus. Retrieved April 17, 2026.
- [2] Google UNC5221 Ivanti January 2025: John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, Jacob Thompson. (2025, January 8). Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation. Retrieved April 14, 2026.
- [3] Picus Security UNC5221 Ivanti May 2025: Sila Ozeren Hacioglu. (2025, May 5). UNC5221's Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti Connect Secure. Retrieved April 13, 2026.
- [4] mitre-attack S9013
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.