S9014: PHASEJAM
Analyst context for executives and security teams
PHASEJAM matters because it is described by ATT&CK as a bash-script dropper that modifies Ivanti Connect Secure appliance components. That places it in a high-value edge-device context where normal endpoint tooling may be limited and where compromised VPN or access appliances can affect remote access, identity-adjacent trust paths, incident containment, and business continuity.
Executive priority
Treat this as an edge-appliance resilience and visibility issue, not just a malware issue. Leaders should ask whether Ivanti Connect Secure appliances are inventoried, monitored, backed up, and included in incident response playbooks; whether appliance integrity can be validated after suspicious activity; and whether logs from network devices are retained well enough to support audit, breach assessment, and recovery decisions. The ATT&CK relationships also point to persistence, defense impairment, exfiltration, service disruption, and data manipulation behaviors, which makes control validation and recovery planning important.
Technical view
ATT&CK provides no official detection text for PHASEJAM, so SOC and IR validation should be behavior-led. Focus on Linux and network-device evidence around shell-script execution, appliance component modification, renamed utilities, encoded or obfuscated files and commands, file transfers to the appliance, web shell indicators, service stoppage, shell configuration changes, host software binary changes, delayed execution, and security-tool or UI tampering. Because the relationship text names specific Ivanti Connect Secure components (`getComponent.cgi`, `restAuth.cgi`, `DSUpgrade.pm`, `/home/bin/remotedebug` and the `cgi-server` process), responders should prioritize integrity checks of those files and their directories, configuration review, web-accessible file review, and comparison against a known-good appliance of the same version where one is available. A successful-looking upgrade is not by itself evidence of integrity: the procedure text describes PHASEJAM blocking upgrades while rendering a fake progress display, so the running version should be confirmed independently of the upgrade UI.
Likely telemetry
- Ivanti Connect Secure appliance system, admin, web, authentication, and upgrade/change logs
- Network device CLI and command history where available
- Linux shell execution, script execution, and process creation evidence from the appliance or supporting logs
- File integrity or configuration change records for appliance components, web directories, shell configuration files, and host binaries
- Network transfer metadata showing inbound tool or file movement and outbound communications over existing channels
Detection direction
- Do not rely on a single signature: ATT&CK reports obfuscation, encoded files, deobfuscation, renamed utilities, delayed execution, and UI/tool tampering relationships.
- Validate whether edge-appliance logs are actually collected centrally before an incident; local-only logs may be unavailable or altered during response.
- Tune for suspicious modification of appliance components, unexpected web-accessible scripts, unusual shell or CLI activity, unexpected service stops, and file transfers to or from the appliance.
- Correlate behavior across techniques: ingress transfer followed by decoding, component modification, web shell placement, service stop, and impaired monitoring is more meaningful than any one event alone.
- Account for false positives from legitimate upgrades, vendor support actions, administrator troubleshooting, and maintenance scripts by baselining approved change windows and known administrative paths.
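One concrete way to act on the component-modification, renamed-utility and web-accessible-script items above is an offline integrity triage of the appliance filesystem against a known-good manifest. The script below is an added example for this page, not Ivanti, Google or MITRE code. It assumes a sha256 manifest taken from a pristine appliance of the same version (constructed here from `GOOD`), a filesystem snapshot of the suspect appliance (constructed here as `SUSPECT`; `load_tree()` reads a mounted image instead), and an assumed web root `WEB_ROOT`. The component names and indicator strings (`getComponent.cgi`, `restAuth.cgi`, `DSUpgrade.pm`, `/home/bin/remotedebug`, `remotedebug.bak`, `MIME::Base64`, `processUpgradeDisplay`) come from the ATT&CK procedure text on this page; every directory path other than `/home/bin/remotedebug` is assumed.

```python
"""Integrity triage of an appliance filesystem snapshot (added example, not vendor or MITRE code).

Assumptions: a known-good sha256 manifest exists (constructed here from GOOD; in
practice it comes from a pristine appliance of the same version or the vendor's
integrity checker), and the suspect filesystem is available offline (constructed
here as SUSPECT; load_tree() reads a mounted image instead). Component names and
indicator strings come from the ATT&CK procedure text; WEB_ROOT and the directory
layout beneath it are assumed.
"""
import hashlib
import os
import re
from dataclasses import dataclass

WEB_ROOT = "/home/webserver/htdocs/"  # assumed web-accessible root, not from the page

# Indicators are scanned only in files that are new or differ from the manifest, so
# legitimate Perl that happens to use MIME::Base64 is not flagged on its own.
INDICATORS = (
    (re.compile(rb"MIME::Base64"), "T1505.003", "Base64 helper present in a changed CGI/Perl file"),
    (re.compile(rb"processUpgradeDisplay"), "T1685.003", "fake upgrade progress routine"),
    (re.compile(rb"\bsleep\b"), "T1678", "sleep inserted into a changed component"),
)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str       # modified | missing | renamed-original | new | indicator
    technique: str  # ATT&CK technique the observation maps to
    detail: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: dict) -> dict:
    """Known-good manifest: in-appliance path -> sha256 of the pristine file."""
    return {path: sha256(data) for path, data in tree.items()}


def load_tree(root: str) -> dict:
    """Read an offline-mounted appliance image into path -> bytes (regular files only)."""
    tree = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    tree[rel] = fh.read()
    return tree


def triage(tree: dict, manifest: dict) -> list:
    """Compare a snapshot against the manifest and map each deviation to a technique."""
    findings, changed = [], []
    for path, good in manifest.items():
        if path not in tree:
            findings.append(Finding(path, "missing", "T1554", "manifest component absent from snapshot"))
        elif sha256(tree[path]) != good:
            changed.append(path)
            findings.append(Finding(path, "modified", "T1554", "sha256 differs from known-good"))
    for path in sorted(set(tree) - set(manifest)):
        base, ext = os.path.splitext(path)
        if ext == ".bak" and base in manifest:
            # Renamed-utility pattern: original parked as .bak next to a replaced file.
            same = sha256(tree[path]) == manifest[base]
            detail = "backup of a manifest utility" + (" carrying the original's known-good hash" if same else "")
            findings.append(Finding(path, "renamed-original", "T1036.003", detail))
            continue
        changed.append(path)
        tech = "T1505.003" if path.startswith(WEB_ROOT) else "T1105"
        findings.append(Finding(path, "new", tech, "file not present in manifest"))
    for path in changed:
        for rx, tech, desc in INDICATORS:
            if rx.search(tree[path]):
                findings.append(Finding(path, "indicator", tech, desc))
    return findings


# Constructed stand-ins: GOOD mimics a pristine appliance, SUSPECT the behaviours the
# ATT&CK procedures describe (modified CGI, altered DSUpgrade.pm, replaced remotedebug
# with the original renamed to .bak). File contents are placeholders, not real code.
GOOD = {
    WEB_ROOT + "dana-na/getComponent.cgi": b"#!/usr/bin/perl\nuse strict;\nprint \"component\\n\";\n",
    WEB_ROOT + "dana-na/restAuth.cgi": b"#!/usr/bin/perl\nuse strict;\nprint \"auth\\n\";\n",
    "/home/perl/DSUpgrade.pm": b"package DSUpgrade;\nsub run_upgrade { return 0 }\n1;\n",
    "/home/bin/remotedebug": b"\x7fELF placeholder for the legitimate utility\n",
}
SUSPECT = dict(GOOD)
SUSPECT[WEB_ROOT + "dana-na/getComponent.cgi"] += b"use MIME::Base64;\n# placeholder for inserted web shell\n"
SUSPECT["/home/perl/DSUpgrade.pm"] = b"package DSUpgrade;\nsub processUpgradeDisplay { sleep 1 }\nsub run_upgrade { return 1 }\n1;\n"
SUSPECT["/home/bin/remotedebug.bak"] = GOOD["/home/bin/remotedebug"]
SUSPECT["/home/bin/remotedebug"] = b"#!/bin/bash\n# placeholder for a replaced utility script\n"

if __name__ == "__main__":
    for f in triage(SUSPECT, build_manifest(GOOD)):
        print(f"{f.technique:10} {f.kind:17} {f.path}  {f.detail}")
```

Content indicators are evaluated only on files that are new or differ from the manifest, which keeps legitimate Perl that uses `MIME::Base64` from producing findings on its own; a `.bak` sibling whose hash equals the manifest entry for the original is called out explicitly, since that is the renamed-utility pattern the T1036.003 row describes. Run the check against an image taken from the appliance rather than on the live system, so that a tampered appliance cannot interfere with the result.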
Mitigation priorities
- Prioritize complete inventory and ownership of Ivanti Connect Secure appliances and other Linux/network-device edge systems.
- Ensure vendor-supported patching, upgrade, backup, and restore processes are documented and tested for these appliances.
- Centralize and retain appliance logs, administrative activity, network metadata, and monitoring health signals outside the appliance itself.
- Implement change control and integrity validation for appliance components, web content, shell configuration, and key binaries where supported.
- Restrict and monitor administrative access to appliance CLI and management interfaces; review privileged access paths after any suspicious activity.
Analyst notes and limits
The supplied ATT&CK object identifies PHASEJAM as a bash dropper affecting Ivanti Connect Secure appliance components and notes previous use by PRC-affiliated actors identified as UNC5221 and SYLVANITE. The relationship set gives useful behavioral context spanning stealth, execution, command-and-control, persistence, exfiltration, impact, and defense impairment, even though the object itself has no tactics listed and no official detection guidance.
This take is limited to the provided ATT&CK fields, external references, and relationships. It does not establish current exploitation, customer exposure, confirmed impact, or guaranteed detection. Local appliance versions, logging configuration, network architecture, vendor guidance, and forensic evidence are required to determine actual risk and coverage.
PHASEJAM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1554 | Compromise Host Software Binary | PHASEJAM has modified legitimate components to enable persistence and execution, including inserting a web shell into `getComponent.cgi` and `restAuth.cgi`, modifying `DSUpgrade.pm` to block system upgrades, and overwriting `remotedebug` to execute arbitrary commands when specific parameters are provided. [2] |
| Enterprise | T1489 | Service Stop | PHASEJAM has disabled the `cgi-server` process on Ivanti Connect Secure appliances. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PHASEJAM has the ability to decode Base64 commands and data. [2] |
| Enterprise | T1036.003 | Rename Legitimate Utilities | PHASEJAM has renamed the file `/home/bin/remotedebug` to `remotedebug.bak`, allowing the threat actors to write a malicious `/home/bin/remotedebug` shell script. [2] |
| Enterprise | T1027.010 | Command Obfuscation | PHASEJAM has encoded commands with Base64. [2] |
| Enterprise | T1678 | Delay Execution | PHASEJAM has used the `sleep` command within its code to generate a fake HTML upgrade progress bar that mimics a running process. [2] |
| Enterprise | T1565 | Data Manipulation | PHASEJAM has blocked legitimate upgrades of Ivanti Connect Secure systems and falsely indicated a successful upgrade while the appliance continued to run the older version. [2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | PHASEJAM has launched a web shell using the `MIME::Base64` module to encode and decode Base64 commands. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | PHASEJAM has the ability to upload files onto the compromised appliance. [2] |
| Enterprise | T1505.003 | Web Shell | PHASEJAM has inserted Perl-based web shells into legitimate files, providing threat actors with remote access and code execution on the compromised network appliance. [2] |
| Enterprise | T1685.003 | Modify or Spoof Tool UI | PHASEJAM has prevented legitimate Ivanti Connect Secure system upgrades by intercepting the upgrade command and rendering a fake HTML upgrade progress bar through a function called `processUpgradeDisplay()`, allowing the compromised device to remain under adversary control. [2] |
| Enterprise | T1685 | Disable or Modify Tools | PHASEJAM has modified Ivanti Connect Secure appliances and blocked system upgrades by altering the `DSUpgrade.pm` file. [2] |
| Enterprise | T1546.004 | Unix Shell Configuration Modification | PHASEJAM has used a bash script to modify components on Ivanti Connect Secure appliances and execute files via `/bin/bash`. It has also used the Linux stream editor (`sed`) to execute commands. [2] |
| Enterprise | T1059.008 | Network Device CLI | PHASEJAM has leveraged native commands associated with the compromised network appliance to execute code. [2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | PHASEJAM has the ability to exfiltrate data from the victim appliance. [2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4057a8620b5b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dragos SYLVANITE MuddyWater Electrum March 2026: Dragos. (2026, March 24). Dragos 2026 OT Cybersecurity Report: Year in Review, O&G and Petrochemicals Focus. Retrieved April 17, 2026.
- [2] Google UNC5221 Ivanti January 2025: John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, Jacob Thompson. (2025, January 8). Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation. Retrieved April 14, 2026.
- [3] mitre-attack S9014: the mirrored ATT&CK source object for this software entry.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.