S9024: SPAWNCHIMERA
SPAWNCHIMERA is a backdoor that supports command and control and can inject malicious components into native processes.[1][2][3] It incorporates capabilities from multiple tools within the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL.[4][2][3] SPAWNCHIMERA was first reported in April 2024.[2] SPAWNCHIMERA has been observed in activity attributed to People's Republic of China (PRC) state-sponsored threat actors, including UNC5221.[4][5][2][6]
Analyst context for executives and security teams
SPAWNCHIMERA matters because it is described as a Linux and network-device backdoor with command-and-control capability, native process injection, persistence, stealth, discovery, and defense-impairment behaviors. For leaders, the practical issue is not just malware removal; it is whether edge and appliance-like systems have enough logging, integrity monitoring, egress control, and incident response procedures to prove whether access persisted or sensitive local data was reached.
Executive priority
Prioritize this as an edge-device and Linux resilience question. External references center on Ivanti Connect Secure reporting, so organizations with similar network-access infrastructure should ask whether vulnerability management, appliance logging, backup/rebuild procedures, and SOC escalation paths are mature enough for compromised network devices. This behavior also supports audit and compliance discussions: can the organization show central logs, change evidence, and investigation records when command history, files, timestamps, or security tools may be modified?
Technical view
ATT&CK provides no official detection text for SPAWNCHIMERA, so defenders should validate coverage from the related behaviors. Focus on Linux and network-device evidence for local data access, boot or logon initialization changes, web shell placement, process and system discovery, Python execution, IPC activity, dynamic linker hijacking, file deletion, timestomping, encoded files, command-history suppression, security-tool tampering, network sniffing, and C2 over non-standard ports or protocol tunnels. Treat the Windows/macOS-specific related techniques as context only unless local evidence shows those platforms are involved.
Likely telemetry
- Centralized network-device and appliance logs, including admin logins, configuration changes, and service restarts
- Linux process execution, parent-child process, command-line, interpreter, and script execution logs where available
- File integrity and metadata monitoring for web roots, boot or logon initialization locations, shared libraries, dynamic linker configuration, and unexpected timestamp changes
- Network flow, firewall, proxy, DNS, and packet-capture metadata for non-standard port use, protocol tunneling, and unusual outbound connections from appliances or Linux hosts
- Evidence of promiscuous-mode use or packet capture activity on Linux/network devices
Detection direction
- Build detections around behavior clusters rather than the malware name alone, since no official ATT&CK detection guidance is provided.
- Correlate persistence signals such as boot scripts, web shell-like files, and dynamic linker changes with unusual process execution or outbound network activity.
- Tune for legitimate administration: maintenance scripts, patching, troubleshooting packet captures, backup jobs, and vendor support activity can resemble parts of these behaviors.
- Look for visibility gaps on network devices; many appliances do not provide endpoint-grade telemetry, so central syslog, configuration backups, network telemetry, and external integrity checks may decide whether coverage exists.
- Investigate combinations of stealth indicators: encoded files plus later decoding, file deletion, timestamp anomalies, command-history suppression, or security-tool modification.
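The cluster-based correlation described in the detection points above, as an added example that is not part of the ATT&CK object, the Glexia analysis, or any vendor tooling. The persistence path, the `dspkginstall` name, the `dslogserver` process and the localhost port 8300 come from the technique table on this page; the telemetry records, host names and the `Event` schema are constructed for illustration.

```python
"""Behaviour-cluster correlation for SPAWNCHIMERA-like activity on a Linux appliance.
Added example: scores constructed telemetry against the persistence, stealth and C2
clusters listed on the page and escalates hosts where two or more clusters co-occur."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the page's technique table (T1037, T1574, T1690, T1571).
PERSISTENCE_PATHS = ("/tmp/coreboot_fs/bin/init", "dspkginstall")
LOGGING_PROCS = ("dslogserver",)
LOCAL_C2_PORT = 8300

@dataclass
class Event:            # constructed record shape, not a real product schema
    host: str
    kind: str           # "file_modify", "stat", "listen", "proc_kill", "tool_modify"
    detail: dict

def classify(ev: Event) -> Optional[str]:
    """Map one record onto a cluster name, or None when it is unremarkable."""
    d = ev.detail
    if ev.kind == "file_modify" and any(p in d["path"] for p in PERSISTENCE_PATHS):
        return "persistence"
    if ev.kind == "stat" and d["mtime"] + 86400 < d["ctime"]:
        # `touch` rewrites mtime but cannot set ctime; a large gap hints at timestomping
        return "stealth"
    if ev.kind == "proc_kill" and d["name"] in LOGGING_PROCS:
        return "stealth"
    if ev.kind == "tool_modify" and "integrity" in d["tool"].lower():
        return "stealth"
    if ev.kind == "listen" and d["addr"] == "127.0.0.1" and d["port"] == LOCAL_C2_PORT:
        return "c2"
    return None

def correlate(events: list) -> dict:
    """Collect the distinct clusters triggered per host."""
    hits = defaultdict(set)
    for ev in events:
        c = classify(ev)
        if c:
            hits[ev.host].add(c)
    return dict(hits)

def hosts_to_escalate(events: list, min_clusters: int = 2) -> list:
    """Hosts where at least `min_clusters` different clusters fired."""
    return sorted(h for h, c in correlate(events).items() if len(c) >= min_clusters)

SAMPLE = [  # constructed telemetry; timestamps are arbitrary epoch seconds
    Event("ics-01", "file_modify", {"path": "/tmp/coreboot_fs/bin/init"}),
    Event("ics-01", "stat", {"path": "/constructed/bin", "mtime": 1_600_000_000, "ctime": 1_740_000_000}),
    Event("ics-01", "listen", {"addr": "127.0.0.1", "port": 8300}),
    Event("ics-02", "stat", {"path": "/etc/hosts", "mtime": 1_740_000_000, "ctime": 1_740_000_100}),
    Event("ics-02", "listen", {"addr": "0.0.0.0", "port": 443}),
]

if __name__ == "__main__":
    print(correlate(SAMPLE), hosts_to_escalate(SAMPLE))
```

Thresholds such as the one-day mtime/ctime gap and the two-cluster escalation rule are tuning knobs; maintenance windows and vendor support sessions will legitimately trip single clusters.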
Mitigation priorities
- Inventory and risk-rank Linux systems and network devices, especially internet-facing remote access infrastructure referenced by the external reporting context.
- Keep affected appliances and Linux platforms under disciplined vulnerability and patch management; where patch assurance is weak, prioritize compensating monitoring and segmentation.
- Restrict administrative access, enforce least privilege, and centralize authentication and logging for network devices and Linux hosts.
- Harden persistence surfaces: control writable web directories, boot/logon initialization paths, dynamic linker configuration, and script execution locations.
- Limit and monitor outbound connectivity from appliances and servers; prefer explicit egress rules over broad internet access.
Analyst notes and limits
The ATT&CK object identifies SPAWNCHIMERA as a backdoor first reported in April 2024 and observed in activity attributed to PRC state-sponsored actors including UNC5221. The defensive value is highest when mapped to local edge-device exposure, logging depth, and recovery capability. Several related techniques are broad or include platforms outside the object’s Linux/network-device platform scope, so platform alignment should be confirmed before converting them into detections.
No official ATT&CK detection text, aliases, labels, or malware-level tactics were supplied. This take relies on the provided description, external references, platforms, and uses-relationships only. Local product versions, exposure, logs, and incident evidence are required before concluding compromise, attribution, or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SPAWNCHIMERA has decoded an XOR-encoded private key. (Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) |
| Enterprise | T1057 | Process Discovery | SPAWNCHIMERA has searched for running processes, including web and dsmdm. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) |
| Enterprise | T1678 | Delay Execution | SPAWNCHIMERA has used delayed execution to pause for a defined interval before performing environment discovery, repeatedly checking for specific processes, such as the `dslogserver` process, prior to continuing execution. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) |
| Enterprise | T1505.003 | Web Shell Sub-technique | SPAWNCHIMERA has created web shells that facilitate actions on the victim host. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) |
| Enterprise | T1574 | Hijack Execution Flow | SPAWNCHIMERA can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process. (Citation: Google UNC5221 Ivanti January 2025) (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | SPAWNCHIMERA has modified the boot process files within `/tmp/coreboot_fs/bin/init` to establish persistence. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | SPAWNCHIMERA has checked whether SELinux is enabled on the targeted host. (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) |
| Enterprise | T1005 | Data from Local System | SPAWNCHIMERA has extracted the device's Linux kernel image (vmlinux). (Citation: CISA SPAWNCHIMERA RESURGE February 2026) (Citation: Google UNC5221 Ivanti April 2025) (Citation: Picus Security UNC5221 Ivanti May 2025) |
| Enterprise | T1572 | Protocol Tunneling | SPAWNCHIMERA has created SSH tunnels to facilitate C2 communications. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) (Citation: Google UNC5221 Ivanti January 2025) (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) |
| Enterprise | T1059.006 | Python Sub-technique | SPAWNCHIMERA has searched the contents of two Python files, scanner.py and scanner_legacy.py, for specific lines and replaced them with values that reduce their ability to track mismatches or new files. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) |
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | SPAWNCHIMERA has been compiled as a Position Independent Executable (PIE) to use a third-party library for injection. (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | SPAWNCHIMERA has encoded a private key with XOR. (Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) SPAWNCHIMERA has also encrypted data to be extracted using AES encryption. (Citation: Google UNC5221 Ivanti April 2025) (Citation: Picus Security UNC5221 Ivanti May 2025) |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | SPAWNCHIMERA has executed only in memory and hooked itself into existing processes on the victim device, including the web process. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) (Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) |
| Enterprise | T1559 | Inter-Process Communication | SPAWNCHIMERA has leveraged IPC using a UNIX domain socket between the dsmdm process and the web process. (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) (Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) |
| Enterprise | T1040 | Network Sniffing | SPAWNCHIMERA has monitored and filtered network traffic on compromised edge devices, allowing legitimate traffic to pass while redirecting attacker-controlled traffic to infrastructure under adversary control. (Citation: Google UNC5221 Ivanti January 2025) (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) |
| Enterprise | T1690 | Prevent Command History Logging | SPAWNCHIMERA has disabled logging and log forwarding on Ivanti devices by targeting the `dslogserver` process. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) (Citation: Google UNC5221 Ivanti April 2025) (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) (Citation: Picus Security UNC5221 Ivanti May 2025) |
| Enterprise | T1571 | Non-Standard Port | SPAWNCHIMERA has the ability to bind on localhost and listen on port 8300. (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) (Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) |
| Enterprise | T1070.004 | File Deletion Sub-technique | SPAWNCHIMERA has deleted generated files and folders from victim devices. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) |
| Enterprise | T1685 | Disable or Modify Tools | SPAWNCHIMERA has modified the Ivanti Integrity Checker Tool to evade detection. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) (Citation: Picus Security UNC5221 Ivanti May 2025) |
| Enterprise | T1553.002 | Code Signing Sub-technique | SPAWNCHIMERA has generated RSA keys against modified files to sign the manifest file so that the files appear legitimate. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) (Citation: Google UNC5221 Ivanti January 2025) |
| Enterprise | T1070.006 | Timestomp Sub-technique | SPAWNCHIMERA has updated file timestamps using the `touch` command. (Citation: CISA SPAWNCHIMERA RESURGE February 2026) |
| Enterprise | T1082 | System Information Discovery | SPAWNCHIMERA has obtained system information such as release, uptime, and current time. (Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | SPAWNCHIMERA has fixed a buffer overflow vulnerability (CVE-2025-0282) by hooking the strncpy function and limiting the copy size to 256, preventing other actors from leveraging the exploit. (Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) SPAWNCHIMERA has converted its process name to hexadecimal and verifies an added value that is triggered when the first byte of the source copied to the hooked strncpy function matches `0x04050203`. (Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fef3481c71c3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA SPAWNCHIMERA RESURGE February 2026. DHS/CISA. (2026, February 26). MAR-25993211-r1.v2 Ivanti Connect Secure (RESURGE): AR25-087A. Retrieved April 17, 2026.
[2] Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024. Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Crew, Billy Wong, Tyler McLellan. (2024, April 4). Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies. Retrieved April 16, 2026.
[3] JPCERT SPAWNCHIMERA Ivanti February 2025. Yuma Masubuchi. (2025, February 20). SPAWNCHIMERA Malware: The Chimera Spawning from Ivanti Connect Secure Vulnerability. Retrieved April 17, 2026.
[4] Google UNC5221 Ivanti January 2025. John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, Jacob Thompson. (2025, January 8). Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation. Retrieved April 14, 2026.
[5] Google UNC5221 Ivanti April 2025. John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie. (2025, April 3). Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457). Retrieved April 13, 2026.
[6] Picus Security UNC5221 Ivanti May 2025. Sila Ozeren Hacioglu. (2025, May 5). UNC5221's Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti Connect Secure. Retrieved April 13, 2026.
[7] mitre-attack S9024.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.