Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S9014: PHASEJAM

PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)- affiliated actors identified as UNC5221 and SYLVANITE.[1][2]

EnterpriseS9014MalwareObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PHASEJAM matters because it is described by ATT&CK as a bash-script dropper that modifies Ivanti Connect Secure appliance components. That places it in a high-value edge-device context where normal endpoint tooling may be limited and where compromised VPN or access appliances can affect remote access, identity-adjacent trust paths, incident containment, and business continuity.

Executive priority

Treat this as an edge-appliance resilience and visibility issue, not just a malware issue. Leaders should ask whether Ivanti Connect Secure appliances are inventoried, monitored, backed up, and included in incident response playbooks; whether appliance integrity can be validated after suspicious activity; and whether logs from network devices are retained well enough to support audit, breach assessment, and recovery decisions. The ATT&CK relationships also point to persistence, defense impairment, exfiltration, service disruption, and data manipulation behaviors, which makes control validation and recovery planning important.

Technical view

ATT&CK provides no official detection text for PHASEJAM, so SOC and IR validation should be behavior-led. Focus on Linux and network-device evidence around shell-script execution, appliance component modification, renamed utilities, encoded or obfuscated files and commands, file transfers to the appliance, web shell indicators, service stoppage, shell configuration changes, host software binary changes, delayed execution, and security-tool or UI tampering. Because the object specifically references Ivanti Connect Secure appliance components, responders should prioritize appliance integrity checks, configuration review, web-accessible file review, and comparison against known-good versions where available.

Likely telemetry

  • Ivanti Connect Secure appliance system, admin, web, authentication, and upgrade/change logs
  • Network device CLI and command history where available
  • Linux shell execution, script execution, and process creation evidence from the appliance or supporting logs
  • File integrity or configuration change records for appliance components, web directories, shell configuration files, and host binaries
  • Network transfer metadata showing inbound tool or file movement and outbound communications over existing channels

Detection direction

  • Do not rely on a single signature: ATT&CK reports obfuscation, encoded files, deobfuscation, renamed utilities, delayed execution, and UI/tool tampering relationships.
  • Validate whether edge-appliance logs are actually collected centrally before an incident; local-only logs may be unavailable or altered during response.
  • Tune for suspicious modification of appliance components, unexpected web-accessible scripts, unusual shell or CLI activity, unexpected service stops, and file transfers to or from the appliance.
  • Correlate behavior across techniques: ingress transfer followed by decoding, component modification, web shell placement, service stop, and impaired monitoring is more meaningful than any one event alone.
  • Account for false positives from legitimate upgrades, vendor support actions, administrator troubleshooting, and maintenance scripts by baselining approved change windows and known administrative paths.

Mitigation priorities

  • Prioritize complete inventory and ownership of Ivanti Connect Secure appliances and other Linux/network-device edge systems.
  • Ensure vendor-supported patching, upgrade, backup, and restore processes are documented and tested for these appliances.
  • Centralize and retain appliance logs, administrative activity, network metadata, and monitoring health signals outside the appliance itself.
  • Implement change control and integrity validation for appliance components, web content, shell configuration, and key binaries where supported.
  • Restrict and monitor administrative access to appliance CLI and management interfaces; review privileged access paths after any suspicious activity.
Analyst notes and limits

The supplied ATT&CK object identifies PHASEJAM as a bash dropper affecting Ivanti Connect Secure appliance components and notes previous use by PRC-affiliated actors identified as UNC5221 and SYLVANITE. The relationship set gives useful behavioral context spanning stealth, execution, command-and-control, persistence, exfiltration, impact, and defense impairment, even though the object itself has no tactics listed and no official detection guidance.

This take is limited to the provided ATT&CK fields, external references, and relationships. It does not establish current exploitation, customer exposure, confirmed impact, or guaranteed detection. Local appliance versions, logging configuration, network architecture, vendor guidance, and forensic evidence are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

PHASEJAM

PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)- affiliated actors identified as UNC5221 and SYLVANITE.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows
Domain ID Name Relationship / procedure
Enterprise T1554 Compromise Host Software Binary

PHASEJAM has modified legitimate components to enable persistence and execution, including inserting a web shell into `getComponent.cgi` and `restAuth.cgi`, modifying `DSUpgrade.pm` to block system upgrades, and overwriting `remotedebug` to execute arbitrary commands when specific parameters are provided.[2]
Enterprise T1489 Service Stop

PHASEJAM has disabled the `cgi-server` process on Ivanti Connect Secure appliances.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

PHASEJAM has the ability to decode Base64 commands and data.[2]
Enterprise T1036.003 Rename Legitimate Utilities Sub-technique

PHASEJAM has renamed the file `/home/bin/remotedebug` to `remotedebug.bak`, allowing the threats actors to write a malicious `/home/bin/remotedebug` shell script.[2]
Enterprise T1027.010 Command Obfuscation Sub-technique

PHASEJAM has encoded commands with Base64.[2]
Enterprise T1678 Delay Execution

PHASEJAM has used the `sleep` command within its code to generate a fake HTML upgrade progress bar that mimics a running process.[2]
Enterprise T1565 Data Manipulation

PHASEJAM has blocked legitimate upgrades of Ivanti Connect Secure systems and falsely indicates a successful upgrade while operating on an older version.[2]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

PHASEJAM has launched a webshell using the `MIME::Base64` module that encoded and decoded Base64 commands.[2]
Enterprise T1105 Ingress Tool Transfer

PHASEJAM has the ability to upload files onto the compromised appliance.[2]
Enterprise T1505.003 Web Shell Sub-technique

PHASEJAM has inserted Perl-based web shells into legitimate files that provided threat actors with remote access and code execution capabilities on the compromised network appliance.[2]
Enterprise T1685.003 Modify or Spoof Tool UI Sub-technique

PHASEJAM has prevented legitimate Ivanti Connect Secure system upgrades by intercepting the upgrade command and rendering fake HTML upgrade progress bar through a function called `processUpgradeDisplay()` which allowed the compromised device to remain under the control of the adversary.[2]
Enterprise T1685 Disable or Modify Tools

PHASEJAM has modified Ivanti Connect Secure appliances and blocks the system upgrades by altering the DSUpgrade.pm file.[2]
Enterprise T1546.004 Unix Shell Configuration Modification Sub-technique

PHASEJAM has used a bash script to modify components on Ivanti Connect Secure appliances and execute files via `/bin/bash`.[1] It has also used the Linux stream editor (`sed`) to execute commands.[2]
Enterprise T1059.008 Network Device CLI Sub-technique

PHASEJAM has leveraged native commands associated with the compromised network appliance to execute code.[2]
Enterprise T1041 Exfiltration Over C2 Channel

PHASEJAM has the ability to exfiltrate data from the victim appliance.[2]
Relationship explorer

All related ATT&CK context

uses · Technique T1554: Compromise Host Software Binary Enterprise uses · Technique T1489: Service Stop Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1036.003: Rename Legitimate Utilities Enterprise uses · Technique T1027.010: Command Obfuscation Enterprise uses · Technique T1678: Delay Execution Enterprise uses · Technique T1565: Data Manipulation Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1505.003: Web Shell Enterprise uses · Technique T1685.003: Modify or Spoof Tool UI Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1546.004: Unix Shell Configuration Modification Enterprise uses · Technique T1059.008: Network Device CLI Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
4057a8620b5bb421...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 4057a8620b5b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Dragos SYLVANITE MuddyWater Electrum March 2026

    Dragos. (2026, March 24). Dragos 2026 OT Cybersecurity Report: Year in Review, O&G and Petrochemicals Focus. Retrieved April 17, 2026.

    Open source URL
  2. [2]
    Google UNC5221 Ivanti January 2025

    John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, Jacob Thompson. (2025, January 8). Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation. Retrieved April 14, 2026.

    Open source URL
  3. [3]
    mitre-attack S9014
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use