Unc5221

Threat Actor updated a year ago (2024-11-29T13:38:03.086Z)

Download STIX

Preview STIX

UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware specifically designed to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. The discovery was made by Mandiant researchers who observed the deployment of a new web shell, tracked as ROOTROT, during their investigation of an Ivanti Connect Secure appliance compromised by UNC5221. The threat actor accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor, creating a stealthy and persistent backdoor on the infected device. In January 2024, the MITRE Corporation reported a breach of its systems, attributing the attack to UNC5221. The attack involved the chaining of two zero-day vulnerabilities in Ivanti's Connect Secure software. Indicators of compromise observed during this security breach overlapped with those associated with UNC5221, further solidifying the link between this threat actor and the attacks. Despite initial mitigation efforts, these actions were deemed insufficient in retrospect. The activities of UNC5221 represent a significant cybersecurity concern due to their advanced persistent threat (APT) nature, sophisticated techniques, and the group's apparent focus on exploiting specific network security products. In one instance, the deployment of ROOTROT led to UNC5221 initiating network reconnaissance and lateral movement to a VMware vCenter server. Furthermore, during an analysis of a compromise by UNC5221, Mandiant identified four distinct components of the custom malware toolset SPAWN being used in concert to establish a robust backdoor on an infected appliance.

Description last updated: 2024-05-25T12:15:26.029Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Uta0178 is a possible alias for Unc5221. UTA0178, also known as UNC5221, is a China-based threat actor suspected of conducting cyberespionage activities. This group has been active in exploiting vulnerabilities on a global scale, with numerous instances of interaction with compromised devices tied to the Cyberoam proxy network. The IP addr	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Malware

Zero Day

Backdoor

Apt

Ivanti

Vulnerability

Vpn

Mandiant

Lateral Move...

Google

Web Shell

State Sponso...

Github

Dropper

Mitre

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Silk Typhoon Threat Actor is associated with Unc5221. Silk Typhoon, also known as Hafnium, is a state-sponsored threat actor originating from China. The group first came to prominence in March 2021 when it was linked to the exploitation of Microsoft Exchange Server vulnerabilities. This group has been particularly noted for its use of Exchange PowerShe	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability CVE-2025-22457 is associated with Unc5221.	Unspecified	2
The CVE-2024-21887 Vulnerability is associated with Unc5221. CVE-2024-21887 is a command injection vulnerability found in the web components of Ivanti Connect Secure and Ivanti Policy Secure, specifically in versions 9.x and 22.x. The Cyber Centre was made aware of this flaw, along with an authentication bypass vulnerability (CVE-2023-46805), on January 10, 2	Unspecified	2

Source Document References

Information about the Unc5221 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	21 days ago	China-linked hackers exploit patched ToolShell flaw to breach Middle East telecom
Securityaffairs	25 days ago	F5 breach exposes 262,000 BIG-IP systems worldwide
Flashpoint	a month ago	Critical Vulnerability Exposure: Why the Stolen F5 Data Poses an Imminent Threat
Securityaffairs	2 months ago	Google warns of Brickstorm backdoor targeting U.S. legal and tech sectors
InfoSecurity-magazine	2 months ago	Chinese Hackers Use ‘BRICKSTORM’ Backdoor to Breach US Firms
InfoSecurity-magazine	3 months ago	State-Sponsored Hackers Behind Majority of Vulnerability Exploits
Recorded Future	3 months ago	H1 2025 Malware and Vulnerability Trends
Securityaffairs	5 months ago	Security Affairs newsletter Round 526 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
InfoSecurity-magazine	6 months ago	SAP Flaw Exploited by Ransomware Groups and Chinese-Backed Hackers
InfoSecurity-magazine	7 months ago	Chinese Hackers Exploit Backdoor to Spy on European Businesses
Securityaffairs	7 months ago	U.S. CISA adds Ivanti Connect Secure, Policy Secure and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog
Checkpoint	7 months ago	7th April – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine	7 months ago	Chinese State Hackers Exploiting Newly Disclosed Ivanti Flaw
Securityaffairs	7 months ago	China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March
Checkpoint	9 months ago	13th January – Threat Intelligence Report - Check Point Research
CERT-EU	2 years ago	Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
CERT-EU	2 years ago	พบช่องโหว่ Zero-Day ใน Ivanti Connect Secure ถูกใช้เพื่อติดตั้ง Malware
Securityaffairs	a year ago	MITRE December 2023 attack: threat actors created rogue VMs to evade detection
Securityaffairs	2 years ago	Security Affairs newsletter Round 471 by Pierluigi Paganini – INTERNATIONAL EDITION