BRUSHFIRE

MITRE

Malware Type:
Other

First seen:
Unknown

Last seen:
Unknown

Details:

[BRUSHFIRE](https://attack.mitre.org/software/S9011) is a passive backdoor written in C that executes in-memory within an existing process. First reported in March 2025, [BRUSHFIRE](https://attack.mitre.org/software/S9011) has been observed in activity attributed to People's Republic of China (PRC) state-affiliated threat actors, including UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)

Associated Techniques (4)

ID	ATT&CK	Tactics
T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	-
T1140	Deobfuscate/Decode Files or Information	-
T1205	Traffic Signaling	-
T1620	Reflective Code Loading	-

Metadata

ID:	164707
Created:	28/04/2026 16:00
Updated:	10/05/2026 04:00