DRYHOOK
MITRE
Malware Type:
Other
Other
First seen:
Unknown
Unknown
Last seen:
Unknown
Unknown
Details:
[DRYHOOK](https://attack.mitre.org/software/S9013) is Python script used to steal credentials. [DRYHOOK](https://attack.mitre.org/software/S9013) was first reported in January 2025, and has previously been leveraged by People's Republic of China (PRC) state-affiliated threat actors identified as UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)
Associated Techniques (11)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1027.013 | Encrypted/Encoded File | - |
| T1056.001 | Keylogging | - |
| T1059.006 | Python | - |
| T1059.008 | Network Device CLI | - |
| T1074.001 | Local Data Staging | - |
| T1222.002 | Linux and Mac Permissions | - |
| T1489 | Service Stop | - |
| T1556 | Modify Authentication Process | - |
| T1556.004 | Network Device Authentication | - |
| T1601 | Modify System Image | - |
| T1685 | Disable or Modify Tools | - |
Metadata
| ID: | 164736 |
| Created: | 28/04/2026 16:00 |
| Updated: | 10/05/2026 04:00 |