UTA0178
MISP
Type: Unknown
Country: CN
First seen: Unknown
Details:
While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident, which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems via RDP. Volexity observed the attacker obtaining credentials in a variety of ways.
References (8)
- volexity.com - Active Exploitation Of Two Zero Day Vulnerabilities In Ivanti Connect Secure Vpn
- rewterz.com - Rewterz Threat Advisory Ivanti Vpn Zero Days Weaponized By Unc5221 Threat Actors To Deploy Multiple Malware Families Active Iocs
- mandiant.com - Suspected Apt Targets Ivanti Zero Day
- quointelligence.eu - Unc5221 Unreported And Undetected Wirefire Web Shell Variant
- volexity.com - Ivanti Connect Secure Vpn Exploitation New Observations
- mandiant.com - Investigating Ivanti Zero Day Exploitation
- bsi.bund.de - Aktive Apt Gruppen Node
- cloud.google.com - Ivanti Post Exploitation Lateral Movement
Aliases (220)
UNC5221
Red Dev 61
Metadata
| ID: | 573 |
| Created: | 13/01/2026 17:48 |
| Updated: | 09/03/2026 16:00 |