TRAILBLAZE is a newly identified in-memory-only dropper observed by Mandiant in post-exploitation activity following exploitation of CVE-2025-22457, a critical buffer overflow vulnerability affecting Ivanti Connect Secure VPN appliances version 22.7R2.5 and earlier. The activity was attributed by Google Threat Intelligence Group/Mandiant to UNC5221, a suspected China-nexus espionage actor. TRAILBLAZE was deployed beginning in at least mid-March 2025 alongside BRUSHFIRE, a passive backdoor, and components of the SPAWN malware ecosystem. High-confidence reporting describes TRAILBLAZE as written in bare C, using raw syscalls, designed to be minimal, and intended to fit within a shell script as Base64-encoded content. Mandiant observed a shell-script dropper that executed TRAILBLAZE after successful exploitation, searched for a /home/bin/web process that was a child of another /home/bin/web process, created temporary files in /tmp including .p, .m, .w, .s, .r, and .i, injected BRUSHFIRE into a running /home/bin/web process, deleted temporary files, and cleared /data/var/cores as cleanup. The observed tradecraft was non-persistent and required re-execution after reboot of the system or process. The broader campaign targeted edge devices, specifically Ivanti Connect Secure appliances, and was associated with stealth-focused post-compromise operations.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Post-exploitation activity includes deploying newly identified malware: TRAILBLAZE (in-memory dropper) and BRUSHFIRE (passive backdoor). | Mandiant (part of Google Cloud) is releasing details on active exploitation of a critical buffer overflow vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (ICS) VPN appliances (versions 22.7R2.5 and earlier). We identified the suspected China-nexus espionage actor UNC5221 exploiting this flaw in the wild for remote code execution in their operations, dating back to mid-March.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Post-exploitation activity includes deploying newly identified malware: TRAILBLAZE (in-memory dropper) and BRUSHFIRE (passive backdoor).
11 distinct techniques documented for this family, organized by ATT&CK tactic.
"Mandiant observed the deployment of two newly identified malware families ... through a shell script dropper."
"TRAILBLAZE leverages raw syscalls and Base64 encoding to stay lightweight"
"use of a shell-script dropper to inject TRAILBLAZE and BRUSHFIRE into a live web process, avoiding persistence and focusing on stealth"
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware deployed via exploitation of Ivanti Connect Secure CVE-2025-22457 (as described).
An in-memory dropper deployed post-exploitation on Ivanti Connect Secure appliances; injected into a live web process via shell script, designed for stealth (no persistence), and described as lightweight using raw syscalls and Base64 encoding.
An in-memory dropper deployed after exploitation of Ivanti Connect Secure devices.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.