ZIPLINE
ZIPLINE is a passive backdoor associated with the China-nexus intrusion cluster UNC5221. Mandiant reported it among multiple custom malware families used by UNC5221 alongside LIGHTWIRE, THINSPOOL, WARPWIRE, and WIREFIRE during exploitation of Ivanti Connect Secure and Ivanti Policy Secure zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887. Reporting also describes UNC5221 as exploiting Ivanti zero-days to target government agencies and using custom malware including Spawnant and ZIPLINE.
Observed ZIPLINE capabilities include adding itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool when the tar process is invoked with the --exclude parameter, creating a proxy server on compromised hosts, and communicating with command-and-control infrastructure over a custom binary protocol. The malware has been referenced in the context of UNC5221 operations against government and other organizations, and broader reporting links the cluster to long-term espionage activity and compromises of edge or appliance technologies. Separately, Cisco Talos noted that the later PowMix campaign resembled an earlier "ZipLine" campaign in its use of ZIP-based payload distribution, scheduled task persistence, and Heroku for command-and-control, but the available reporting does not establish that this campaign used the same ZIPLINE malware family.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (ICS), previously known as Pulse Connect Secure and Ivanti Policy Secure. This vulnerability allows an attacker to bypass control checks and access restricted resources.
CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti ICS and Policy Secure that an authenticated user can abuse to execute arbitrary commands.
Groups observed using it
1 distinct threat actor attributed by public researchers.
According to Mandiant, UNC5221 has “leveraged multiple custom malware families”, which include LIGHTWIRE, a webshell; THINSPOOL, a webshell dropper; WARPWIRE, a credential harvester; WIREFIRE, another webshell; and ZIPLINE, a passive backdoor.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
According to Ivanti and a blog by Volexity, these two vulnerabilities (CVE-2023-46805 and CVE-2024-21887) were exploited in the wild in a chained attack for unauthenticated remote code execution (RCE) as early as December 3, 2023.
Execution
1 technique
Persistence
2 techniques
"upload a web shell named SLAYSTYLE via the '/manager/text/deploy' endpoint"
Stealth
1 technique
Discovery
2 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Command and Control
6 techniques
APT41 used a tool called CLASSFON to covertly proxy network communications... BADCALL functions as a proxy server between the victim and C2 server... Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic...
Other
3 techniques
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
BlackByte Ransomware 'adds .JS and .EXE extensions to the Microsoft Defender exclusion list'; PureCrypter 'executed Set-MpPreference -ExclusionPath'; QakBot 'modify the Registry to add its binaries to the Windows Defender exclusion list'; Raspberry Robin 'add an exception to Microsoft Defender that excludes the entire main drive'; StrongPity 'add directories used by the malware to the Windows Defender exclusions list'; XLoader 'can add the path of its executable to the Microsoft Defender exclusion list'; ZIPLINE 'can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool.'
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Referenced as an earlier campaign similar to PowMix, sharing ZIP-based payload delivery, scheduled task persistence, and Heroku-based command-and-control techniques.
A malware family associated with UNC5221 in campaigns exploiting virtualization technologies and Ivanti zero-days.
Custom malware attributed to UNC5221, used in operations exploiting Ivanti zero-days against government agencies.
Custom malware used by UNC5221 in campaigns exploiting Ivanti zero-days against government agencies (functionality not described in the content).