BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)

BOLDMOVE is a type of backdoor malware written in C linked to People’s Republic of China operations from 2022 through 2023. BOLDMOVE includes both Windows and Linux variants, with some Linux variants specifically designed for FortiGate Firewall devices. BOLDMOVE is linked to zero-day exploitation of CVE-2022-42475 in FortiOSS SSL-VPNs.(Citation: Google Cloud BOLDMOVE 2023) The record for BOLDMOVE only covers known Linux variants.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	1
BOLDMOVE - S1184 (325fa466-4a2a-45a0-acc6-f6bed9b45ebe)	Malware	Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2