Skip to content

Hide Navigation Hide TOC

TRAILBLAZE - S9012 (b82b9e25-e37b-4f7c-b1f0-2c2eea4f4be9)

TRAILBLAZE is an in-memory dropper used to deploy the passive backdoor BRUSHFIRE. First reported in March 2025, TRAILBLAZE has been observed in operations attributed to People's Republic of China (PRC) state-sponsored affiliated actors, including UNC5221 and SYLVANITE. (Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)

Cluster A Galaxy A Cluster B Galaxy B Level
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern TRAILBLAZE - S9012 (b82b9e25-e37b-4f7c-b1f0-2c2eea4f4be9) Malware 1
TRAILBLAZE - S9012 (b82b9e25-e37b-4f7c-b1f0-2c2eea4f4be9) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
TRAILBLAZE - S9012 (b82b9e25-e37b-4f7c-b1f0-2c2eea4f4be9) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
TRAILBLAZE - S9012 (b82b9e25-e37b-4f7c-b1f0-2c2eea4f4be9) Malware Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 2