PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f)

PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)-affiliated actors identified as UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti January 2025)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) | Attack Pattern | PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b) | Attack Pattern | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) | Attack Pattern | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | 1 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | 1 |
| Modify or Spoof Tool UI - T1685.003 (0ff4bd68-aebb-4039-9e00-9f92c705edf4) | Attack Pattern | PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | 1 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 1 |
| Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) | Attack Pattern | PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | 1 |
| Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) | Attack Pattern | PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | 1 |
| PHASEJAM - S9014 (ca3f5123-b853-45ef-83cb-1d1bca22e03f) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | 2 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Modify or Spoof Tool UI - T1685.003 (0ff4bd68-aebb-4039-9e00-9f92c705edf4) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | 2 |
| Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |