
SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b)

SPAWNCHIMERA is a backdoor that supports command and control and can inject malicious components into native processes.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) It incorporates capabilities from multiple tools within the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) SPAWNCHIMERA was first reported in April 2024.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) SPAWNCHIMERA has been observed in activity attributed to People's Republic of China (PRC) state-sponsored threat actors, including UNC5221.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: Picus Security UNC5221 Ivanti May 2025)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Prevent Command History Logging - T1690 (b831f51c-d22f-4724-bbab-60d056bd1150) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) | Attack Pattern | 1 |
| SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | 1 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | SPAWNCHIMERA - S9024 (d1974f35-0e06-478e-bc74-7530545d814b) | Malware | 1 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 2 |
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) | Attack Pattern | Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | 2 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) | Attack Pattern | 2 |
| Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |