BRUSHFIRE - S9011 (e110c9c6-7691-4bcb-874d-3d83a63c06c2)

BRUSHFIRE is a passive backdoor written in C that executes in-memory within an existing process. First reported in March 2025, BRUSHFIRE has been observed in activity attributed to People's Republic of China (PRC) state-affiliated threat actors, including UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	BRUSHFIRE - S9011 (e110c9c6-7691-4bcb-874d-3d83a63c06c2)	Malware	1
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5)	Attack Pattern	BRUSHFIRE - S9011 (e110c9c6-7691-4bcb-874d-3d83a63c06c2)	Malware	1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	BRUSHFIRE - S9011 (e110c9c6-7691-4bcb-874d-3d83a63c06c2)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	BRUSHFIRE - S9011 (e110c9c6-7691-4bcb-874d-3d83a63c06c2)	Malware	1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5)	Attack Pattern	2