DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)

DRYHOOK is Python script used to steal credentials. DRYHOOK was first reported in January 2025, and has previously been leveraged by People's Republic of China (PRC) state-affiliated threat actors identified as UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4)	Attack Pattern	1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754)	Attack Pattern	1
DRYHOOK - S9013 (e9c72c02-b55a-4852-b2eb-c7031d215414)	Malware	Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	2
Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	2