Hide Navigation Hide TOC

UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)

UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87)	Tool	UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)	Threat Actor	1
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)	Tool	UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)	Threat Actor	1
SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3)	Tool	UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)	Threat Actor	1
UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3)	Threat Actor	UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)	Threat Actor	1
SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)	Backdoor	UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)	Threat Actor	1
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)	Tool	SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87)	Tool	2
SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)	Backdoor	SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87)	Tool	2
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)	Tool	SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)	Backdoor	2
SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3)	Tool	SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)	Backdoor	2
UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3)	Threat Actor	ROOTROT (69d0512d-c12a-4e17-a335-deba012a8499)	Tool	2
UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3)	Threat Actor	BRICKSTORM (64a0e3ab-e201-4fdc-9836-85365dfa84bb)	Backdoor	2