Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 08:44 · Modified 21/12/2025 08:44

Essential information

Value / Name: M_APT_Installer_SPAWNANT_1
Confidence: 100/100
Revoked: Yes
Valid from: 09/01/2025 10:03
Valid until: 26/10/2025 21:12
Pattern type: yara
Published: 21/12/2025 08:44
Modified: 21/12/2025 08:44
Author / Source: AlienVault

Description

M_APT_Installer_SPAWNANT_1 Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box.

Pattern

rule M_APT_Installer_SPAWNANT_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box."

    strings:
        $s1 = "dspkginstall" ascii fullword
        $s2 = "vsnprintf" ascii fullword
        $s3 = "bom_files" ascii fullword
        $s4 = "do-install" ascii
        $s5 = "ld.so.preload" ascii
        $s6 = "LD_PRELOAD" ascii
        $s7 = "scanner.py" ascii

    condition:
        uint32(0) == 0x464c457f and 5 of ($s*)
}

Labels / Tags

Labels: credential theft dryhook ivanti phasejam spawnant spawnsloth vpn

Marking (TLP)

TLP:CLEAR