216.73.217.172

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:41 · Modified 21/12/2025 02:17

Essential information

Value / Name
af43ba807e14047fdcd92519016c0e53e0f124fd
Confidence
100/100
Revoked
Yes
Valid from
15/01/2024 11:55
Valid until
19/04/2025 12:55
Pattern type
yara
Published
20/12/2025 19:41
Modified
21/12/2025 02:17
Author / Source
AlienVault

Description

This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor.

Pattern

rule M_Hunting_Backdoor_ZIPLINE_1 {   
   meta:   
   author = "Mandiant"   
   description = "This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor."   
   strings:   
   $s1 = "SSH-2.0-OpenSSH_0.3xx" ascii   
   $s2 = "$(exec $installer $@)" ascii   
   $t1 = "./installer/do-install" ascii   
   $t2 = "./installer/bom_files/" ascii   
   $t3 = "/tmp/data/root/etc/ld.so.preload" ascii   
   $t4 = "/tmp/data/root/home/etc/manifest/exclusion_list" ascii   
   condition:   
   uint32(0) == 0x464c457f and   
   filesize < 5MB and   
   ((1 of ($s*)) or   
   (3 of ($t*)))   
   }

Labels / Tags

Labels: ivanti ivanti connect secure vpn ivanti policy secure lightwire thinspool unc5221 warpwire webshell zipline passive

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.