
ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864)

ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality. (Citation: Mandiant Cutting Edge January 2024)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | 1 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | 1 |
| ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | 1 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | 1 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | 1 |
| ZIPLINE - S1114 (d9765cbd-4c88-4805-ba98-4c6ccb56b864) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |