UNC4540
UNC4540 is a suspected Chinese cyber espionage threat actor tracked by Mandiant. The actor has been observed targeting unpatched SonicWall Secure Mobile Access (SMA) appliances, with evidence that some infections may date back to 2021. Mandiant and SonicWall PSIRT reported that UNC4540 used a custom malware suite tailored for SonicWall devices to obtain highly privileged access, steal credentials, maintain shell access, and persist through reboots and firmware upgrades.

Observed tooling includes a primary bash-based malware component named "firewalld," a redundant backup script named "iptabled," a firmware-manipulation script named "geoBotnetd," a shutdown-related script named "ifconfig6," and a TinyShell backdoor variant deployed as "/bin/httpsd." The malware queried the appliance session SQLite database to steal usernames and hashed passwords of logged-in users, storing the results in "/tmp/syslog.db" for later offline cracking. It also launched TinyShell in reverse-shell mode to provide attacker access.

UNC4540 implemented multiple persistence mechanisms. The malware used "/etc/rc.d/rc.local" for startup persistence, had redundant watchdog-style scripts that restarted each other if one failed, patched the legitimate SonicWall binary "firebased," and monitored for new firmware images at "/cf/FIRMWARE/NEW/INITRD.GZ." When new firmware was detected, the actor's tooling unpacked and modified the firmware image to reinsert the malware and added a backdoor root user named "acme" so access would survive firmware updates. Mandiant stated this firmware manipulation was observed post-exploitation on already infected devices and was not observed as a supply-chain attack.

Mandiant said the exact initial infection vector was unclear, but assessed the targeted devices were unpatched and likely exposed to older vulnerabilities. Mandiant also noted similarities between this activity and broader Chinese targeting of internet-facing network appliances for initial access, persistence, and eventual enterprise intrusion. Known alias: UNC4540.
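The artifacts above (the dropped binaries, the rc.local launch entries, and the extra UID-0 account) can be checked offline against files copied from an appliance. The script below is an added triage example written for this profile, not Mandiant's or SonicWall's tooling; it assumes the files have been collected into a `{path: content}` mapping and that the SMA image does not legitimately run a service named "firewalld", so any rc.local reference to that name is suspect.

```python
"""Offline triage of SonicWall SMA files for the UNC4540 persistence
artifacts described in the reporting (constructed example)."""
import re

# Paths the reporting names: the TinyShell backdoor and the credential dump.
KNOWN_PATHS = ("/bin/httpsd", "/tmp/syslog.db")
# Script names used by the malware suite; none belong in rc.local on an SMA.
MALWARE_NAMES = ("firewalld", "iptabled", "geoBotnetd", "ifconfig6", "httpsd")
BACKDOOR_USER = "acme"  # root account added by the firmware-modification step


def root_accounts(passwd_text):
    """Return every user name with UID 0 from /etc/passwd text."""
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            accounts.append(fields[0])
    return accounts


def triage(files):
    """Return sorted findings for a {path: content} snapshot of the appliance."""
    findings = []
    for path in KNOWN_PATHS:
        if path in files:
            findings.append(f"known malware artifact present: {path}")
    rc_local = files.get("/etc/rc.d/rc.local", "")
    for name in MALWARE_NAMES:
        if re.search(rf"\b{name}\b", rc_local):  # \b keeps 'firebased' from matching
            findings.append(f"rc.local launches suspect script: {name}")
    for user in root_accounts(files.get("/etc/passwd", "")):
        if user != "root":  # any extra UID-0 user is flagged, not only 'acme'
            tag = " (matches reported backdoor user)" if user == BACKDOOR_USER else ""
            findings.append(f"extra UID-0 account: {user}{tag}")
    return sorted(findings)


# Constructed snapshot of an infected appliance (not real captured data).
SAMPLE_INFECTED = {
    "/bin/httpsd": "<elf>",
    "/tmp/syslog.db": "<sqlite>",
    "/etc/rc.d/rc.local": "#!/bin/sh\n/usr/bin/firewalld &\n/usr/bin/iptabled &\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\nacme:x:0:0::/:/bin/sh\n",
}
# Constructed clean snapshot: only the legitimate SonicWall 'firebased' binary.
SAMPLE_CLEAN = {
    "/etc/rc.d/rc.local": "#!/bin/sh\n/usr/sbin/firebased &\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INFECTED):
        print(finding)
```

Real collection should hash /bin/httpsd and firebased against a known-good firmware image rather than relying on file presence alone, since the reporting notes the legitimate binary was patched in place.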
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Targeted SonicWall Secure Mobile Access (SMA) appliances, deploying custom malware designed to persist even after firmware upgrades (suggesting a focus on durable access to edge devices for follow-on operations).
Targeting unpatched SonicWall SMA appliances to install custom malware for long-term persistence, credential theft, reverse shell access, and cyber espionage.