Skip to main content
Mallory
Back to threat actors
7 malware familiesExploits CVEs in the wild

Velvet Ant

Also known asVelvet Ant

Velvet Ant is a Chinese APT / state-backed threat actor. The provided content attributes attacks to the Chinese APT Velvet Ant and describes activity spanning F5 BIG-IP devices, Cisco switches, and Windows hosts. The actor exploited legacy F5 BIG-IP appliances for persistence and used a modified /etc/rc.local file to maintain access. On compromised F5 devices, Velvet Ant used the custom tools VELVETSTING to parse encoded inbound commands and execute them via the Unix shell, and VELVETTAP for packet capture. The group used reverse SSH tunnels / a reverse SSH shell as an encrypted channel to communicate with victim devices, and tunneled victim traffic through an internal compromised host to proxy communications to command-and-control nodes. The content also states Velvet Ant exploited CVE-2024-20399 on authenticated Cisco switches, allowing escape from the NX-OS CLI to the underlying operating system for arbitrary command execution, and references attacks targeting Cisco, Palo Alto, and Ivanti network edge devices via path OS command injection vulnerabilities. In Windows environments, Velvet Ant used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX, including a malicious DLL named iviewers.dll that mimicked the legitimate OLE/COM Object Viewer. PlugX was executed and installed as a Windows service. Initial execution included launching multiple svchost processes and injecting code into them. Additional behavior directly described in the content includes use of WMI and Impacket tooling, including wmiexec.py for remote process execution, lateral file transfer via SMB and Windows administrative shares, and file transfer within victim networks using the Impacket toolkit. Velvet Ant enumerated local files and directories and existing network connections on victim devices. For defense evasion, Velvet Ant attempted to disable local security tools and endpoint detection and response software, and modified system firewall settings during PlugX installation by using netsh.exe to open a listening random high-numbered port. Known alias in the provided content: velvet_ant.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics53 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1078.003×2
Local Accounts
T1133×8
External Remote Services
T1190×6
Exploit Public-Facing Application
TA0002
Execution
4 techniques
T1047
Windows Management Instrumentation
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.004×2
Unix Shell
T1569
System Services
T1569.002×2
Service Execution
T1574
Hijack Execution Flow
T1574.001×3
DLL
TA0003
Persistence
5 techniques
T1037
Boot or Logon Initialization Scripts
T1037.004
RC Scripts
T1078
Valid Accounts
T1078.003×2
Local Accounts
T1112×2
Modify Registry
T1133×8
External Remote Services
T1505
Server Software Component
T1505.003
Web Shell
TA0004
Privilege Escalation
3 techniques
T1037
Boot or Logon Initialization Scripts
T1037.004
RC Scripts
T1055×6
Process Injection
T1078
Valid Accounts
T1078.003×2
Local Accounts
TA0005
Stealth
5 techniques
T1036
Masquerading
T1036.005
Match Legitimate Resource Name or Location
T1055×6
Process Injection
T1078
Valid Accounts
T1078.003×2
Local Accounts
T1211
Exploitation for Stealth
T1574
Hijack Execution Flow
T1574.001×3
DLL
TA0112
Defense Impairment
2 techniques
T1112×2
Modify Registry
T1601
Modify System Image
T1601.001
Patch System Image
TA0006
Credential Access
2 techniques
T1187
Forced Authentication
T1557
Adversary-in-the-Middle
T1557.001
Name Resolution Poisoning and SMB Relay
TA0007
Discovery
2 techniques
T1049×2
System Network Connections Discovery
T1083×4
File and Directory Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.002×3
SMB/Windows Admin Shares
T1021.004
SSH
TA0009
Collection
1 technique
T1557
Adversary-in-the-Middle
T1557.001
Name Resolution Poisoning and SMB Relay
TA0011
Command and Control
5 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1105×2
Ingress Tool Transfer
T1132
Data Encoding
T1572
Protocol Tunneling
T1573
Encrypted Channel
T1573.002
Asymmetric Cryptography
ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Cobalt StrikeThis behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike.4Mar 18, 2026
ImpacketThe following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement.2Mar 17, 2026
PlugXDaggerfly has used legitimate software to side-load PlugX loaders... PlugX has the ability to use DLL search order hijacking... and ... DLL side-loading to evade anti-virus.2Mar 18, 2026
PsExecThe following analytic identifies instances where PsExec.exe has been renamed and executed on an endpoint. ... renaming PsExec.exe is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.2Mar 17, 2026
VELVETTAPVelvet Ant has used a custom tool, "VELVETTAP", to perform packet capture from compromised F5 BIG-IP devices.2Mar 18, 2026

2 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.

CVE-2021-31207Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange AutodiscoverIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection RCEIn the wildEvidence1

The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.

CVE-2022-41040ProxyNotShell SSRF in Microsoft Exchange ServerIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

3 more CVEs tied to this actor tracked in Mallory.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Apr 13, 2026
Detection: Windows EDRSilencer Execution | Splunk Security Content

Referenced as a threat actor associated with disabling or modifying tools.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Theme File Creation in Unusual Location | Splunk Security Content

Listed in the detection annotations as a threat actor associated with techniques involving Windows theme files, forced authentication, name resolution poisoning/SMB relay, and SMB/Windows admin shares.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Filtering Platform Policy Added to Block EDR Process | Splunk Security Content

Referenced as a threat actor associated with the defense-impairment technique of modifying Windows Filtering Platform policy to block EDR process communication.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows CrowdStrike Agent Registry Key Removal | Splunk Security Content

Referenced as a threat actor associated with the technique of disabling or modifying security tools, specifically in the context of CrowdStrike agent registry key removal detection.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs8

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.