BRUSHFIRE is a newly identified passive backdoor observed by Mandiant in post-exploitation activity following exploitation of CVE-2025-22457, a critical buffer overflow vulnerability affecting Ivanti Connect Secure VPN appliances version 22.7R2.5 and earlier. The activity was attributed to UNC5221, a suspected China-nexus espionage actor, with exploitation observed beginning in mid-March 2025. BRUSHFIRE was deployed alongside TRAILBLAZE, an in-memory dropper, and in operations that also involved components of the SPAWN malware ecosystem. BRUSHFIRE is written in bare C and functions as an SSL_read hook. It executes the original SSL_read call, checks whether returned data begins with a specific trigger string, and when that trigger is present, XOR-decrypts and executes shellcode contained in the received data. If the executed shellcode returns a value, BRUSHFIRE uses SSL_write to send that value back. Mandiant observed a shell-script dropper that, after successful exploitation, executed TRAILBLAZE and injected BRUSHFIRE into a running /home/bin/web process, specifically identifying a /home/bin/web process that was a child of another /home/bin/web process. The dropper created temporary files in /tmp including .p, .m, .w, .s, .r, and .i, then deleted the created files and cleared /data/var/cores as cleanup. The observed deployment was non-persistent and had to be re-executed after reboot of the system or process. High-confidence indicators and behavioral artifacts mentioned in the reporting include injection into /home/bin/web, use of SSL_read and SSL_write hooks, XOR-decrypted shellcode execution triggered by specific inbound data, temporary files in /tmp (.p, .m, .w, .s, .r, .i), and clearing of /data/var/cores.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Mandiant (part of Google Cloud) is releasing details on active exploitation of a critical buffer overflow vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (ICS) VPN appliances (versions 22.7R2.5 and earlier). We identified the suspected China-nexus espionage actor UNC5221 exploiting this flaw in the wild for remote code execution in their operations, dating back to mid-March. | Post-exploitation activity includes deploying newly identified malware: TRAILBLAZE (in-memory dropper) and BRUSHFIRE (passive backdoor).
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Post-exploitation activity includes deploying newly identified malware: TRAILBLAZE (in-memory dropper) and BRUSHFIRE (passive backdoor).
9 distinct techniques documented for this family, organized by ATT&CK tactic.
"Mandiant observed the deployment of two newly identified malware families ... through a shell script dropper."
"use of a shell-script dropper to inject TRAILBLAZE and BRUSHFIRE into a live web process, avoiding persistence and focusing on stealth"
"It then deletes all of the temporary files previously created ... as well as the contents of the /data/var/cores directory."
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware deployed via exploitation of Ivanti Connect Secure CVE-2025-22457 (as described).
A passive backdoor injected into a live web process on Ivanti Connect Secure; hooks SSL_read to execute encrypted payloads, emphasizing stealth and avoiding persistence.
A passive backdoor deployed post-exploitation on compromised Ivanti Connect Secure appliances.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.