DWAgent
DWAgent is a legitimate remote administration tool that threat actors have deployed post-compromise to maintain persistent remote access to victim systems and to facilitate follow-on activity. In the reporting summarized here, it is repeatedly used alongside other dual-use and offensive tooling such as AnyDesk, Earthworm, SharpHound, Impacket, Rubeus, Certipy, and GoExec. Observed use cases include maintaining access to compromised endpoints, deploying additional payloads, supporting Active Directory reconnaissance, and enabling broader post-exploitation operations.
DWAgent appears in multiple intrusion clusters. Rapid7 reported MuddyWater/Seedworm, an Iranian MOIS-affiliated actor, using DWAgent (and, in at least one case, AnyDesk) after Microsoft Teams-based social engineering, credential harvesting, and MFA manipulation. In that intrusion, persistence involved RDP plus a DWAgent installation chain consisting of dwagent.exe, pythonw.exe, dwagsvc.exe, and dwaglnc.exe. Cisco Talos and related reporting also describe China-linked UAT-8837 using DWAgent after initial access obtained via compromised credentials or exploitation of vulnerable servers, including Sitecore CVE-2025-53690. In those cases, DWAgent was used as a remote administration tool for persistence, remote control, and deployment of additional malware; one report specifically states it was installed as a SYSTEM service.
Targeting described in the content includes critical infrastructure organizations in North America and internet-exposed Sitecore environments. In Sitecore exploitation campaigns tied to CVE-2025-53690, DWAgent was deployed after successful authentication bypass and remote code execution via malicious ViewState payloads on endpoints such as /sitecore/blocked.aspx. Associated post-exploitation activity included creation of unauthorized administrator accounts, credential dumping, theft of web.config and registry hives, network tunneling with Earthworm, reconnaissance with WeepSteel and SharpHound, data staging with 7-Zip, and exfiltration.
High-confidence indicators directly mentioned for DWAgent include the filenames/processes dwagent.exe, pythonw.exe, dwagsvc.exe, and dwaglnc.exe, as well as unexpected DWAgent service installation or execution on compromised hosts.
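As an added detection example (not from the original page or any of the vendors it cites), the following Python script applies the file and service indicators listed above to constructed Sysmon-style process-creation and service-install events; the field names, install paths, and event records are assumptions built for the example, not real telemetry.

```python
"""Hunt for DWAgent indicators in process-creation and service-install events.

Added example: the event records below are constructed to mimic Sysmon
EID 1 (process create) and System EID 7045 (service install) fields.
Field names and install paths are assumptions, not vendor telemetry.
"""
import ntpath

# Binaries the page names as the DWAgent installation chain.
DWAGENT_IMAGES = {"dwagent.exe", "dwagsvc.exe", "dwaglnc.exe"}

# Constructed sample telemetry (not real logs); paths are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\a\AppData\Local\Temp\dwagent.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "CORP\\a"},
    {"type": "process", "image": r"C:\Program Files\DWAgent\runtime\pythonw.exe",
     "parent": r"C:\Program Files\DWAgent\native\dwagsvc.exe",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"type": "service", "name": "DWAgent",
     "imagepath": r"C:\Program Files\DWAgent\native\dwagsvc.exe"},
    {"type": "process", "image": r"C:\Python311\pythonw.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "user": "CORP\\dev"},
]

def _base(path):
    """Lower-cased file name of a Windows path, portable across hosts."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return a finding string for a DWAgent-related event, or None."""
    if event["type"] == "service":
        path = event["imagepath"]
        if _base(path) in DWAGENT_IMAGES or "dwagent" in path.lower():
            return f"service install: {event['name']} -> {path}"
        return None
    image, parent = _base(event["image"]), _base(event["parent"])
    if image in DWAGENT_IMAGES:
        return f"dwagent binary executed: {event['image']} (parent {parent})"
    # pythonw.exe is only an indicator when tied to the DWAgent tree: the page
    # lists it as part of the chain, but on its own it is a common benign binary.
    if image == "pythonw.exe" and (parent in DWAGENT_IMAGES
                                   or "dwagent" in event["image"].lower()):
        return f"pythonw.exe under DWAgent: {event['image']} (parent {parent})"
    return None

def hunt(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The standalone pythonw.exe launched from cmd.exe is deliberately left unflagged, which is the false-positive case a hunt on this indicator set has to handle.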
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
On September 3, 2025, a critical zero-day vulnerability (CVE-2025-53690) in the Sitecore Experience Platform sent shockwaves through the enterprise content management community. Exploited in the wild, this flaw allowed remote attackers to gain full control of vulnerable sites through ViewState deserialization attacks... Attackers were able to exploit this weakness, crafting malicious payloads that allowed them to execute arbitrary code on impacted servers.
Groups observed using it
2 distinct threat actors attributed by public researchers.
From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment.
DWAgent, to enable persistent remote access and Active Directory reconnaissance
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The intrusion Rapid7 examined started through Microsoft Teams social engineering... and, in some cases, deployed AnyDesk for remote access.
Initial Access: The attacker targets Sitecore installations exposed to the internet, specifically those running with factory-default or sample machine keys.
Execution
2 techniques
By submitting specially crafted POST requests (e.g., to /sitecore/blocked.aspx), attackers achieved remote code execution (RCE).
Exploited in-the-wild, this flaw allowed remote attackers to gain full control of vulnerable sites through ViewState deserialization attacks
Persistence
3 techniques
The intrusion Rapid7 examined started through Microsoft Teams social engineering... and, in some cases, deployed AnyDesk for remote access.
The DWAgent installation chain included: dwagent.exe ... dwagsvc.exe DWAgent service
Privilege Escalation
2 techniques
Discovery
1 technique
Some of the notable tools include ... DWAgent, to enable persistent remote access and Active Directory reconnaissance SharpHound, to collect Active Directory information ... Certipy, a tool for Active Directory discovery and abuse
Lateral Movement
2 techniques
This included EARTHWORM for creating secret tunnels, DWAGENT for remote access, and SHARPHOUND for mapping the network.
After establishing initial access, the threat actors utilized RDP sessions and DWAgent, another remote management tool, to maintain persistence.
Command and Control
2 techniques
the threat actors downloaded and installed WinRAR... In one case, the actors installed both WinRAR and Google Chrome... Sophos observed the Akira actors dropping a bespoke Trojan
Specifically, Kimsuky leveraged legitimate VS Code tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities.
Impact
1 technique
Sitecore, widely used by Fortune 500 companies and large organizations, was found to have a major flaw in its handling of ASP.NET ViewState when default or sample machine keys were present.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering network infrastructure (IPs, domains, DNS) and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Legitimate remote management tool abused by the threat actor for persistence and remote control after credential compromise.
Legitimate remote administration tool abused for remote control and persistence (installed as a SYSTEM service) during post-exploitation activity.
A remote administration tool used to maintain access and facilitate deployment of additional payloads post-compromise.
A remote access tool used to maintain persistent access and assist with Active Directory reconnaissance.