MalwareUsed by 2 actorsExploits 1 CVE

Jaguar Tooth

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES

CVE-2017-6742Cisco IOS and IOS XE SNMP Remote Code ExecutionExploited in the wild

It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability CVE-2017-6742. ... If a valid SNMP community string is discovered, the threat actors exploit the CVE-2017-6742 SNMP vulnerability, fixed in June 2017. This vulnerability is an unauthenticated, remote code execution flaw with publicly available exploit code. | APT28 hackers have been exploiting an old SNMP flaw on Cisco IOS routers to deploy a custom malware named 'Jaguar Tooth.' Custom Cisco IOS router malware Jaguar Tooth is malware injected directly into the memory of Cisco routers running older firmware versions. Once installed, the malware exfiltrates information from the router and provides unauthenticated backdoor access to the device.

via bleeping computerbleepingcomputer.com

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

APT28

APT28 hackers have been exploiting an old SNMP flaw on Cisco IOS routers to deploy a custom malware named 'Jaguar Tooth.' Custom Cisco IOS router malware Jaguar Tooth is malware injected directly into the memory of Cisco routers running older firmware versions. Once installed, the malware exfiltrates information from the router and provides unauthenticated backdoor access to the device.

via bleeping computerbleepingcomputer.com

APT29

One of the NCSC's earlier advisories, dated April 2023, noted that similar attacks on Cisco routers resulted in APT28 deploying Jaguar Tooth malware, establishing backdoors for follow-on attacks.

via register securitygo.theregister.com

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique

T1595Active ScanningEvidence1

To install the malware, the threat actors scan for public Cisco routers using weak SNMP community strings, such as the commonly used 'public' string.

Initial Access

2 techniques

T1133External Remote ServicesEvidence1

...deploying Jaguar Tooth malware..., establishing backdoors for follow-on attacks.

T1190Exploit Public-Facing ApplicationEvidence2

It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability CVE-2017-6742.

Execution

1 technique

T1059Command and Scripting InterpreterEvidence1

the malware creates a new process named 'Service Policy Lock' that collects the output from the following Command Line Interface (CLI) commands

Persistence

1 technique

T1133External Remote ServicesEvidence1

...deploying Jaguar Tooth malware..., establishing backdoors for follow-on attacks.

Command and Control

1 technique

T1105Ingress Tool TransferEvidence1

...similar attacks on Cisco routers resulted in APT28 deploying Jaguar Tooth malware..., establishing backdoors for follow-on attacks.

Exfiltration

1 technique

T1048Exfiltration Over Alternative ProtocolEvidence1

It includes functionality to collect device information, which it exfiltrates over TFTP

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

Apr 7, 2026

Russia's APT28 behind latest wave of router, DNS attacks • The Register

Malware deployed by APT28 on compromised Cisco routers to establish a backdoor for follow-on attacks.

bleeping computerNews

Apr 18, 2023

US, UK warn of govt hackers using custom malware on Cisco routers

Custom, non-persistent Cisco IOS router malware that is injected into router memory, collects device information, exfiltrates it over TFTP, and enables unauthenticated backdoor access including access to existing local accounts without password verification via Telnet or physical session.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.