WARPWIRE is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during Cutting Edge to target Ivanti Connect Secure VPNs.[1][2]

ID: S1116
Platforms: Network
Version: 1.0
Created: 05 March 2024
Last Modified: 29 March 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

WARPWIRE is a credential harvester written in JavaScript.[1]

Enterprise T1554 Compromise Host Software Binary

WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

WARPWIRE can Base64 encode captured credentials with btoa() prior to sending to C2.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

WARPWIRE can send captured credentials to C2 via HTTP GET or POST requests.[1][2]

Enterprise T1056 .003 Input Capture: Web Portal Capture

WARPWIRE can capture credentials submitted during the web logon process in order to access layer seven applications such as RDP.[1]


ID Name Description
C0029 Cutting Edge