LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[1]

ID: S1121
Platforms: Network
Version: 1.0
Created: 13 March 2024
Last Modified: 17 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1554 Compromise Host Software Binary

LITTLELAMB.WOOLTEA can append malicious components to the tmp/tmpmnt/bin/samba_upgrade.tar archive inside the factory reset partition in attempt to persist post reset.[1]

Enterprise T1543 Create or Modify System Process

LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

LITTLELAMB.WOOLTEA can communicate over SSL using the private key from the Ivanti Connect Secure web server.[1]

Enterprise T1083 File and Directory Discovery

LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of /tmp/data/root/dev.[1]

Enterprise T1095 Non-Application Layer Protocol

LITTLELAMB.WOOLTEA can function as a stand-alone backdoor communicating over the /tmp/clientsDownload.sock socket.[1]

Enterprise T1090 Proxy

LITTLELAMB.WOOLTEA has the ability to function as a SOCKS proxy.[1]

Enterprise T1082 System Information Discovery

LITTLELAMB.WOOLTEA can check the type of Ivanti VPN device it is running on by executing first_run() to identify the first four bytes of the motherboard serial number.[1]


ID Name Description
C0029 Cutting Edge