PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.[1]

ID: S1123
Platforms: Network
Version: 1.0
Created: 13 March 2024
Last Modified: 17 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

PITSTOP has the ability to receive shell commands over a Unix domain socket.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PITSTOP can deobfuscate base64 encoded and AES encrypted commands.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

PITSTOP has the ability to communicate over TLS.[1]

Enterprise T1559 Inter-Process Communication

PITSTOP can listen over the Unix domain socket located at /data/runtime/cockpit/wd.fd.[1]

Enterprise T1205 .002 Traffic Signaling: Socket Filters

PITSTOP can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located at /data/runtime/cockpit/wd.fd for a predefined magic byte sequence. PITSTOP can then duplicate the socket for further communication over TLS.[1]


ID Name Description
C0029 Cutting Edge