BRUSHFIRE

BRUSHFIRE is a passive backdoor written in C that executes in-memory within an existing process. First reported in March 2025, BRUSHFIRE has been observed in activity attributed to People's Republic of China (PRC) state-affiliated threat actors, including UNC5221 and SYLVANITE.[1][2][3]

ID: S9011
Type: MALWARE
Platforms: Linux, Network Devices
Contributors: Dragos Threat Intelligence
Version: 1.0
Created: 13 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain: Enterprise | ID: T1140 | Name: Deobfuscate/Decode Files or Information
Use: BRUSHFIRE has decrypted XOR-encoded strings prior to execution.[2]

Domain: Enterprise | ID: T1048.002 | Name: Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Use: BRUSHFIRE has the ability to exfiltrate data on demand: it executes commands obtained by monitoring for specially crafted packets and returns the output embedded in an SSL response.[3]

Domain: Enterprise | ID: T1620 | Name: Reflective Code Loading
Use: BRUSHFIRE has executed its commands in memory; the code is not saved to disk.[2][3]

Domain: Enterprise | ID: T1205 | Name: Traffic Signaling
Use: BRUSHFIRE has monitored inbound VPN traffic to compromised appliances, waiting for inbound packets that contain a specific magic string/pattern, rather than beaconing outward.[3]

References