TRAILBLAZE is an in-memory dropper used to deploy the passive backdoor BRUSHFIRE. First reported in March 2025, TRAILBLAZE has been observed in operations attributed to People's Republic of China (PRC) state-sponsored and affiliated actors, including UNC5221 and SYLVANITE. [1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1070.004 | Indicator Removal: File Deletion | TRAILBLAZE has the ability to delete temporary files and contents in specified directories to cover its tracks.[2][3] |
| Enterprise | T1106 | Native API | TRAILBLAZE has leveraged raw syscalls to execute commands.[2][3] |
| Enterprise | T1057 | Process Discovery | TRAILBLAZE has conducted process discovery by searching for specific named processes such as |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | TRAILBLAZE has injected a hook into an existing process to load BRUSHFIRE in the space's allocated memory, including the Ivanti Connect Secure (ICS) web process named |
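As an added illustration, not code from the cited reports or from the TRAILBLAZE sample, the following Linux C program shows the mechanics behind two rows of the table: finding a process by name through `/proc` (T1057) and issuing a syscall directly with the `syscall`/`svc` instruction instead of the libc wrapper (T1106). The command-line target name and the `sshd` default are placeholders chosen for this example; the process name elided on the page is not reproduced.

```c
// Added example (not from MITRE, Mandiant, or the TRAILBLAZE sample).
// Demonstrates on Linux: process discovery by name via /proc (T1057) and a
// raw getpid syscall that bypasses libc (T1106). Build: cc -O2 proc_scan.c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Read /proc/<pid>/comm (the kernel task name, at most 15 characters) into
// buf, stripping the trailing newline. Returns 0 on success, -1 otherwise.
int read_comm(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

// Walk /proc and count tasks whose comm equals `name`; the first matching pid
// is stored in *first_pid when non-NULL. Returns -1 if /proc is unreadable.
// Caveat: comm is truncated to 15 chars and can be rewritten with
// prctl(PR_SET_NAME), so a defender should also compare /proc/<pid>/exe.
int count_procs_named(const char *name, pid_t *first_pid)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;  // pids only
        pid_t pid = (pid_t)atoi(e->d_name);
        char comm[32];
        if (read_comm(pid, comm, sizeof comm) != 0) continue;  // exited or denied
        if (strcmp(comm, name) == 0) {
            if (count == 0 && first_pid) *first_pid = pid;
            count++;
        }
    }
    closedir(d);
    return count;
}

// getpid issued straight to the kernel; libc's wrapper (and any hook placed on
// it) is never called. Syscall numbers are per-architecture: 39 on x86-64,
// 172 on AArch64. Other targets fall back to the libc syscall(2) wrapper.
long raw_getpid(void)
{
    long ret;
#if defined(__x86_64__)
    __asm__ volatile ("syscall" : "=a"(ret) : "a"(39L) : "rcx", "r11", "memory");
#elif defined(__aarch64__)
    register long nr __asm__("x8") = 172;
    register long x0 __asm__("x0");
    __asm__ volatile ("svc #0" : "=r"(x0) : "r"(nr) : "memory");
    ret = x0;
#else
    ret = syscall(SYS_getpid);
#endif
    return ret;
}

// Sanity check used below: the running process must find itself by its comm.
int self_visible_in_proc(void)
{
    char comm[32];
    if (read_comm(getpid(), comm, sizeof comm) != 0) return 0;
    return count_procs_named(comm, NULL) >= 1;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "sshd";  // placeholder name
    pid_t first = 0;
    int n = count_procs_named(target, &first);
    printf("raw getpid() = %ld, libc getpid() = %d\n", raw_getpid(), (int)getpid());
    if (n > 0)
        printf("%d process(es) named %s, first pid %d\n", n, target, (int)first);
    else
        printf("no process named %s\n", target);
    return 0;
}
```

Run it as `./a.out <name>` to see how cheaply a dropper can locate a host process to target; on the defensive side, the same `/proc` walk is what you cross-check against `/proc/<pid>/exe` and `/proc/<pid>/maps` when hunting for a process whose image has been replaced in memory.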