DRYHOOK

DRYHOOK is a Python script used to steal credentials. DRYHOOK was first reported in January 2025, and has previously been leveraged by People's Republic of China (PRC) state-affiliated threat actors identified as UNC5221 and SYLVANITE.[1][2][3]

ID: S9013
Type: MALWARE
Platforms: Linux, Network Devices
Contributors: Dragos Threat Intelligence
Version: 1.0
Created: 14 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1059 .006 Command and Scripting Interpreter: Python

DRYHOOK is a Python-based script that executes within the victim environment.[2][3]

Enterprise T1059 .008 Command and Scripting Interpreter: Network Device CLI

DRYHOOK has the ability to interact with Ivanti Connect Secure environments and to modify system components.[2][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

DRYHOOK has stored stolen credentials for future use in the temp folder of a victimized Ivanti Connect Secure VPN device, specifically in the file location /tmp/cmmmap.kumMW.[2][3]

Enterprise T1685 Disable or Modify Tools

DRYHOOK has killed all instances of the cgi-server process in order for the modified Perl module to be activated.[2]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac Permissions

DRYHOOK has the ability to remount the filesystem as read-write in order to make changes, and then restore it to read-only before killing processes to apply the modifications.[2][3]

Enterprise T1056 .001 Input Capture: Keylogging

DRYHOOK has captured user credentials and passwords in plaintext and stored them, encrypted, in a file on the network device.[2][3]

Enterprise T1556 Modify Authentication Process

DRYHOOK has intercepted and logged user credentials by modifying the Perl module /home/perl/DSAuth.pm on Ivanti Connect Secure VPN edge devices.[2][3]

Enterprise T1556 .004 Modify Authentication Process: Network Device Authentication

DRYHOOK has patched victim appliances' authentication routines to capture credentials in plaintext as users log in.[2]

Enterprise T1601 Modify System Image

DRYHOOK has modified the Ivanti Connect Secure VPN authentication Perl module DSAuth.pm by reading its contents into a buffer, then finding and replacing select lines of code.[2][3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

DRYHOOK has encrypted stolen credential strings within a file using both Base64 and RC4 with a hard-coded key.[2][3]

Enterprise T1489 Service Stop

DRYHOOK has terminated all instances of the cgi-server process before activating the modified DSAuth.pm file.[2]
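The technique rows above name a small set of host observables: a read-write remount followed by a read-only remount, termination of cgi-server, modification of /home/perl/DSAuth.pm, and a staging file at /tmp/cmmmap.kumMW. The following Python sketch is an added illustration for defenders, not code from the ATT&CK entry or from the cited reports. It turns those observables into two checks: a rule scan over command-audit log lines (the log format "<timestamp> <user> CMD <command>" and all sample lines are constructed for this example and are not real appliance logs) and a file-integrity comparison of the authentication module against a known-good SHA-256 baseline that an operator would have recorded from a clean image.

```python
"""Detection sketch for the DRYHOOK behaviours listed in the ATT&CK entry.

Added example; the log format and sample lines are constructed, and the
baseline hash must come from a known-clean copy of the module.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Observables taken from the ATT&CK technique table
STAGING_FILE = "/tmp/cmmmap.kumMW"
AUTH_MODULE = "/home/perl/DSAuth.pm"

# Constructed command-audit lines (assumed format: "<ts> <user> CMD <cmd>");
# they are illustrative only, not a capture from a real device.
SAMPLE_LOG = """\
2025-01-10T02:14:01Z root CMD mount -o remount,rw /
2025-01-10T02:14:03Z root CMD mount -o remount,ro /
2025-01-10T02:14:04Z root CMD pkill -9 cgi-server
2025-01-10T02:15:00Z admin CMD ls -la /home/perl
2025-01-10T03:40:11Z root CMD cat /tmp/cmmmap.kumMW
"""


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique the rule maps to
    line_no: int     # 1-based line number in the scanned log
    line: str        # the matching log line


# Each rule pairs a technique label with a regex over the command text.
# The read-write remount rule deliberately requires "rw" so the normal
# restore to read-only ("remount,ro") does not fire on its own.
RULES = [
    ("T1222.002 remount read-write",
     re.compile(r"\bmount\b.*\bremount\b.*\brw\b")),
    ("T1489 cgi-server terminated",
     re.compile(r"\b(pkill|killall|kill)\b.*cgi-server")),
    ("T1074.001 staging file",
     re.compile(re.escape(STAGING_FILE))),
    ("T1601 auth module touched",
     re.compile(re.escape(AUTH_MODULE))),
]


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for technique, rx in RULES:
            if rx.search(line):
                findings.append(Finding(technique, n, line))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def module_is_tampered(content: bytes, baseline_sha256: str) -> bool:
    """True when the module bytes no longer match the recorded clean hash."""
    return sha256_hex(content) != baseline_sha256.lower()


def check_module_file(path: str, baseline_sha256: str) -> bool:
    """Read the module from disk and compare it to the baseline."""
    with open(path, "rb") as fh:
        return module_is_tampered(fh.read(), baseline_sha256)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.technique}: {f.line}")
    # On a real appliance: check_module_file(AUTH_MODULE, "<baseline-from-clean-image>")
```

Running the scan over the constructed sample flags lines 1, 3 and 5; the read-only remount on line 2 and the directory listing on line 4 are not reported on their own. The log rules are only as good as the audit source feeding them, so the hash comparison is the more reliable signal for the DSAuth.pm modification, provided the baseline was taken before any compromise.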

References