PHASEJAM

PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)-affiliated actors identified as UNC5221 and SYLVANITE.[1][2]

ID: S9014
Type: MALWARE
Platforms: Linux, Network Devices
Contributors: Dragos Threat Intelligence
Version: 1.0
Created: 16 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1059 .008 Command and Scripting Interpreter: Network Device CLI

PHASEJAM has leveraged native commands associated with the compromised network appliance to execute code.[2]

Enterprise T1554 Compromise Host Software Binary

PHASEJAM has modified legitimate components to enable persistence and execution, including inserting a web shell into getComponent.cgi and restAuth.cgi, modifying DSUpgrade.pm to block system upgrades, and overwriting remotedebug to execute arbitrary commands when specific parameters are provided.[2]

Enterprise T1565 Data Manipulation

PHASEJAM has blocked legitimate upgrades of Ivanti Connect Secure systems and falsely indicated a successful upgrade while the appliance continued operating on the older version.[2]

Enterprise T1678 Delay Execution

PHASEJAM has used the sleep command within its code to generate a fake HTML upgrade progress bar that mimics a running process.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

PHASEJAM has the ability to decode Base64 commands and data.[2]

Enterprise T1685 Disable or Modify Tools

PHASEJAM has modified Ivanti Connect Secure appliances and blocked system upgrades by altering the DSUpgrade.pm file.[2]

.003 Modify or Spoof Tool UI

PHASEJAM has prevented legitimate Ivanti Connect Secure system upgrades by intercepting the upgrade command and rendering a fake HTML upgrade progress bar through a function called processUpgradeDisplay(), which allowed the compromised device to remain under the control of the adversary.[2]

Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

PHASEJAM has used a bash script to modify components on Ivanti Connect Secure appliances and execute files via /bin/bash.[1] It has also used the Linux stream editor (sed) to execute commands.[2]

Enterprise T1041 Exfiltration Over C2 Channel

PHASEJAM has the ability to exfiltrate data from the victim appliance.[2]

Enterprise T1105 Ingress Tool Transfer

PHASEJAM has the ability to upload files onto the compromised appliance.[2]

Enterprise T1036 .003 Masquerading: Rename Legitimate Utilities

PHASEJAM has renamed the file /home/bin/remotedebug to remotedebug.bak, allowing the threat actors to write a malicious /home/bin/remotedebug shell script.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

PHASEJAM has encoded commands with Base64.[2]

.013 Obfuscated Files or Information: Encrypted/Encoded File

PHASEJAM has launched a webshell using the MIME::Base64 module that encoded and decoded Base64 commands.[2]

Enterprise T1505 .003 Server Software Component: Web Shell

PHASEJAM has inserted Perl-based web shells into legitimate files that provided threat actors with remote access and code execution capabilities on the compromised network appliance.[2]

Enterprise T1489 Service Stop

PHASEJAM has disabled the cgi-server process on Ivanti Connect Secure appliances.[2]
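The file-level changes listed above (remotedebug renamed to remotedebug.bak and replaced by a script, DSUpgrade.pm altered to draw a fake progress bar, Perl web shells inserted into getComponent.cgi and restAuth.cgi) lend themselves to a simple offline triage check. The following Python is an added example, not code from MITRE, Ivanti or the cited reports; it assumes an offline copy of the appliance file system in which the named files can be located by name, that the unmodified remotedebug is a native binary rather than a script, and that the markers processUpgradeDisplay and MIME::Base64 appear verbatim in modified files.

```python
import os
import re
import tempfile

# Names the page reports PHASEJAM touching; matched by name, so no layout beyond /home/bin is assumed.
WATCHED = {"getComponent.cgi", "restAuth.cgi", "DSUpgrade.pm",
           "remotedebug", "remotedebug.bak"}
WEBSHELL_RE = re.compile(rb"MIME::Base64|decode_base64\s*\(")  # page: MIME::Base64 web shell
UPGRADE_RE = re.compile(rb"processUpgradeDisplay")  # page: fake progress bar function

def triage(name, data):
    """Return a note for one watched file, or '' if nothing stands out."""
    if name == "remotedebug.bak":
        return "backup of remotedebug present (rename-then-overwrite pattern)"
    if name == "remotedebug" and data.startswith(b"#!"):
        return "remotedebug is a shell script; baseline assumed to be a native binary"
    if name == "DSUpgrade.pm" and UPGRADE_RE.search(data):
        return "upgrade handler references processUpgradeDisplay (fake progress bar)"
    if name.endswith(".cgi") and WEBSHELL_RE.search(data):
        return "Base64 decoding in CGI; diff against a known-good copy before concluding"
    return ""

def scan_tree(root):
    """Walk the tree and collect triage notes, keyed by path relative to root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in set(names) & WATCHED:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                note = triage(name, fh.read())
            if note:
                findings.append(f"{os.path.relpath(path, root)}: {note}")
    return sorted(findings)

def demo():
    """Constructed sample tree mimicking the page's file changes; returns findings."""
    root = tempfile.mkdtemp()
    samples = {  # contents are harmless stand-ins, constructed for this example
        "home/bin/remotedebug.bak": b"\x7fELF original binary stand-in",
        "home/bin/remotedebug": b"#!/bin/bash\n# stand-in, no payload\n",
        "home/perl/DSUpgrade.pm": b"sub processUpgradeDisplay { sleep 1 }\n",
        "cgi/restAuth.cgi": b"use MIME::Base64;\nmy $c = decode_base64($q);\n",
        "cgi/getComponent.cgi": b"#!/usr/bin/perl\nprint 'unmodified';\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return scan_tree(root)
```

The notes are triage leads, not verdicts: a hit on the CGI or DSUpgrade.pm checks should be confirmed by comparing the file against a known-good copy from vendor media.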

References