{"description": "Enterprise techniques used by SPAWNCHIMERA, ATT&CK software S9024 (v1.0)", "name": "SPAWNCHIMERA (S9024)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1037", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has modified the boot process files within `/tmp/coreboot_fs/bin/init` to establish persistence.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has searched the contents of two Python files, scanner.py and scanner_legacy.py, for specific lines and replaced them with values that reduce their ability to track mismatches or new files.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has extracted the device\u2019s Linux kernel image (vmlinux).(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has used delayed execution to pause for a defined interval before performing environment discovery, repeatedly checking for specific processes, such as the `dslogserver` process, prior to continuing execution.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has decoded an XOR-encoded private key.(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has modified the Ivanti Integrity Checker Tool to evade detection.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Picus Security UNC5221 Ivanti May 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has fixed a buffer overflow vulnerability (CVE-2025-0282) by hooking the strncpy function and limiting the size to 256 to prevent other actors from leveraging the exploit.(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has converted its process name to hexadecimal and verified an added value which is triggered when the first byte of the source copied to the fixed strncpy function matches `0x04050203`.(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.006", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has been compiled as a Position Independent Executable (PIE) to use a third-party library for injection.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has deleted generated files and folders from victim devices.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has updated the timestamp using the `touch` command.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has leveraged IPC using a UNIX domain socket between the dsmdm process and the web process.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has monitored and filtered network traffic on compromised edge devices, allowing legitimate traffic to pass while redirecting attacker-controlled traffic to infrastructure under adversary control.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has the ability to bind on localhost and listen on port 8300.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has encoded a private key with XOR.(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has also encrypted data to be extracted using AES encryption.(Citation: Google UNC5221 Ivanti April 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1690", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has disabled logging and log forwarding on Ivanti devices by targeting the `dslogserver` process.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: Picus Security UNC5221 Ivanti May 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has searched for running processes, including web or dsmdm.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.002", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has executed only in memory and hooked itself into existing processes on the victim device, including the web process.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has created SSH tunnels to facilitate C2 communications.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 Ivanti January 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has created web shells that facilitate actions on the victim host.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has checked whether SELinux is enabled on the targeted host.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has generated RSA keys against modified files to sign the manifest file, so they appear legitimate.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has obtained system information such as release, uptime, and current time.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SPAWNCHIMERA", "color": "#66b1ff"}]}