
G1047 Velvet Ant

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero-day exploits. [2][1]

ID: G1047
Associated Names: (none)
Version: 1.0
Created: 14 March 2025
Last Modified: 04 April 2025

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | Velvet Ant has used reverse SSH tunnels to communicate with victim devices. [2]
enterprise | T1037 | Boot or Logon Initialization Scripts | -
enterprise | T1037.004 | RC Scripts | Velvet Ant used a modified /etc/rc.local file on compromised F5 BIG-IP devices to maintain persistence. [2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.004 | Unix Shell | Velvet Ant used a custom tool, VELVETSTING, to parse encoded inbound commands to compromised F5 BIG-IP devices and then execute them via the Unix shell. [2]
enterprise | T1132 | Data Encoding | Velvet Ant sent commands to compromised F5 BIG-IP devices in an encoded format that required a passkey before interpretation and execution. [2]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.002 | Asymmetric Cryptography | Velvet Ant has used a reverse SSH shell to communicate securely with victim devices. [2]
enterprise | T1211 | Exploitation for Defense Evasion | Velvet Ant exploited CVE-2024-20399 in Cisco switches to which the threat actor could already authenticate, in order to escape the NX-OS command line interface and gain access to the underlying operating system for arbitrary command execution. [1]
enterprise | T1133 | External Remote Services | Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments. [2]
enterprise | T1083 | File and Directory Discovery | Velvet Ant has enumerated local files and folders on victim devices. [2]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.001 | DLL | Velvet Ant has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX. [2]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.001 | Disable or Modify Tools | Velvet Ant attempted to disable local security tools and endpoint detection and response (EDR) software during operations. [2]
enterprise | T1562.004 | Disable or Modify System Firewall | Velvet Ant modified system firewall settings during PlugX installation, using netsh.exe to open a listening, random high-numbered port on victim devices. [2]
enterprise | T1570 | Lateral Tool Transfer | Velvet Ant transferred files laterally within victim networks using the Impacket toolkit. [2]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Resource Name or Location | Velvet Ant used a malicious DLL, iviewers.dll, that mimics the legitimate "OLE/COM Object Viewer" within Windows. [2]
enterprise | T1040 | Network Sniffing | Velvet Ant has used a custom tool, VELVETTAP, to perform packet capture from compromised F5 BIG-IP devices. [2]
enterprise | T1571 | Non-Standard Port | Velvet Ant has used random high-numbered ports for PlugX listeners on victim devices. [2]
enterprise | T1055 | Process Injection | Velvet Ant's initial execution included launching multiple svchost processes and injecting code into them. [2]
enterprise | T1090 | Proxy | -
enterprise | T1090.001 | Internal Proxy | Velvet Ant has tunneled traffic from victims through an internal, compromised host to proxy communications to command and control nodes. [2]
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | Velvet Ant has transferred tools within victim environments using SMB. [2]
enterprise | T1049 | System Network Connections Discovery | Velvet Ant has enumerated existing network connections on victim devices. [2]
enterprise | T1569 | System Services | -
enterprise | T1569.002 | Service Execution | Velvet Ant installed and executed PlugX as a Windows service. [2]
enterprise | T1078 | Valid Accounts | -
enterprise | T1078.003 | Local Accounts | Velvet Ant accessed vulnerable Cisco switch devices using accounts with administrator privileges. [1]
enterprise | T1047 | Windows Management Instrumentation | Velvet Ant used the wmiexec.py tool within Impacket for remote process execution via WMI. [2]

Software

ID | Name | References | Techniques
S0357 | Impacket | Velvet Ant used Impacket for lateral tool transfer and remote process execution. [2] | LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle; Lateral Tool Transfer; Network Sniffing; NTDS: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Kerberoasting: Steal or Forge Kerberos Tickets; Ccache Files: Steal or Forge Kerberos Tickets; Service Execution: System Services; Windows Management Instrumentation
S0013 | PlugX | Velvet Ant heavily relies on variants of PlugX for various phases of operations. [2] | Web Protocols: Application Layer Protocol; DNS: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Local Data Staging: Data Staged; Debugger Evasion; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Mutual Exclusion: Execution Guardrails; Exfiltration Over C2 Channel; File and Directory Discovery; Hidden Files and Directories: Hide Artifacts; Hidden Window: Hide Artifacts; DLL: Hijack Execution Flow; Disable or Modify System Firewall: Impair Defenses; Clear Persistence: Indicator Removal; File Deletion: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Local Storage Discovery; Masquerade Task or Service: Masquerading; Match Legitimate Resource Name or Location: Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Binary Padding: Obfuscated Files or Information; Dynamic API Resolution: Obfuscated Files or Information; Obfuscated Files or Information; Encrypted/Encoded File: Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task: Scheduled Task/Job; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; MSBuild: Trusted Developer Utilities Proxy Execution; Malicious File: User Execution; System Checks: Virtualization/Sandbox Evasion; Dead Drop Resolver: Web Service

References