S1121 LITTLELAMB.WOOLTEA
LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.1
| Item | Value |
|---|---|
| ID | S1121 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 13 March 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1554 | Compromise Host Software Binary | LITTLELAMB.WOOLTEA can append malicious components to the tmp/tmpmnt/bin/samba_upgrade.tar archive inside the factory reset partition in an attempt to persist after a factory reset.1 |
| enterprise | T1543 | Create or Modify System Process | LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | LITTLELAMB.WOOLTEA can communicate over SSL using the private key from the Ivanti Connect Secure web server.1 |
| enterprise | T1083 | File and Directory Discovery | LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of /tmp/data/root/dev.1 |
| enterprise | T1095 | Non-Application Layer Protocol | LITTLELAMB.WOOLTEA can function as a stand-alone backdoor communicating over the /tmp/clientsDownload.sock socket.1 |
| enterprise | T1090 | Proxy | LITTLELAMB.WOOLTEA has the ability to function as a SOCKS proxy.1 |
| enterprise | T1082 | System Information Discovery | LITTLELAMB.WOOLTEA can check which type of Ivanti VPN device it is running on by calling first_run(), which reads the first four bytes of the motherboard serial number.1 |
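The T1554, T1083 and T1095 rows above name concrete artifacts: an upgrade archive that the backdoor appends to, a marker path it polls, and a Unix socket it listens on. The following Python is an added example, not code from the ATT&CK entry, from Mandiant's report, or from the malware itself. It builds a constructed sample archive, appends entries the way an append-based tamper does, and then audits the member list against a baseline manifest; it also checks for the two filesystem paths under a chosen root. The member names, the baseline manifest, the archive contents and the scratch root directory are assumptions made for illustration.

```python
import io
import os
import tarfile
import tempfile

# Paths taken from the ATT&CK entry for LITTLELAMB.WOOLTEA.
UPGRADE_MARKER = "/tmp/data/root/dev"          # presence signals a system upgrade (T1083)
BACKDOOR_SOCKET = "/tmp/clientsDownload.sock"  # stand-alone backdoor socket (T1095)


def _add_members(tf, members):
    """Write {name: bytes} entries to an open TarFile."""
    for name, data in members.items():
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))


def build_archive(path, members):
    """Create a fresh, uncompressed tar archive from the given members."""
    with tarfile.open(path, "w") as tf:
        _add_members(tf, members)


def append_to_archive(path, members):
    """Append members to an existing archive without rewriting it (tar mode 'a').

    GNU tar and Python's tarfile extract entries in archive order, so an
    appended entry that reuses an existing name overwrites the original on
    extraction. That is why appending to an upgrade bundle is enough to
    hijack it; nothing already in the archive has to be edited."""
    with tarfile.open(path, "a") as tf:
        _add_members(tf, members)


def audit_archive(path, baseline):
    """Compare an archive's member list with a baseline manifest (a set of names).

    Returns (finding, member_name) pairs: 'unexpected' for a name not in the
    baseline, 'duplicate' for a baseline name that occurs more than once, which
    is the footprint of an appended override. Only names are compared; hashing
    contents against a known-good copy would be the next step."""
    seen = set()
    findings = []
    with tarfile.open(path, "r") as tf:
        for member in tf.getmembers():
            if member.name not in baseline:
                findings.append(("unexpected", member.name))
            elif member.name in seen:
                findings.append(("duplicate", member.name))
            seen.add(member.name)
    return findings


def indicator_paths(root="/"):
    """Report whether the upgrade marker and backdoor socket exist under root.

    root defaults to the live filesystem; pass the mount point of an offline
    image to check a copy instead."""
    return {p: os.path.lexists(os.path.join(root, p.lstrip("/")))
            for p in (UPGRADE_MARKER, BACKDOOR_SOCKET)}


def demo():
    """Constructed scenario: audit a clean bundle, tamper with it by appending,
    audit again, then run the path check against a scratch root."""
    with tempfile.TemporaryDirectory() as root:
        tar_path = os.path.join(root, "samba_upgrade.tar")
        # Baseline manifest and archive contents are constructed for this
        # example; on a real appliance they would come from a known-good image.
        baseline = {"bin/samba", "bin/smb.conf"}
        build_archive(tar_path, {"bin/samba": b"\x7fELF-original",
                                 "bin/smb.conf": b"[global]\n"})
        clean = audit_archive(tar_path, baseline)

        # Tamper the way the T1554 row describes: append, do not rewrite.
        append_to_archive(tar_path, {"bin/samba": b"\x7fELF-replacement",
                                     "bin/.dropper": b"#!/bin/sh\n"})
        tampered = audit_archive(tar_path, baseline)

        # Create the upgrade marker under the scratch root; leave the socket absent.
        marker = os.path.join(root, UPGRADE_MARKER.lstrip("/"))
        os.makedirs(os.path.dirname(marker), exist_ok=True)
        open(marker, "w").close()
        indicators = indicator_paths(root)

    return {"clean": clean, "tampered": tampered, "indicators": indicators}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The duplicate-name finding is the one to watch for: an appended archive still contains every original member, so a simple "is the expected file present" check passes. On a real appliance the baseline should be the member list of a known-good copy of the same release rather than a hand-written set, and the path check should be run against an offline copy of the filesystem where possible, since the backdoor runs as a daemon on the live system.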