S1206 JumbledPath
JumbledPath is a custom-built utility written in GO that has been used by Salt Typhoon since at least 2024 for packet capture on remote Cisco devices. JumbledPath is compiled as an ELF binary using x86-64 architecture which makes it potentially useable across Linux operating systems and network devices from multiple vendors.1
| Item | Value |
|---|---|
| ID | S1206 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 February 2025 |
| Last Modified | 15 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | JumbledPath can compress and encrypt exfiltrated packet captures from targeted devices.1 |
| enterprise | T1665 | Hide Infrastructure | JumbledPath can use a chain of jump hosts to communicate with compromised devices to obscure actor infrastructure.1 |
| enterprise | T1562 | Impair Defenses | JumbledPath can impair logging on all devices used along its connection path to compromised hosts.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.002 | Clear Linux or Mac System Logs | JumbledPath can clear logs on all devices used along its connection path to compromised network infrastructure.1 |
| enterprise | T1104 | Multi-Stage Channels | JumbledPath can communicate over a unique series of connections to send and retrieve data from exploited devices.1 |
| enterprise | T1040 | Network Sniffing | JumbledPath has the ability to perform packet capture on remote devices via actor-defined jump-hosts.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1045 | Salt Typhoon | 1 |