Home/ Threat Actors/ Velvet Ant

🌐Velvet Ant

🌐 Velvet Ant is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 22 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1047) ↗

14Use cases

0Articles

22Techniques

0IOCs

About this actor (MITRE)

[Velvet Ant](https://attack.mitre.org/groups/G1047) is a threat actor operating since at least 2021. [Velvet Ant](https://attack.mitre.org/groups/G1047) is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.(Citation: Sygnia VelvetAnt 2024A)(Citation: Sygnia VelvetAnt 2024B)

Known aliases

Velvet Ant

Top techniques

T1021.002 · SMB/Windows Admin Shares T1036.005 · Match Legitimate Resource Name or Location T1037.004 · RC Scripts

All other tracked techniques

T1040 · Network Sniffing T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1055 · Process Injection T1059.004 · Unix Shell T1071 · Application Layer Protocol T1078.003 · Local Accounts T1083 · File and Directory Discovery T1090.001 · Internal Proxy T1132 · Data Encoding T1133 · External Remote Services T1211 · Exploitation for Stealth T1569.002 · Service Execution T1570 · Lateral Tool Transfer T1571 · Non-Standard Port T1573.002 · Asymmetric Cryptography T1574.001 · DLL T1685 · Disable or Modify Tools T1686 · Disable or Modify System Firewall

Detection use cases (14)

Velvet Ant PlugX DLL search-order hijack: signed loader + sideloaded DLL + encrypted .DAT triplet on legacy servers AI · profile SΣ Velvet Ant internal C2 pivot from compromised F5 BIG-IP / network appliance to Windows estate (T1090.001 + T1133) AI · profile S Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Network connections to article IPs / domains MITRE match Remote service execution — PsExec / SMB lateral movement MITRE match