China-Linked Campaigns Target F5 and Edge Infrastructure (2023–2025)

Threat Research Team

Introduction

Between 2023 and 2025, multiple China-linked threat actors systematically targeted F5 BIG-IP and other edge infrastructure appliances, combining long-term espionage with opportunistic exploitation of publicly disclosed vulnerabilities. These operations involved source code theft, credential compromise, and deployment of sophisticated malware to maintain persistent access across enterprise and government networks. This brief analyzes the chronology of these campaigns, highlights tradecraft consistent with Chinese state-sponsored activity, and provides actionable recommendations for mitigation and detection.

1. Early Access Operations: UNC5174 Exploits BIG-IP Vulnerabilities (2023–2024)

In late 2023 and throughout 2024, a China-nexus threat actor tracked as UNC5174 exploited the critical F5 BIG-IP TMUI vulnerability (CVE-2023-46747) to gain remote code execution on exposed systems. Operating primarily as an initial access broker, the group sold compromised environments to other espionage and financially motivated actors. Their exploitation patterns revealed a preference for targeting internet-facing management interfaces and using compromised F5 appliances as footholds for deeper network infiltration.

Indicators of Compromise (CVE-2023-46747):

IP             CIDR            AUGURED    FIRST SEEN   LAST SEEN
45.92.70.68    45.92.70.0/24   Oct 2023   20-Sep-24    22-Jan-25
45.92.70.113   45.92.70.0/24   Oct 2023   20-Sep-24    22-Jan-25
45.92.70.71    45.92.70.0/24   Oct 2023   20-Sep-24    22-Jan-25
45.92.70.115   45.92.70.0/24   Oct 2023   20-Sep-24    22-Jan-25

2. Long-Term Espionage: Velvet Ant’s Multi-Year Persistence (2021–2024)

From 2021 to 2024, the China-linked Velvet Ant group maintained undetected access for nearly three years by exploiting legacy F5 BIG-IP appliances within a trusted enterprise network. Using malware families such as PlugX and ShadowPad, and custom implants such as VELVETTAP and VELVETSTING, the operators exfiltrated sensitive data and proxied internal traffic.

Their tradecraft demonstrated a high degree of technical sophistication and emphasized the risk of leaving end-of-life network appliances in production. The attackers relied on DLL side-loading and C2 infrastructure traced to multiple IPs located in Asia.

3. Widespread Edge Exploitation: Chinese APTs Target VPNs and Firewalls (2024–2025)

By early 2024, multiple Chinese state-sponsored groups expanded operations to include Citrix ADC, Fortinet FortiGate, and Ivanti Connect Secure appliances. Vulnerabilities like CVE-2020-5902 and CVE-2024-21793 remained active exploitation targets due to delayed patching cycles.

Reports from Google TAG, Mandiant, and CISA identified UNC5221, another China-nexus espionage group, as exploiting CVE-2025-22457 in Ivanti Connect Secure versions 22.7R2.5 and earlier. This campaign deployed the TRAILBLAZE, BRUSHFIRE, and SPAWN malware families, leveraging compromised QNAP, ASUS, and Cyberoam routers for stealthy command-and-control.

Exploitation was observed within weeks of vendor patch releases, indicating deep operational knowledge and possible access to insider or leaked vulnerability data.

4. Strategic Compromise: F5 Networks Breach and Source Code Theft (2025)

In October 2025, F5 Networks disclosed that a nation-state actor, assessed to be China-linked, breached its internal engineering and development networks. The attackers stole BIG-IP source code, internal vulnerability-tracking data, and operational documentation used for patch planning.

The breach persisted for nearly a year before detection in August 2025, and analysts quickly connected it to the same infrastructure and tooling used in Ivanti exploitation campaigns. The BRICKSTORM malware and UNC5221 were both implicated.

Following the disclosure, CISA issued Emergency Directive ED 26-01, requiring federal agencies to identify F5 BIG-IP deployments, assess exposure of management interfaces, and patch or isolate affected systems by October 22, 2025. Experts warned that the stolen vulnerability data could accelerate the weaponization of zero-day exploits, increasing the risk for all F5 customers.

5. Broader Campaign Assessment

The timeline from 2023 through 2025 demonstrates a coordinated Chinese espionage strategy targeting edge network infrastructure and software supply chains. The tradecraft observed over a multi-year period, including the exploitation of high-value appliances, the deployment of custom malware, and the theft of engineering data, is consistent with Chinese state-linked actors.

Velvet Ant, UNC5174, and UNC5221 exhibit complementary operational layers: initial access, long-term espionage, and vendor compromise. These campaigns focus on network edge devices (F5 BIG-IP, Ivanti Connect Secure, Citrix ADC, Fortinet FortiGate) that handle traffic routing, authentication, and encryption, providing ideal vantage points for covert surveillance.

The pattern underscores a strategic objective: persistent, global access to enterprise and government perimeters, enabling intelligence collection, pre-positioning for future operations, and rapid weaponization of vulnerabilities using stolen source code and internal data.

6. Recommendations

  1. Immediate Hardening and Patching
    • Apply all F5 and Ivanti advisories, especially CVE-2024-21793, CVE-2024-26026, and CVE-2025-22457.
    • Restrict all F5 BIG-IP management interfaces from public exposure; enforce VPN and MFA access.

  2. Network Segmentation and Isolation
    • Adopt preemptive cybersecurity tools such as Augur to bolster traditional detection and response ahead of first attacks and to reduce alert noise in the SOC.
    • Isolate legacy or end-of-life appliances from production environments.
    • Implement strict monitoring of east-west traffic in edge device subnets.

  3. Threat Hunting and IOC Sweeps
    • Search for known Velvet Ant and UNC5174 IPs and malware families (PlugX, ShadowPad, BRUSHFIRE, TRAILBLAZE).
    • Analyze logs for anomalous management-plane access or unusual SSL/TLS beaconing.

  4. Supply Chain and Insider Risk Review
    • Conduct vendor risk assessments to verify patching timelines and exposure of F5/Ivanti devices.
    • Monitor for exploits derived from stolen F5 source code across threat intelligence feeds.

  5. Long-Term Mitigation Strategy
    • Replace unsupported appliances; adopt zero-trust edge architectures and runtime integrity monitoring.
    • Establish internal processes to rapidly detect and remediate vulnerabilities post-disclosure.
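The IoC table in section 1 and the threat-hunting recommendations above (IoC sweeps, anomalous management-plane access, unusual SSL/TLS beaconing) can be turned into a small offline hunt script. The following is an added example, not code from the brief or from Augur: it takes the four listed IoC addresses and their /24, a constructed flow log, and assumed placeholder values for the BIG-IP management address (`10.10.1.5`), its management ports, and the only source range allowed to reach them (`10.10.0.0/16`). It reports three things: flows that touch a listed IoC IP or CIDR, management-plane connections from outside the allowed range, and outbound TLS pairs whose connection intervals are nearly constant, which is the signature a periodic beacon leaves in flow logs.

```python
"""IoC sweep and management-plane checks over a constructed flow log (added example)."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# IoC addresses and CIDR from the brief's CVE-2023-46747 table.
IOC_IPS = {"45.92.70.68", "45.92.70.113", "45.92.70.71", "45.92.70.115"}
IOC_CIDRS = [ipaddress.ip_network("45.92.70.0/24")]

# Assumptions (placeholders, not from the brief): the BIG-IP management
# address, its management-plane ports (TMUI over HTTPS, SSH), and the only
# source range allowed to reach them (for example, the VPN client pool).
MGMT_ADDR = "10.10.1.5"
MGMT_PORTS = {443, 22}
MGMT_ALLOWED = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample flow log: "<ISO timestamp> <src> <dst> <dst_port> <proto>".
# The last five lines simulate a TLS beacon leaving the appliance every ~5 minutes.
SAMPLE_LOG = """\
2025-01-20T10:00:00 45.92.70.68 10.10.1.5 443 tls
2025-01-20T10:00:05 10.10.4.20 10.10.1.5 443 tls
2025-01-20T10:01:00 10.10.4.20 10.10.1.5 22 ssh
2025-01-20T10:02:00 203.0.113.9 10.10.1.5 443 tls
2025-01-20T11:00:00 10.10.1.5 198.51.100.7 443 tls
2025-01-20T11:05:00 10.10.1.5 198.51.100.7 443 tls
2025-01-20T11:10:01 10.10.1.5 198.51.100.7 443 tls
2025-01-20T11:15:00 10.10.1.5 198.51.100.7 443 tls
2025-01-20T11:19:59 10.10.1.5 198.51.100.7 443 tls
"""


def parse_log(text):
    """Parse whitespace-separated flow records into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "proto": proto})
    return events


def _in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def ioc_hits(events):
    """Return (event, reason) pairs for flows whose source or destination is a listed IoC."""
    hits = []
    for ev in events:
        for ip in (ev["src"], ev["dst"]):
            if ip in IOC_IPS:
                hits.append((ev, "ioc-ip"))
                break
            if _in_any(ip, IOC_CIDRS):
                hits.append((ev, "ioc-cidr"))
                break
    return hits


def mgmt_anomalies(events):
    """Flows to the management address on a management port from outside the allowed range."""
    return [ev for ev in events
            if ev["dst"] == MGMT_ADDR and ev["port"] in MGMT_PORTS
            and not _in_any(ev["src"], MGMT_ALLOWED)]


def beacon_candidates(events, min_conns=5, max_cv=0.1):
    """Group TLS flows by (src, dst, port) and flag groups whose inter-arrival times
    are nearly constant: coefficient of variation (stdev / mean) at or below max_cv."""
    groups = defaultdict(list)
    for ev in events:
        if ev["proto"] == "tls":
            groups[(ev["src"], ev["dst"], ev["port"])].append(ev["ts"])
    candidates = {}
    for key, stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            candidates[key] = {"count": len(stamps), "mean_interval_s": mean, "cv": cv}
    return candidates


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, why in ioc_hits(evs):
        print(f"IOC  {why:8} {ev['src']} -> {ev['dst']}:{ev['port']}")
    for ev in mgmt_anomalies(evs):
        print(f"MGMT external source {ev['src']} -> {ev['dst']}:{ev['port']}")
    for (src, dst, port), info in beacon_candidates(evs).items():
        print(f"BEACON {src} -> {dst}:{port} n={info['count']} "
              f"mean={info['mean_interval_s']:.0f}s cv={info['cv']:.3f}")
```

On the sample log the script reports one IoC hit (45.92.70.68 reaching the management address), two management-plane connections from outside the allowed range (the IoC address and 203.0.113.9), and one beacon candidate with a 300-second mean interval. The interval threshold and `max_cv` are tuning knobs: legitimate monitoring and health-check traffic is also periodic, so beacon candidates are a starting point for triage against an allowlist of known destinations, not an alert on their own.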

Summary of CVEs, affected devices, and threat actors:

CVE-2020-5902
  Device / Vendor: F5 BIG-IP
  Actor(s): Chinese APTs
  Exploit Type / Tradecraft: Remote code execution via TMUI; edge device compromise
  Notes / References: Popular legacy vulnerability; exploited due to delayed patching

CVE-2023-46747
  Device / Vendor: F5 BIG-IP
  Actor(s): UNC5174
  Exploit Type / Tradecraft: Remote code execution; initial access broker
  Notes / References: Sold access to other actors; targeted exposed management interfaces

CVE-2024-21793
  Device / Vendor: F5 BIG-IP
  Actor(s): Multiple (UNC3524, Volt Typhoon, ransomware affiliates)
  Exploit Type / Tradecraft: Exploit chaining; rapid PoC weaponization
  Notes / References: Targeted widespread enterprise edge networks; fed into multi-tier exploitation

CVE-2024-26026
  Device / Vendor: F5 BIG-IP
  Actor(s): Multiple
  Exploit Type / Tradecraft: Remote exploitation; part of scanning and reconnaissance surge
  Notes / References: Exposed internet-facing management planes; used in opportunistic campaigns

CVE-2023-46805
  Device / Vendor: Ivanti Connect Secure
  Actor(s): UNC5221
  Exploit Type / Tradecraft: VPN appliance exploitation; stealth intrusion
  Notes / References: Precursor to 2025 Ivanti campaigns; part of systematic edge targeting

CVE-2024-21887
  Device / Vendor: Ivanti Connect Secure
  Actor(s): UNC5221
  Exploit Type / Tradecraft: VPN exploitation; stealth backdoors
  Notes / References: Early exploitation of VPN vulnerabilities; used TRAILBLAZE / SPAWN malware

CVE-2025-0282
  Device / Vendor: Ivanti Connect Secure
  Actor(s): UNC5221
  Exploit Type / Tradecraft: VPN exploitation; in-memory implants
  Notes / References: Rapidly weaponized post-disclosure; shows advanced knowledge of patching cycles

CVE-2025-22457
  Device / Vendor: Ivanti Connect Secure 22.7R2.5 and earlier
  Actor(s): UNC5221
  Exploit Type / Tradecraft: Buffer overflow; custom malware implants
  Notes / References: Deployed TRAILBLAZE (dropper), BRUSHFIRE (backdoor), SPAWN malware; obfuscated via compromised routers

Sources

  1. China-linked Group Exploited Legacy F5 BIG-IP Appliances for 3 Years
    https://www.scworld.com/news/china-linked-group-exploited-legacy-f5-bigip-appliances-for-3-years
  2. UNC5174 Targets F5 BIG-IP Vulnerability to Sell Access to Chinese Cybercriminal Groups
    https://thehackernews.com/2024/03/unc5174-targets-f5-big-ip-vulnerability.html
  3. Chinese Hackers Exploit New F5 BIG-IP Zero-Day (CVE-2024-21793)
    https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-new-f5-big-ip-zero-day-cve-2024-21793/
  4. UNC5221 Exploiting Ivanti Zero-Days in Global Campaigns
    https://www.mandiant.com/resources/blog/unc5221-exploiting-ivanti-zero-days
  5. Ivanti Warns of Multiple Active Exploits Targeting VPN Appliances
    https://www.securityweek.com/ivanti-warns-of-multiple-active-exploits-targeting-vpn-appliances/
  6. Velvet Ant’s Persistence Tactics on Legacy F5 Devices
    https://www.crowdstrike.com/blog/velvet-ant-china-linked-threat-group-exploiting-legacy-f5-devices/
  7. F5 Patches Critical BIG-IP Vulnerabilities Under Active Exploitation
    https://www.darkreading.com/endpoint/f5-patches-critical-big-ip-vulnerabilities-under-active-exploitation
  8. China’s Cyber Strategy: Edge Infrastructure as Long-Term Access Points
    https://www.recordedfuture.com/research/chinas-cyber-strategy-edge-infrastructure
