A sophisticated Chinese-affiliated cyber espionage group tracked as UNC5221 has weaponized a previously underestimated vulnerability in Ivanti’s Connect Secure and Policy Secure products. The vulnerability, catalogued as CVE-2025-22457 and initially assessed as low risk, has been turned into a potent attack vector that enables unauthorized remote code execution and the deployment of two previously unidentified malware variants, Trailblaze and Brushfire, across compromised enterprise environments.
The adversarial campaign commenced immediately following Ivanti’s initial remediation efforts in February 2025, demonstrating the threat actor’s remarkable agility and sophisticated reverse-engineering capabilities. This incident underscores the increasingly prevalent targeting methodology employed by nation-state affiliated groups who systematically exploit edge security appliances to establish privileged access pathways into critical enterprise infrastructure.
In-Depth Vulnerability Assessment and Risk Reanalysis for Ivanti Security Systems
Ivanti Corporation first addressed the CVE-2025-22457 vulnerability as part of their February 2025 security update cycle, where the issue was classified with a relatively low severity rating based on preliminary technical analyses. The vulnerability was identified as a buffer overflow issue, initially believed to be manageable and limited in scope. Security researchers initially assessed that the flaw only allowed for restricted character inputs, primarily consisting of periods and numerical values, which led them to conclude that its exploitation would be limited to minor denial-of-service (DoS) attacks.
However, as more detailed forensic investigations and threat intelligence efforts unfolded, the situation took a dramatic turn. By April 3, 2025, Ivanti’s security teams had conducted a thorough reevaluation of the flaw after advanced exploitation tactics were discovered. These findings were largely attributed to the threat actor group UNC5221, which had been seen employing highly sophisticated methods to exploit the vulnerability. The new information revealed that attackers could leverage the flaw not only to perform denial-of-service attacks but also to achieve full remote code execution (RCE), which presented a far more significant risk to the security infrastructure.
The severity of the vulnerability was promptly reassessed, leading Ivanti to elevate its classification to “critical,” with an updated CVSS (Common Vulnerability Scoring System) score of 9.0 out of 10. This assessment was based on the increased exploitability of the flaw and its potential to lead to devastating security breaches. As a result, the company issued a subsequent urgent security update to address the critical nature of this vulnerability.
The products affected by this flaw span multiple generations of Ivanti’s security solutions, including Connect Secure version 22.7R2.5 and earlier releases, as well as Policy Secure in various deployment configurations. Additionally, Ivanti ZTA (Zero Trust Access) gateway solutions, as well as legacy Pulse Connect Secure installations (which had reached their end-of-life status as of December 31, 2024), were also vulnerable. This broad range of affected products further underscored the importance of swiftly addressing the vulnerability across a wide array of Ivanti’s security ecosystem.
Uncovering the True Exploitation Potential of CVE-2025-22457
Initially, the CVE-2025-22457 vulnerability was thought to be a low-risk issue that posed little threat to most users. The flaw’s classification as a low-severity vulnerability was largely due to its limited initial exploitation potential, which was believed to be restricted to denial-of-service scenarios that would not result in serious breaches. Denial-of-service attacks, while disruptive, were often viewed as less damaging in the context of more sophisticated cyberattacks.
However, the real threat became apparent only after further examination by security teams and researchers. The involvement of advanced threat actors, such as UNC5221, brought to light a much more dangerous set of circumstances. These cybercriminals demonstrated that the vulnerability could be leveraged to execute arbitrary code remotely, bypassing security measures entirely. This form of attack allows malicious actors to run arbitrary commands on a target system, potentially gaining full administrative control. Such an exploit could lead to severe ramifications, including unauthorized data access, system takeover, and data exfiltration.
The capabilities for remote code execution (RCE) resulting from this vulnerability meant that attackers could potentially manipulate systems to install malicious payloads, enabling persistent access to affected networks. Moreover, this form of attack could be used to pivot across the network, launching further attacks on other connected systems or compromising additional infrastructure. Thus, the original assessment of the flaw as low-severity failed to capture its true potential for exploitation, prompting a reassessment of both the threat level and the necessary security measures.
The Role of Advanced Persistent Threats in the Exploitation of Ivanti Products
One of the key revelations in the reevaluation of CVE-2025-22457 was the involvement of advanced persistent threats (APTs), particularly UNC5221, a known cybercriminal group. APTs are characterized by their strategic, long-term approach to cyberattacks, often targeting specific organizations or sectors for espionage, data theft, or other malicious activities. These groups are typically highly skilled and well-resourced, employing advanced techniques that make detection and mitigation efforts significantly more challenging.
UNC5221’s ability to exploit the Ivanti vulnerability using sophisticated manipulation methods highlighted the evolving nature of cyber threats. Unlike traditional cybercriminals who may rely on simpler attack vectors, APT groups like UNC5221 are adept at identifying and exploiting even the most obscure vulnerabilities. Their exploitation of CVE-2025-22457 served as a stark reminder that even seemingly low-risk vulnerabilities could be transformed into serious security threats when combined with the resources and capabilities of advanced threat actors.
The discovery of these advanced exploitation techniques underscored the need for constant vigilance and adaptive security strategies. As attackers continue to refine their tactics, organizations must continuously monitor and assess their security postures to ensure they are adequately protected against the evolving threat landscape.
The Immediate Impact on Ivanti’s Product Portfolio
Ivanti’s product portfolio includes a range of security solutions designed to protect enterprise environments, from remote access tools like Connect Secure and Pulse Connect Secure to more advanced solutions like Policy Secure and Ivanti ZTA. The vulnerability in question affected all versions of Connect Secure prior to 22.7R2.5, as well as various deployment configurations of Policy Secure. Additionally, the vulnerability impacted Ivanti’s Zero Trust Access (ZTA) solutions, which are integral to modern cybersecurity strategies aimed at minimizing the risk of unauthorized access.
As the flaw’s severity was reevaluated, the immediate consequences of its exploitation became clear. Any organization using affected Ivanti products faced a significant risk of a successful attack, potentially leading to the compromise of sensitive data, the disruption of critical services, or even the loss of control over entire systems. The widespread use of Ivanti’s security solutions, combined with the high likelihood of sophisticated attacks leveraging this vulnerability, made it imperative for affected organizations to update their systems without delay.
The vulnerability’s impact was also compounded by the fact that Pulse Connect Secure 9.x versions had already reached their end-of-life status as of December 31, 2024. This meant that users of these legacy products no longer had access to regular security updates, leaving them particularly vulnerable to attack. Organizations that had not yet migrated to more recent versions of Ivanti’s products were at an increased risk of exploitation, and in many cases, may have been unaware of the critical nature of the vulnerability.
The Response to the Threat: Immediate Patches and Long-Term Security Strategies
In response to the updated risk assessment, Ivanti moved quickly to release a security patch that addressed the vulnerability. This patch was critical in preventing attackers from exploiting CVE-2025-22457 for remote code execution and other malicious activities. Ivanti also emphasized the need for organizations to apply the update as soon as possible, given the increased likelihood of sophisticated cyberattacks targeting the flaw.
Beyond the immediate patch, Ivanti’s response to the incident also included enhanced threat intelligence sharing with the broader cybersecurity community. This information allowed other organizations to strengthen their defenses and better understand the potential exploitability of similar vulnerabilities in their own systems. Ivanti also conducted a comprehensive review of its security processes and began implementing more rigorous testing protocols to identify and address vulnerabilities more proactively in the future.
Organizations that rely on Ivanti’s products were advised to update their systems to the latest available versions and ensure that their security measures were in line with industry best practices. This includes the use of multi-factor authentication (MFA), network segmentation, regular vulnerability assessments, and enhanced monitoring of unusual activity. Additionally, organizations were encouraged to begin migrating away from end-of-life products like Pulse Connect Secure 9.x, as continuing to use unsupported systems could expose them to significant risks.
Preparing for Future Vulnerabilities: A Holistic Security Approach
The CVE-2025-22457 incident underscores the need for a more comprehensive and proactive approach to cybersecurity. The discovery of the vulnerability, followed by its rapid escalation from a low-severity issue to a critical security flaw, highlights the challenges organizations face in managing vulnerabilities in an ever-evolving threat landscape. It is no longer sufficient to simply patch known vulnerabilities; organizations must also be prepared to respond to emerging threats and exploit techniques that may not yet be well understood.
A holistic approach to cybersecurity involves more than just technical measures; it also requires a strong organizational culture of security awareness. Regular employee training, robust incident response plans, and ongoing threat intelligence monitoring are all essential components of a well-rounded cybersecurity strategy. Moreover, organizations should consider adopting a “zero trust” security model, which assumes that no user or device, whether inside or outside the network, can be trusted without continuous validation.
Looking forward, it is critical for organizations to partner with cybersecurity experts, leverage the latest threat intelligence, and continually assess their security posture to stay one step ahead of attackers. The CVE-2025-22457 vulnerability serves as a reminder of the ever-present risks that cybersecurity professionals must contend with and the importance of maintaining a proactive, dynamic defense strategy.
Attribution of the Exploitation Campaign to UNC5221
The cyber exploitation campaign targeting Ivanti products, specifically the CVE-2025-22457 vulnerability, has been conclusively attributed to the threat group known as UNC5221. This group is widely recognized as a persistent and highly sophisticated actor engaged in cyber espionage operations, with longstanding ties to state-sponsored intelligence initiatives, particularly those associated with the Chinese government. Over the years, UNC5221 has demonstrated remarkable technical expertise and strategic patience, making it one of the most formidable adversaries in the realm of cyber threats.
UNC5221 is primarily focused on targeting critical infrastructure components and enterprise-level security systems, typically leveraging zero-day vulnerabilities for their operations. Zero-day vulnerabilities are security flaws that are unknown to the vendor or public, making them highly valuable for exploitation by cybercriminal groups and state-sponsored actors. The group’s reliance on these vulnerabilities indicates a high level of sophistication and intent to maintain a covert and long-term presence within targeted environments.
Their exploitation campaign against Ivanti began shortly after the February 2025 security patch release, demonstrating the group’s ability to swiftly identify and exploit newly discovered vulnerabilities. This operational speed highlights the advanced capabilities of UNC5221 in rapidly analyzing and reverse-engineering software, enabling them to manipulate specific code segments and transform a relatively minor flaw, such as the buffer overflow condition in CVE-2025-22457, into a highly effective remote code execution (RCE) vector.
UNC5221’s Operational Tactics and Reverse Engineering Capabilities
One of the most alarming aspects of the UNC5221 exploitation campaign is the group’s sophisticated methodology for exploiting vulnerabilities. According to joint analysis conducted by Ivanti’s internal security team and Mandiant’s threat intelligence division, UNC5221 operatives wasted little time in launching their attack. They initiated their exploitation activities within a matter of days after Ivanti released the security patch for CVE-2025-22457. This rapid timeline is indicative of the group’s highly specialized skill set and its focused, methodical approach to exploiting vulnerabilities.
The group’s operational tactics involved conducting a comprehensive differential analysis between the vulnerable and patched versions of the software. This process allowed them to pinpoint specific code sections that had been modified in the patch and identify which parts of the code could still be manipulated to turn the buffer overflow condition into a more reliable and dangerous remote code execution mechanism. Such precision suggests a level of expertise in reverse engineering that few threat groups possess.
Reverse engineering is a technique used by threat actors to dissect and analyze software to understand its inner workings, often with the goal of discovering security flaws that can be exploited. For UNC5221, this approach has become a cornerstone of their exploitation methodology. By carefully analyzing security updates and patches, they can identify subtle changes in the code that are not immediately apparent, giving them a critical advantage in their attempts to breach the target system.
This level of proficiency in reverse engineering indicates that UNC5221 has access to highly skilled personnel with specialized knowledge in software vulnerabilities, exploit development, and security patch analysis. Moreover, the group’s ability to analyze and reverse-engineer patched software in such a short time frame points to a significant investment in dedicated resources aimed at continuously refining their exploitation capabilities.
Analysis of UNC5221’s Targeting Strategies and Long-Term Objectives
The primary objective of UNC5221’s exploitation campaign is likely to gain persistent access to critical infrastructure systems and enterprise security solutions. By exploiting zero-day vulnerabilities like CVE-2025-22457, the group aims to infiltrate highly secured networks, steal sensitive information, and potentially disrupt critical services. UNC5221 is known for its focus on long-term strategic espionage, preferring to maintain a quiet, enduring presence in compromised systems rather than engaging in short-term disruptive activities.
This strategy is consistent with the broader goals of many state-sponsored threat groups, which seek to collect intelligence over long periods, often with the intention of using that data for future political, economic, or military advantage. In the case of UNC5221, the exploitation of Ivanti products may be just one facet of a much broader campaign aimed at gaining access to vital information housed within enterprise security systems.
While immediate damage from their attacks may be limited, the long-term consequences of a successful UNC5221 intrusion can be far-reaching. The group’s ability to gain and maintain remote code execution access gives them unparalleled control over compromised networks, enabling them to exfiltrate large volumes of data, deploy further exploits, or potentially manipulate critical infrastructure systems in ways that could go unnoticed for months or even years.
This kind of operational patience is what sets UNC5221 apart from many other cybercriminal groups. Rather than seeking to exploit vulnerabilities for quick gains, the group appears to be more focused on ensuring that its presence remains undetected while strategically collecting information for future use.
The Role of Zero-Day Vulnerabilities in UNC5221’s Strategy
Zero-day vulnerabilities are a prized commodity in the world of cyber espionage, and UNC5221 has shown a consistent pattern of exploiting these flaws as part of its operations. The use of zero-day vulnerabilities, such as the CVE-2025-22457 buffer overflow flaw, aligns with the group’s strategic objectives of gaining unauthorized access to secure systems without triggering immediate detection.
Zero-day vulnerabilities are particularly attractive to cybercriminal groups and state-sponsored threat actors because they offer an immediate and often undetectable way to infiltrate a target system. When a zero-day flaw is discovered, the vendor typically has no prior knowledge of the vulnerability, and users are unaware of the threat until a patch is made available. This gives attackers a window of opportunity to exploit the vulnerability without being detected by traditional security measures.
In the case of Ivanti’s security systems, UNC5221 took advantage of this window of opportunity by quickly analyzing the patch released by the company and reverse-engineering the software to identify any residual weaknesses. Their ability to act so quickly demonstrates the group’s high level of expertise and access to extensive resources that allow them to stay ahead of the curve when it comes to identifying new attack vectors.
This reliance on zero-day vulnerabilities also speaks to the broader nature of state-sponsored cyber espionage, where intelligence agencies often dedicate substantial resources to discovering and exploiting security flaws in enterprise-level systems. By continuously seeking out and exploiting zero-day vulnerabilities, groups like UNC5221 can maintain an ongoing presence in targeted environments, often without raising any immediate suspicion.
The Impact of UNC5221’s Exploitation on Enterprise Security
The campaign led by UNC5221 has profound implications for the cybersecurity landscape, particularly for organizations that rely on Ivanti products and similar enterprise security systems. The group’s ability to swiftly exploit CVE-2025-22457 and transform it into a remote code execution vulnerability demonstrates just how vulnerable even the most robust security infrastructures can be when facing advanced, state-sponsored threat actors.
For enterprises using Ivanti’s security solutions, the implications of this attack are far-reaching. If successful, the exploitation of CVE-2025-22457 could result in unauthorized access to sensitive data, disruption of business operations, and severe financial and reputational damage. Even organizations that have applied security patches could find themselves at risk if they fail to fully mitigate the vulnerabilities associated with the threat.
Moreover, the involvement of a group like UNC5221 further highlights the evolving nature of cyber threats. Unlike financially motivated cybercriminals, who may be interested in immediate financial gain, state-sponsored actors like UNC5221 are often more focused on strategic, long-term objectives. This means that even after the immediate exploit is addressed, organizations must remain vigilant for the possibility of follow-up attacks or additional exploits that could be launched at a later time.
Given the sophisticated nature of UNC5221’s operations, it is critical for organizations to adopt a more proactive approach to security. This includes not only regularly patching vulnerabilities but also conducting thorough security assessments, improving incident detection capabilities, and continuously monitoring for unusual activity within their networks.
Enhancing Cyber Defenses Against Sophisticated Threats
The UNC5221 exploitation campaign serves as a stark reminder of the importance of strengthening defenses against advanced, state-sponsored cyber threats. Traditional cybersecurity measures may no longer be sufficient in the face of well-funded and highly skilled adversaries. As seen with the CVE-2025-22457 vulnerability, even seemingly minor vulnerabilities can be exploited by sophisticated groups with the resources and technical expertise to reverse-engineer and manipulate software for their own purposes.
Organizations should prioritize the implementation of advanced security protocols, such as multi-factor authentication (MFA), network segmentation, and behavior-based threat detection. Additionally, regular vulnerability assessments and penetration testing can help identify weaknesses in systems before they are discovered and exploited by threat actors like UNC5221. A zero-trust security model, where no entity—whether inside or outside the network—is trusted by default, can also help minimize the risk of successful exploitation.
Collaboration between threat intelligence organizations, like Ivanti and Mandiant, is also essential in staying ahead of emerging threats. By sharing intelligence and coordinating responses, cybersecurity teams can better prepare for and defend against sophisticated attacks. This collaboration not only strengthens individual organizations but also contributes to the broader cybersecurity ecosystem.
Advanced Malware Arsenal and Deployment Mechanisms
Mandiant’s forensic investigation teams have identified two previously unknown malware families deployed by UNC5221 during their exploitation campaigns. These sophisticated tools demonstrate advanced evasion techniques and persistent access methodologies designed to maintain long-term presence within compromised environments.
Trailblaze represents a highly sophisticated in-memory dropper component engineered to operate entirely within system memory without creating persistent filesystem artifacts. This malware variant employs advanced anti-forensic techniques to avoid detection by traditional endpoint security solutions while facilitating the deployment of secondary payload components. The dropper utilizes sophisticated process injection methodologies and memory manipulation techniques to establish covert execution contexts within legitimate system processes.
Brushfire functions as a passive backdoor mechanism designed to provide UNC5221 operatives with persistent, covert access to compromised systems. This malware variant implements sophisticated command and control communication protocols that mimic legitimate network traffic patterns to evade network-based detection mechanisms. The backdoor incorporates advanced encryption schemes and traffic obfuscation techniques to maintain operational security during extended compromise periods.
In addition to these newly discovered malware families, UNC5221 has deployed several previously identified tools from their established arsenal: Spawnsloth, a specialized log manipulation utility designed to eliminate forensic evidence of unauthorized activities; Spawnsnare, an advanced encryption utility employed for secure data exfiltration operations; and Spawnant, a sophisticated malware installation framework that facilitates the deployment of additional payload components across compromised infrastructure.
Comprehensive Remediation Strategy and Implementation Guidelines
Ivanti has issued urgent remediation guidance requiring immediate implementation across all affected infrastructure deployments. Organizations utilizing vulnerable Ivanti products must prioritize upgrading to Connect Secure version 22.7R2.6, which was released in February 2025 and includes comprehensive protections against CVE-2025-22457 exploitation attempts.
Critical remediation procedures mandate complete factory reset operations for all potentially compromised appliances, followed by comprehensive reconfiguration using the updated software version. This approach ensures complete elimination of any persistent malware components that may have been installed during compromise periods. Organizations must also prioritize migration away from legacy Pulse Connect Secure 9.x deployments, which no longer receive security updates and remain vulnerable to exploitation.
Additional security updates for Policy Secure implementations were scheduled for release on April 21, 2025, while ZTA Gateway patches became available on April 19, 2025. Organizations must implement these updates immediately upon availability to ensure comprehensive protection against ongoing exploitation attempts.
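The remediation guidance above can be applied to an appliance inventory with a short script. The following is an added example, not code from Ivanti or Mandiant: it parses Ivanti-style version strings and sorts each appliance into an action bucket using only the versions and dates stated in this article (Connect Secure 22.7R2.5 and earlier affected, 22.7R2.6 fixed, Pulse Connect Secure 9.x end-of-life). The hostnames, the inventory rows, the status labels and the Policy Secure and ZTA version numbers are constructed for illustration.

```python
"""Triage an appliance inventory against the versions named in this article."""
import re

# From the article: Connect Secure 22.7R2.5 and earlier are affected and
# 22.7R2.6 carries the fix. No fixed version is given for Policy Secure or
# ZTA Gateway, so those products are flagged by release date only.
CONNECT_SECURE_FIXED = "22.7R2.6"

# Ivanti-style version string: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

# Most urgent status first; used to order the summary.
_ORDER = ["VULNERABLE", "END_OF_LIFE", "VENDOR_UPDATE",
          "UNKNOWN", "FIXED", "OUT_OF_SCOPE"]


def parse_version(text):
    """Return (major, minor, release, patch); raise ValueError if malformed."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    # A missing patch component ("22.7R2") is treated as patch level 0.
    return tuple(int(part) if part is not None else 0
                 for part in match.groups())


def triage(product, version):
    """Map one inventory row to a (status, action) pair."""
    name = " ".join(product.lower().split())
    try:
        parsed = parse_version(version)
    except ValueError:
        # Never treat an unreadable version as patched.
        return ("UNKNOWN", "verify the running version by hand")

    if name == "pulse connect secure":
        if parsed[0] == 9:
            return ("END_OF_LIFE",
                    "migrate off 9.x; no security updates since 2024-12-31")
        return ("UNKNOWN", "legacy product line; confirm support status")

    if name == "connect secure":
        if parsed < parse_version(CONNECT_SECURE_FIXED):
            return ("VULNERABLE",
                    f"upgrade to {CONNECT_SECURE_FIXED}; factory reset "
                    "if compromise is suspected")
        return ("FIXED", "no version action; keep monitoring")

    if name == "policy secure":
        return ("VENDOR_UPDATE",
                "apply the Policy Secure update (scheduled 2025-04-21)")
    if name in ("zta gateway", "zta"):
        return ("VENDOR_UPDATE",
                "apply the ZTA Gateway patch (available 2025-04-19)")

    return ("OUT_OF_SCOPE", "product not named in the article")


def summarise(inventory):
    """Group hostnames by status, most urgent status first."""
    grouped = {}
    for host, product, version in inventory:
        status, _action = triage(product, version)
        grouped.setdefault(status, []).append(host)
    return {s: sorted(grouped[s]) for s in _ORDER if s in grouped}


# Constructed inventory: hostnames and the non-Connect-Secure version
# numbers are placeholders, not values taken from the article.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Connect Secure", "22.7R2.5"),
    ("vpn-edge-02", "Connect Secure", "22.7R2.6"),
    ("vpn-dr-01", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-01", "Policy Secure", "22.7R1.3"),
    ("ztna-gw-01", "ZTA Gateway", "22.8R2"),
    ("vpn-lab-01", "Connect Secure", "unknown"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        status, action = triage(product, version)
        print(f"{host:12} {product:22} {version:10} {status:14} {action}")
    print(summarise(SAMPLE_INVENTORY))
```

A row whose version cannot be parsed lands in UNKNOWN rather than FIXED, so a malformed inventory export cannot hide an unpatched appliance.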
Strategic Analysis of Edge Device Targeting Methodologies
The UNC5221 campaign exemplifies the increasingly sophisticated targeting of edge security infrastructure by advanced persistent threat groups. VPN concentrators, firewall appliances, and network security gateways represent high-value targets for threat actors due to their privileged position within enterprise network architectures and their extensive access to internal systems and data flows.
Successful compromise of edge security devices enables threat actors to circumvent traditional perimeter defense mechanisms and establish persistent presence within target environments. These compromised systems often provide attackers with capabilities including bypassing multi-factor authentication requirements, establishing covert communication channels that appear as legitimate administrative traffic, deploying persistent backdoor mechanisms that survive system reboots and security tool deployments, facilitating lateral movement across internal network segments, and launching comprehensive data exfiltration operations targeting sensitive enterprise information.
Historical Context and Pattern Analysis
UNC5221’s targeting of Ivanti infrastructure represents part of a broader campaign spanning multiple years and involving the exploitation of numerous zero-day vulnerabilities within Ivanti’s product portfolio. Previous exploitation activities include the weaponization of CVE-2025-0282 and CVE-2025-0283 vulnerabilities affecting Connect Secure VPN implementations, which were publicly disclosed in January 2025, and the earlier exploitation of CVE-2023-46805 and CVE-2024-21887 vulnerabilities during previous campaign phases.
The United States Cybersecurity and Infrastructure Security Agency has issued specific warnings regarding UNC5221’s deployment of additional malware variants, including a sophisticated tool designated as Resurge, which demonstrates the group’s extensive malware development capabilities and strategic focus on maintaining persistent access to compromised infrastructure.
Comprehensive Detection and Response Recommendations
Organizations must implement comprehensive detection and response capabilities specifically designed to identify potential compromise indicators associated with UNC5221’s exploitation methodologies. Network monitoring systems should be configured to detect unusual administrative access patterns, unexpected process execution within security appliance environments, anomalous network traffic patterns that may indicate command and control communication, and unauthorized configuration modifications to critical security infrastructure.
Incident response procedures should incorporate specific protocols for handling edge device compromises, including immediate isolation of suspected compromised systems, comprehensive forensic imaging of affected appliances, detailed analysis of system logs and configuration changes, and coordinated threat hunting activities across internal network segments to identify potential lateral movement indicators.
Industry-Wide Implications and Strategic Considerations
The CVE-2025-22457 exploitation campaign highlights several critical challenges facing enterprise cybersecurity programs in contemporary threat environments. The rapid transition from low-risk assessment to critical exploitation demonstrates the dynamic nature of vulnerability threat landscapes and the importance of maintaining continuous monitoring capabilities for all security infrastructure components.
Organizations must recognize that initial vulnerability assessments may not accurately reflect actual exploitation potential, particularly when sophisticated nation-state actors dedicate significant resources to developing novel exploitation techniques. This reality necessitates the implementation of defense-in-depth strategies that assume potential compromise of edge security devices and include multiple layers of detection and response capabilities throughout enterprise environments.
Advanced Threat Intelligence Integration
Effective defense against sophisticated threat groups like UNC5221 requires comprehensive integration of threat intelligence capabilities into organizational security programs. Security teams must maintain awareness of evolving threat actor tactics, techniques, and procedures while implementing proactive threat hunting activities designed to identify early indicators of advanced persistent threat activity.
Intelligence sharing initiatives with industry partners and government agencies provide critical insights into emerging threat patterns and enable more effective collective defense strategies. Organizations should participate in relevant threat intelligence sharing communities and implement automated threat intelligence feeds to enhance their situational awareness capabilities.
Long-term Security Architecture Considerations
The UNC5221 campaign underscores the importance of implementing comprehensive security architecture designs that assume potential compromise of edge security devices. Zero-trust architectural principles provide essential frameworks for limiting the impact of edge device compromises by implementing granular access controls, continuous authentication requirements, and comprehensive monitoring throughout enterprise environments.
Organizations should evaluate their current security architectures to identify potential single points of failure and implement additional security controls that can detect and contain advanced persistent threats even when perimeter defenses have been compromised. This approach includes implementing comprehensive network segmentation strategies, deploying advanced endpoint detection and response capabilities across all system types, and establishing robust incident response procedures specifically designed to handle sophisticated nation-state attacks.
Conclusion:
The exploitation of CVE-2025-22457 by UNC5221 serves as a critical reminder that cybersecurity threats continue to evolve in sophistication and impact. This incident demonstrates that even vulnerabilities initially assessed as low-risk can become devastating attack vectors when exploited by determined and sophisticated adversaries.
Organizations utilizing Ivanti products must implement immediate remediation activities while also conducting comprehensive security assessments to identify potential indicators of compromise. The incident highlights the critical importance of maintaining current patch levels across all security infrastructure components and implementing comprehensive monitoring capabilities designed to detect sophisticated attack methodologies.
Furthermore, this campaign underscores the strategic importance of implementing comprehensive threat intelligence programs and maintaining awareness of evolving nation-state threat actor capabilities. Organizations must recognize that advanced persistent threat groups will continue to target edge security infrastructure and must implement defensive strategies that account for potential compromise of these critical systems.
The cybersecurity community must continue to enhance collaborative defense initiatives and information sharing programs to effectively counter sophisticated nation-state threats. Only through coordinated efforts and comprehensive defensive strategies can organizations effectively protect their critical infrastructure against the evolving threat landscape represented by groups like UNC5221.