DWAgent
DWAgent is a legitimate remote administration tool that threat actors deploy post-compromise to maintain persistent remote access to victim systems and to facilitate follow-on activity. Across the provided reporting, DWAgent is repeatedly described as being installed after initial access as a persistence mechanism and remote control utility, often alongside other dual-use tools such as AnyDesk, Earthworm, and SharpHound. Observed use cases include enabling persistent access, remote control of compromised endpoints, deployment of additional payloads, and support for Active Directory reconnaissance.
The tool appears in multiple intrusion sets and campaigns. Sophos reported Akira ransomware operators using DWAgent in at least one case after gaining access, typically in broader operations involving credential theft, lateral movement, data exfiltration, and in some cases ransomware deployment. Rapid7 reported a 2026 intrusion assessed with moderate confidence as a MuddyWater/Seedworm false-flag operation under Chaos ransomware branding, where attackers established persistence through DWAgent and AnyDesk after Microsoft Teams-based social engineering and credential harvesting; the DWAgent installation chain included dwagent.exe, pythonw.exe, dwagsvc.exe, and dwaglnc.exe. Cisco Talos and related reporting described China-linked UAT-8837 using DWAgent after exploiting vulnerable servers or using compromised credentials, including exploitation of Sitecore CVE-2025-53690, to maintain access, conduct reconnaissance, and support additional malware deployment. In Sitecore exploitation reporting, DWAgent was installed as a SYSTEM service for persistence and used alongside Earthworm tunneling and SharpHound AD mapping.
Infection vectors in the provided content are indirect: DWAgent is not described as the initial malware used for intrusion, but rather as a post-exploitation tool dropped after successful compromise. Documented precursor access methods include unauthorized VPN access, Microsoft Teams social engineering with credential theft and MFA manipulation, exploitation of public-facing applications such as Sitecore CVE-2025-53690, and use of compromised credentials.
High-confidence indicators and artifacts directly mentioned in the content include the executable and component names dwagent.exe, pythonw.exe, dwagsvc.exe, and dwaglnc.exe; installation as a persistent service, including as SYSTEM in one Sitecore-related case; and Sophos detection WIN-PER-PRC-DWAGENT-INSTALL-1. Targeting context associated with DWAgent usage in the provided reporting includes small and medium-sized businesses across multiple sectors in Akira incidents, and critical infrastructure organizations in North America in UAT-8837 activity.
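The artifacts above (the dwagent.exe / dwagsvc.exe / dwaglnc.exe / pythonw.exe install chain and installation as a SYSTEM service) translate directly into hunt logic. The following Python is an added example, not code from the page's sources or from Mallory: it applies those names to constructed Windows event records (Sysmon-style process creation and System log 7045 service installs) and flags a DWAgent service registered to run as LocalSystem separately from an ordinary install. The Event fields and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DWAgent components named in the reporting above, lower-cased for matching.
DWAGENT_BINARIES = {"dwagent.exe", "dwagsvc.exe", "dwaglnc.exe"}
# pythonw.exe is part of the install chain but is common on its own, so it is
# treated as a weak signal and only flagged when spawned by a DWAgent binary.
WEAK_BINARIES = {"pythonw.exe"}
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system", "system"}

@dataclass
class Event:                 # constructed, minimal event shape
    event_id: int            # 1 = process creation (Sysmon style), 7045 = service installed
    image: str = ""          # full path of the created process
    parent_image: str = ""   # parent process path
    service_path: str = ""   # ImagePath of the installed service
    account: str = ""        # account the service runs as

def basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def exe_from_command(cmd: str) -> str:
    # Pull the executable name out of a service ImagePath, quoted or not.
    m = re.search(r'([^\\/"\s]+\.exe)', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def classify(ev: Event) -> Optional[str]:
    """Return a finding label for DWAgent-related activity, or None."""
    if ev.event_id == 7045 and exe_from_command(ev.service_path) in DWAGENT_BINARIES:
        if ev.account.lower() in SYSTEM_ACCOUNTS:
            return "dwagent_service_install_as_system"
        return "dwagent_service_install"
    if ev.event_id == 1:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in DWAGENT_BINARIES:
            return "dwagent_process_start"
        if img in WEAK_BINARIES and parent in DWAGENT_BINARIES:
            return "dwagent_python_child"
    return None

def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]

SAMPLE_EVENTS = [  # constructed sample telemetry
    Event(7045, service_path=r'"C:\Program Files\DWAgent\native\dwagsvc.exe"', account="LocalSystem"),
    Event(1, image=r"C:\Program Files\DWAgent\runtime\pythonw.exe",
          parent_image=r"C:\Program Files\DWAgent\native\dwagsvc.exe"),
    Event(1, image=r"C:\Windows\System32\svchost.exe", parent_image=r"C:\Windows\System32\services.exe"),
    Event(1, image=r"C:\Users\user\Downloads\dwagent.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(1, image=r"C:\Python311\pythonw.exe", parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(idx, finding)
```

A hit on the SYSTEM-service label is the persistence pattern the Sitecore reporting describes and warrants checking whether the install was sanctioned; a bare dwagent_process_start may be legitimate administrator use and needs the surrounding context (parent, user, timing) before escalation.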
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
On September 3, 2025, a critical zero-day vulnerability (CVE-2025-53690) in the Sitecore Experience Platform sent shockwaves through the enterprise content management community. Exploited in the wild, this flaw allowed remote attackers to gain full control of vulnerable sites through ViewState deserialization attacks... Attackers were able to exploit this weakness, crafting malicious payloads that allowed them to execute arbitrary code on impacted servers.
Groups observed using it
2 distinct threat actors attributed by public researchers.
From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment.
DWAgent, to enable persistent remote access and Active Directory reconnaissance
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 2 techniques
Persistence: 3 techniques
The intrusion Rapid7 examined started through Microsoft Teams social engineering... and, in some cases, deployed AnyDesk for remote access.
Privilege Escalation: 2 techniques
Discovery: 1 technique
Lateral Movement: 2 techniques
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Legitimate remote management tool abused by the threat actor for persistence and remote control after credential compromise.
Legitimate remote administration tool abused for remote control and persistence (installed as a SYSTEM service) during post-exploitation activity.
A remote administration tool used to maintain access and facilitate deployment of additional payloads post-compromise.
A remote access tool used to maintain persistent access and assist with Active Directory reconnaissance.