Customer Advisory: Suspected Chinese Threat Actors Exploit Ivanti Connect Secure Vulnerability CVE-2025-0282 as a Zero-Day, Deploying Malware and Exfiltrating Data

Source Material: Mandiant | Targeted Industries: All

The Bottom Line

• Threat actors exploited a zero-day vulnerability (CVE-2025-0282) in Ivanti Connect Secure appliances, enabling unauthenticated remote code execution, malware deployment, and credential harvesting.
• Multiple malware families, including SPAWN (e.g., SPAWNANT, SPAWNMOLE) and previously unobserved malware (PHASEJAM dropper and DRYHOOK credential harvester), were used to compromise appliances and evade detection.
• Mandiant attributes this activity to the China-nexus intrusion set UNC5337, which has been linked to the SPAWN malware family and other exploits targeting Ivanti appliances.
• Techniques included disabling SELinux, tampering with system logs, and blocking legitimate system upgrades while maintaining persistence through malware capabilities and web shell deployment.
• Threat actors performed internal reconnaissance, lateral movement, and exfiltrated sensitive data, including user credentials, configuration files, and authentication data, increasing the risks of further attacks.
• Ivanti advises using their Integrity Checker Tool (ICT) to detect suspicious activity and contact support if anomalies are found. Organizations should strengthen access controls, adopt a layered security approach, implement a zero-trust model, and harden systems and application whitelisting.

The Rundown

Threat actors exploited a zero-day vulnerability in Ivanti Connect Secure to deploy malware, harvest credentials, and exfiltrate sensitive data. If successfully exploited, the vulnerability, now tracked as CVE-2025-0282, allows unauthenticated remote code execution, potentially compromising downstream networks. This is a developing campaign that Mandiant and Ivanti are analyzing. As additional details are identified, Mandiant’s blog post will be updated.

The recent exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances as a zero-day is a significant security concern for organizations. It also represents the risks posed by cyber threats targeting critical infrastructure components like VPN appliances. This exploitation demonstrates that the vulnerability is a viable entry point for attackers, increasing the likelihood that other threat actors may exploit it to gain unauthorized access. The involvement of sophisticated threat actors deploying advanced and unobserved malware underscores the necessity for heightened vigilance and proactive security measures. Organizations must swiftly mitigate these risks to protect their networks, data, and operational integrity.

Mandiant observed exploitation targeting multiple Connect Secure appliances from various organizations. On at least one appliance, threat actors deployed malware from the SPAWN malware family, which includes the SPAWNANT installer, SPAWNMOLE tunneler, the SPAWNSNAIL SSH backdoor, and the SPAWNSLOTH log tampering utility. In addition to the SPAWN malware family, previously unobserved malware, the PHASEJAM dropper, and the DRYHOOK credential harvester have been found on compromised appliances.

Mandiant attributed the exploitation to the China-nexus intrusion set UNC5337, a cluster of activity assessed with moderate confidence to be part of UNC5221. However, multiple actors may be responsible for creating and deploying these various malware families. UNC5337 is the only cluster known to have deployed SPAWN on Ivanti Connect Secure appliances. They exploited Connect Secure in January 2024 when they exploited CVE-2024-21887. UNC5221 is a suspected China-nexus espionage-focused intrusion set that exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN and Ivanti Policy Security appliances as early as December 2023.

If you have questions or feedback about this intelligence, you can submit them here.

Analysis

The exploitation of Ivanti Connect Secure appliances began with reconnaissance activities. The threat actors repeatedly sent HTTP requests to specific URLs (/dana-cached/hc/hc_launcher.<version number>.jar), likely used to determine software versions. Requests to URLs matching this pattern that originate from VPS providers or Tor networks, especially in sequential version order, may indicate pre-exploitation reconnaissance.

Then, the actors exploited the vulnerability. While exact details of how the threat actors exploited the vulnerability have not been disclosed, exploitation likely involved HTTP requests to the identified vulnerable appliances.

While several post-exploitation chains have been observed, they generally follow the same order. First, the threat actors disable SELinux, use iptables to block syslog forwarding and remount the drive as read-write. 

Then, the actors use a shell script to echo a Base-64-encoded script into /tmp/.t. Then, they write a Base64-encoded ELF binary into /tmp/svb. This binary executes /tmp/s, the PHASEJAM dropper. Then, the svb file is overwritten with 0s, and /tmp/.t is removed.

PHASEJAM inserts a web shell to the files getComponent.cgi and restAuth.cgi. It also blocks system upgrades and overwrites the remotedebug executable, renaming it to remotedebug.bak, so it can execute arbitrary commands when a new -c parameter is passed. SPAWNANT also writes a web shell to compcheckresult.cgi. 

The threat actors performed additional defense evasion activities, including:

• Clearing kernel messages using dmesg and the debug logs.
• Deleting state dumps (troubleshoot information packages) and any core dumps.
• Removing log application event log entries related to syslog failures, internal ICT failures, crash traces, and certificate handling errors.
• Removing executed commands from the SELinux audit log.

If an administrator attempts to upgrade Connect Secure, PHASEJAM can prevent the legitimate upgrade and display a fake upgrade process that shows each upgrade step along with various sequences of dots to mimic a running process. The SPAWN malware family also has the capability to persist across system upgrades. However, SPAWN does not block the upgrade process; instead, SPAWNANT migrates its components to the new upgrade partition. SPAWNANT also can recalculate the SHA256 hash for any maliciously modified files.

Analyst Note: The SPAWN malware family includes the SPAWNANT installer, named libupgrade.so in this attack, the SPAWNMOLE tunneler (libsocks5.so), the SPAWNSNAIL SSH backdoor (libsshd.so), and the SPAWNSLOTH log tampering utility (liblogblock.so)

After establishing an initial foothold, the threat actors deployed various tunnelers that facilitate communication between the compromised appliance and the threat actor’s command and control infrastructure. Regarding SPAWNMOLE, it monitors traffic and filters out malicious traffic, tunneling it to a host provided by an attacker in the buffer.

The threat actors used several tools to perform internal network reconnaissance, including the Ivanti Connect Secure built-in tools nmap and dig. They also used the LDAP service account, if configured, to perform LDAP queries and to move laterally within the network through SMB or RDP. 

Once the threat actors gained initial access, maintained access, mapped the network, and evaded defenses, they exfiltrated the Ivanti Connect Secure database cache by staging the archived data in a directory served by the public-facing web server. The database cache may contain data related to users and authentications, configurations and networks, clients and sessions, and internal resources and applications. 

This type of data provides a wealth of sensitive information that could be exploited to gain deeper access to the victim’s environment, gather intelligence, or facilitate further attacks. The threat actors also deployed DRYHOOK, a Python script that modifies the Ivanti Connect Secure component DSAuth.pm to harvest credentials. 

Actions & Recommendations

Deepwatch experts continuously monitor for threats to our customers and their environments. Based on our intelligence analysis of the source material, the Adversary Tactics and Intelligence team may develop and update detection signatures and add malicious observables to our indicator feeds. 

Ivanti recommends using their external and internal Integrity Checker Tool (“ICT”) and contacting Ivanti Support if suspicious activity is identified. Mandiant has provided screenshots showing the difference between a successful scan (uncompromised) and an unsuccessful scan (compromised).

We recommend the following actions to enhance cyber resilience:

• Regularly update and patch systems: Ensure all software and systems are regularly updated and patched to protect against known vulnerabilities and perform routine vulnerability assessments and penetration tests to identify and address potential security weaknesses.
• Robust access controls and monitoring:
  • Enforce strong authentication (preferably multi-factor authentication) for all remotely accessible services, at minimum, and restrict access based on IP whitelisting or VPN requirements.
  • Limit user access to only what is necessary for their role and implement just-in-time access for higher-level access, ensuring privileges are granted only when necessary and for a limited duration.
  • Review and audit account permissions regularly, disable inactive accounts, and enforce the principle of least privilege. Restrict the creation of new user accounts to select administrators and monitor logs for new account creation activity.
• Layered security controls: Deploy multiple layers of security, including firewalls, Endpoint Detection and Response (EDR), intrusion detection/prevention systems (IDS/IPS), antivirus, and behavioral monitoring.
• Zero-trust security model: Adopt a zero-trust security model that assumes all users, devices, and networks are untrusted by default. Implement micro-segmentation, robust authentication, and continuous verification to limit access and reduce the attack surface.
• System and service hardening: Harden system service configurations by disabling unnecessary services and configuring security settings to prevent unauthorized changes. Ensure all systems, applications, and devices are configured according to security best practices and audit these configurations regularly.
• Application and task whitelisting: Implement strict whitelisting to prevent unauthorized applications from executing. Regularly audit scheduled tasks and jobs for unauthorized entries and restrict modifications to administrators only.
• Endpoint and registry monitoring: Monitor and restrict changes to registry run keys and startup folders using endpoint security tools that can detect and block unauthorized modifications. Monitor WMI activity and restrict execution to trusted administrators via Group Policy.
• Disable and/or restrict the use of scripting engines. To enhance the security of your environment, it is crucial to restrict or disable scripting engines that are frequently abused by threat actors.
  • For PowerShell, ensure it is accessible only to specific administrative accounts to reduce the attack surface. Additionally, decouple .ps1 file associations with PowerShell unless essential for business purposes. If .ps1 scripts are required, configure PowerShell to execute them exclusively from a designated folder, ensuring all related scripts are stored in a controlled location.
  • For Windows Management Instrumentation (WMI), actively monitor and track the creation of event filters, consumers, and bindings that are rarely used by legitimate software and may indicate malicious activity. If Windows Script Host (WSH) is not needed, consider disabling it; otherwise, remove file associations with potentially dangerous extensions to reduce the risk of exploitation. Similarly, restrict or eliminate the use of Microsoft HTML Applications (MSHTA), which is another commonly exploited component.
  • To further harden your defenses, leverage Endpoint Detection and Response (EDR) capabilities to implement application block rules for PowerShell, WMIC, WSH, MSHTA, and AutoIt. These measures collectively reduce the risk of unauthorized scripting activity and strengthen your organization’s overall cybersecurity posture.
• Detection and monitoring of known threats: Ensure that detection rules and security solutions can monitor malicious behavior described and consider blocking known computed indicators associated with these attacks.

Technical Artifacts

We recommend that all organizations retrospectively hunt for malicious activity, which may indicate compromise, using the Be On the Lookout (BOLO) guidance provided below:

• Repeated web requests matching the following URI structures below (especially from Tor or VPS sources)
  • /dana-cached/hc/hc_launcher.22.7.2.2615.jar
  • /dana-cached/hc/hc_launcher.22.7.2.3191.jar
  • /dana-cached/hc/hc_launcher.22.7.2.3221.jar
  • /dana-cached/hc/hc_launcher.22.7.2.3431.jar
• Usage of or artifacts from the following commands used to modify the system firewall, disable selinux, and remount the root partition with write privileges:
  • setenforce 0
  • iptables -A OUTPUT -p udp –dport 514 -j DROP
  • iptables -A OUTPUT -p tcp –dport 514 -j DROP
  • iptables -A OUTPUT -p udp –dport 6514 -j DROP
  • iptables -A OUTPUT -p tcp –dport 6514 -j DROP
  • mount -o remount,rw /
• Usage of the following commands or their presence in rare script files (especially in /tmp/)
  • export LD_LIBRARY_PATH=/home/lib/;export DSINSTALL=/home;
  • export PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/home/bin:/home/venv3/bin/;
  • dmesg -C;bash /tmp/s>/tmp/kN;
  • /bin/chmod 6777 /tmp/svb;
  • /tmp/svb;
  • /bin/dd count=1 bs=4096 if=/dev/zero of=/tmp/svb;
  • /bin/chmod 666 /tmp/svb;
  • /bin/rm -rf /tmp/.t;
  • sed -i ‘s/popen(\*FH, \$prog);/processUpgradeDisplay(\$prog, \$console, \$html);return 0;popen(\*FH, \$prog);/g’ /home/perl/DSUpgrade.pm
  • grep -q ‘sub processUpgradeDisplay()’ || echo “$up” >> /home/perl/DSUpgrade.pm
  • cp /lib/libupgrade.so /tmp/data/root/lib
  • cp /home/lib/libsocks5.so /tmp/data/root/home/lib
  • cp /home/lib/libsshd.so /tmp/data/root/home/lib
  • dig @<IP ADDRESS> <VICTIM DOMAIN> A
  • nmap -Pn -sT -p 80,443,445 <IP ADDRESS> –open

• Rare, anomalous, or unauthorized modification of the following files:
  • getComponent.cgi
  • restAuth.cgi
  • /home/perl/DSUpgrade.pm
  • /home/bin/remotedebug
• Presence of, reference to, or execution of “/tmp/test.p” or “/home/bin/dsrunpriv”
• Usage of or reference to the following commands shown here
• Clearing of kernel messages with “dmesg” or modification of log files with sed (both shown here)
• Rare/anomalous spikes in internal network traffic from impacted appliances that may be indicative of scanning/reconaissance
• Results for IOC’s and/or YARA rules described in the article’s IOC section

Threat Object Mapping

Intrusion Set:

• China linked UNC5337

Attack Pattern (MITRE ATT&CK):

• T1595.002 Vulnerability Scanning
• T1190 Exploit Public-Facing Application
• T1562.001 Disable or Modify Tools
• T1059.004 Unix Shell
• T1070.004 File Deletion
• T1505.003 Web Shell
• T1070.003 Clear Command History
• T1070.004 File Deletion
• T1070.001 Clear Windows Event Logs
• T1070.002 Clear Linux or Mac System Logs
• T1572 Protocol Tunneling
• T1070 Indicator Removal on Host
• T1046 Network Service Discovery
• T1018 Remote System Discovery
• T1021.002 SMB/Windows Admin Shares
• T1021.001 Remote Desktop Protocol (RDP)
• T1020 Automated Exfiltration
• T1556 Modify Authentication Process

Vulnerability:

• CVE-2025-0282

Malware/Tool:

• SPAWNANT
• SPAWNMOLE 
• SPAWNSNAIL
• SPAWNSLOTH
• PHASEJAM
• DRYHOOK

↑