Cyber Daily, powered by Momentum Media

Chinese threat actors behind ‘widespread’ exploitation of Ivanti VPN zero day

Security researchers at Mandiant are confident that Chinese hackers are behind an ongoing malware campaign exploiting a flaw in Ivanti Connect Secure appliances.

David Hollingworth
Fri, 10 Jan 2025

Chinese-backed hackers are very likely exploiting a recently revealed zero-day vulnerability in Ivanti VPN devices, deploying a raft of malware on targeted appliances.

Researchers at Google’s Mandiant cyber security division were initially responsible for disclosing CVE-2025-0282, and Mandiant and Ivanti are continuing to investigate the campaign at the time of writing.

CVE-2025-0282 is an unauthenticated stack-based buffer overflow vulnerability that can allow a threat actor to execute code remotely on an affected device, which in turn can lead to the compromise of an entire network.
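The article names the bug class but not the code path, so the following is an added, generic illustration of a stack-based buffer overflow and of the bounds check that prevents it. It is not Ivanti's code and does not reflect the actual CVE-2025-0282 logic; the function names, the 16-byte field size and the sample inputs are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed size of a request field held on the stack (constructed). */
#define FIELD_MAX 16

/*
 * Vulnerable pattern: the length comes from the remote peer and is trusted.
 * If len > FIELD_MAX, memcpy writes past buf into adjacent stack memory
 * (saved registers, return address), which is the class of defect the
 * article describes. Not called below because that behaviour is undefined.
 */
int parse_field_unsafe(const uint8_t *data, size_t len) {
    char buf[FIELD_MAX];
    memcpy(buf, data, len); /* no bounds check: stack-based overflow when len >= FIELD_MAX */
    buf[len] = '\0';
    return 0;
}

/*
 * Hardened pattern: validate the attacker-controlled length before the copy.
 * Returns 0 and fills out[] on success, -1 when the field would not fit
 * (leaving room for the terminating NUL).
 */
int parse_field_safe(const uint8_t *data, size_t len, char out[FIELD_MAX]) {
    if (data == NULL || len >= FIELD_MAX) {
        return -1; /* reject instead of overrunning the stack buffer */
    }
    memcpy(out, data, len);
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper for string inputs: 0 = accepted, -1 = rejected. */
int check_request(const char *field) {
    char out[FIELD_MAX];
    return parse_field_safe((const uint8_t *)field, strlen(field), out);
}

int main(void) {
    /* Constructed sample inputs: one that fits and one oversized field. */
    const char *short_field = "hello";
    const char *long_field = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */

    printf("short field: %s\n", check_request(short_field) == 0 ? "accepted" : "rejected");
    printf("long field:  %s\n", check_request(long_field) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened version is that the length check happens before any write to the stack buffer; compiling with stack protectors and fortified string functions adds defence in depth, but it does not replace the check.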

Mandiant is currently studying multiple infected devices and has found several families of malware, particularly the SPAWNANT installer, SPAWNMOLE tunneller and the SPAWNSNAIL SSH backdoor.

Researchers have also observed what appears to be new malware being deployed by the threat actor, which Mandiant has dubbed DRYHOOK and PHASEJAM.

While the SPAWN family of malware has been seen to be used by a group of Chinese threat actors dubbed UNC5337, the latter two have not been linked to a particular threat group.

UNC5337 has been exploiting compromised Ivanti Connect Secure VPN appliances since at least January 2024 and has links to another Chinese threat actor, tracked as UNC5221. Both have been seen to engage in cyber espionage activities. Once persistence has been established on a network, the groups deploy tunnellers to communicate with their command and control infrastructure, perform network reconnaissance and harvest credentials.

Mandiant expects the espionage activity to continue against “a wide range of countries and verticals”.

“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” Mandiant said in a 9 January blog post.

“Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”

You can learn more about Mandiant’s analysis of the exploitation here.

In addition, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) released its own Act Now Critical Alert regarding CVE-2025-0282 and CVE-2025-0283 yesterday.

“This alert is relevant to Australian organisations who use Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways. This alert is intended to be understood by technical users,” the ACSC said on 9 January.

“Customers are encouraged to patch to the latest version of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways where available and apply advice detailed in Ivanti’s security advisory.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
