New Evidence Emerges of Chinese Cyber Operations Targeting Ivanti Products

A recent Mandiant investigation found that a suspected Chinese cyberespionage group has been exploiting a critical flaw in Ivanti's VPN appliances to install malware. Ivanti patched the vulnerability in February, so the campaign continues a pattern in which China-linked operators rapidly weaponize recently fixed bugs in internet-facing edge devices.
According to Mandiant, the group tracked as UNC5221 used a stack-based buffer overflow in Ivanti Connect Secure to deploy malware from the Spawn ecosystem, a toolset Mandiant links to Chinese state-sponsored operations. Mandiant also identified two new malware families, Trailblaze and Brushfire. As in earlier intrusions attributed to Chinese actors, the attackers attempted to tamper with Ivanti's Integrity Checker Tool (ICT) to evade detection. Because the ICT runs on the appliance it is checking, a tampered tool can report a compromised device as clean, so a "clean" result from a suspect appliance should not be taken at face value.
The vulnerability, tracked as CVE-2025-22457, affects several Connect Secure releases, including the end-of-support 9.x line, as well as Ivanti Policy Secure, the company's network access control product. Ivanti released the fix on February 11 and noted that Policy Secure is not intended to be internet-facing, which limits its exposure if deployed as designed.
Ivanti said in a statement that it was aware of a limited number of compromised customers. Intelligence agencies have repeatedly warned about the aggressiveness of Chinese state-backed operators, who routinely exploit vulnerabilities in the window between a patch's release and its deployment.
The primary targets appear to be older VPN appliances that no longer receive software updates, notably Connect Secure 9.x, which reached end of support on December 31, 2024 and will not get a patch. The fix shipped in Ivanti Connect Secure 22.7R2.6, and Ivanti is moving customers on unsupported releases to that or later versions.
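The version triage implied above, as an added example that is not code from Ivanti, Mandiant or the article: it parses Ivanti's `<major>.<minor>R<release>[.<patch>]` version strings into numeric tuples (a plain string comparison would rank 22.7R2.10 below 22.7R2.6), flags Connect Secure 9.x as end-of-support, anything below 22.7R2.6 as unpatched, and an internet-facing Policy Secure as misconfigured. The inventory is constructed sample data; the Policy Secure fix version is not given in the article, so that product is marked for an advisory check rather than compared against a number I would have to assume.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Ivanti release strings look like "22.7R2.6" or "9.1R18.9": <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Fixed release per product. Only the Connect Secure number comes from the article;
# the Policy Secure fix version is not stated there, so it is deliberately absent.
FIXED_VERSIONS = {"Connect Secure": "22.7R2.6"}
EOS_MAJOR = 9  # Connect Secure 9.x reached end of support on 31 Dec 2024: no fix will ship


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Convert an Ivanti version string into a tuple that compares numerically.

    Tuples are used so that 22.7R2.10 sorts after 22.7R2.6; a string compare would
    get that wrong. Unrecognized formats raise ValueError rather than silently passing.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognized Ivanti version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def classify_version(product: str, version: str) -> str:
    """Return 'end-of-support', 'unpatched', 'patched' or 'check-advisory'."""
    v = parse_version(version)
    if product == "Connect Secure" and v[0] <= EOS_MAJOR:
        return "end-of-support"
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "check-advisory"  # no fix version on record for this product
    return "unpatched" if v < parse_version(fixed) else "patched"


@dataclass
class Appliance:
    host: str
    product: str          # "Connect Secure" or "Policy Secure"
    version: str
    internet_facing: bool


def triage(inventory: list[Appliance]) -> list[dict]:
    """One finding per appliance that needs action, highest priority first."""
    findings = []
    for a in inventory:
        state = classify_version(a.product, a.version)
        reasons = []
        if state == "end-of-support":
            reasons.append("EoS train, no patch available: migrate to a supported release")
        elif state == "unpatched":
            reasons.append(f"below {FIXED_VERSIONS[a.product]}: apply the fix")
        elif state == "check-advisory":
            reasons.append("no fix version on record: confirm against the vendor advisory")
        if a.product == "Policy Secure" and a.internet_facing:
            reasons.append("Policy Secure is not meant to be internet-facing: remove exposure")
        if not reasons:
            continue  # patched and correctly deployed
        # Known-exploitable-by-version outranks unknown; exposure adds a point either way.
        score = {"end-of-support": 2, "unpatched": 2, "check-advisory": 1}.get(state, 0)
        score += 1 if a.internet_facing else 0
        findings.append({"host": a.host, "state": state, "priority": score, "reasons": reasons})
    # sorted() is stable, so equal-priority hosts keep their inventory order
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    Appliance("vpn-legacy.example.test", "Connect Secure", "9.1R18.9", True),
    Appliance("vpn-01.example.test", "Connect Secure", "22.7R2.5", True),
    Appliance("vpn-02.example.test", "Connect Secure", "22.7R2.6", True),
    Appliance("nac-01.example.test", "Policy Secure", "22.7R1.3", True),
    Appliance("vpn-lab.example.test", "Connect Secure", "22.7R2.4", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f['priority']} {f['host']:<26} {f['state']:<16} {'; '.join(f['reasons'])}")
```

Run against a real asset inventory, replace `SAMPLE_INVENTORY` with whatever your CMDB or scanner exports; the only product-specific knowledge lives in `FIXED_VERSIONS` and `EOS_MAJOR`, so adding the Policy Secure fix version once it is confirmed against Ivanti's advisory is a one-line change.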
The campaign against Ivanti continues a long run of Chinese operators breaking into U.S. corporate networks by seizing on publicly disclosed flaws. The vulnerability exploited here is distinct from a separate Connect Secure flaw that the U.S. Cybersecurity and Infrastructure Security Agency had previously warned about, which was likewise used to plant malware on Connect Secure appliances.
Mapped to the MITRE ATT&CK framework, the activity includes initial access by exploiting a public-facing application (T1190), persistence through the deployed backdoors, and defense evasion through tampering with the Integrity Checker Tool; modifying the tool hides the intrusion rather than escalating privileges. Organizations running these appliances should confirm they are on a fixed release, retire 9.x devices rather than wait for a patch that will not come, keep Policy Secure off the internet, and treat any anomaly in ICT behavior or output as a possible sign of compromise.