Researchers have documented a previously unknown malware strain, DslogdRAT, that was deployed on Ivanti Connect Secure (ICS) appliances through a now-patched vulnerability tracked as CVE-2025-0282. The flaw was exploited as a zero-day against organizations in Japan in December 2024, and the attackers used it to install both the malware and a companion web shell.
According to Yuma Masubuchi of JPCERT/CC, the malware was dropped during intrusions that abused the zero-day, a stack-based buffer overflow that allows unauthenticated remote code execution on the appliance. Ivanti patched the flaw in early January 2025 (the fix shipped in ICS 22.7R2.5), but by then the exploit chain had already placed DslogdRAT on targeted systems.
Exploitation of CVE-2025-0282 has also been attributed to UNC5337, a China-nexus espionage cluster that used the ICS flaw to deliver the SPAWN malware ecosystem alongside other tooling. Later attacks against the same vulnerability dropped updated variants of that ecosystem, tracked as SPAWNCHIMERA and RESURGE.
A separate ICS vulnerability, CVE-2025-22457 (fixed in ICS 22.7R2.6), has likewise been weaponized to push SPAWN malware, this time by another China-nexus group, UNC5221. The repeated targeting of edge VPN appliances through newly disclosed flaws is a recurring pattern, and it raises real questions about the exposure of organizations that depend on Ivanti products without a fast patching and integrity-checking routine.
JPCERT/CC is still investigating whether the DslogdRAT intrusions are part of the broader campaign associated with the SPAWN malware family. In the cases it analyzed, the chain began with exploitation of CVE-2025-0282 to deploy a Perl-based web shell, which then served as the foothold for further payloads, including DslogdRAT.
Once running, DslogdRAT opens a connection to an attacker-controlled server, sends basic system information and waits for instructions. Supported tasks include executing shell commands, uploading and downloading files, and turning the compromised host into a proxy. Because an ICS appliance sits at the network edge and terminates VPN sessions, a proxy running on it gives the attacker a ready-made pivot into the internal network, which is what makes this capability so dangerous for organizations handling sensitive data.
Separately, threat intelligence firm GreyNoise reported a sharp increase in scanning aimed at ICS and Ivanti Pulse Secure appliances. It observed more than 270 unique IP addresses per day engaged in suspicious scanning, and more than 1,000 unique IPs over the preceding 90 days, with most of the traffic originating from addresses in the United States, Germany, and the Netherlands.
A spike of this kind usually indicates coordinated reconnaissance, possibly laying the groundwork for a new wave of exploitation. GreyNoise has not tied the surge to any specific vulnerability, but past scanning bursts against these appliances have often preceded active exploitation. Organizations running Ivanti products should confirm they are on the patched releases, run Ivanti's Integrity Checker Tool (ICT) to look for signs of prior compromise, and follow Ivanti's remediation guidance, including a factory reset, if the tool reports anomalies.
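The GreyNoise metric above (unique scanning sources per day, plus a cumulative count over a window) is easy to reproduce against your own edge logs. The script below is an added illustration, not code from GreyNoise, JPCERT/CC or Ivanti: it parses a constructed, generic log format (date, source IP, request path), counts distinct sources per day that touch the ICS web paths, computes the unique-source total over a trailing window, and flags days that exceed either an absolute threshold or a multiple of the prior daily average. The watched path prefixes (`/dana-na/`, `/dana-ws/`) and the thresholds are assumptions for the example; real appliance and firewall logs will need a different parser.

```python
"""Flag bursts of distinct source IPs probing a VPN appliance's web paths.

Added example, not code from JPCERT/CC, GreyNoise or Ivanti. The log format
is constructed for illustration: "<YYYY-MM-DD> <source_ip> <request_path>".
"""
from collections import defaultdict
from datetime import date, timedelta

# URL prefixes served by Ivanti Connect Secure that scanners typically probe.
# Assumption for the example; adjust to what your own appliance exposes.
WATCHED_PREFIXES = ("/dana-na/", "/dana-ws/")

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2025-04-20 203.0.113.5 /dana-na/auth/url_default/welcome.cgi
2025-04-20 203.0.113.5 /dana-na/auth/url_default/welcome.cgi
2025-04-20 198.51.100.7 /dana-ws/
2025-04-21 203.0.113.5 /dana-na/auth/url_default/welcome.cgi
2025-04-21 198.51.100.9 /dana-na/auth/url_default/welcome.cgi
2025-04-21 198.51.100.10 /index.html
2025-04-22 192.0.2.1 /dana-na/auth/url_default/welcome.cgi
2025-04-22 192.0.2.2 /dana-na/auth/url_default/welcome.cgi
2025-04-22 192.0.2.3 /dana-na/auth/url_default/welcome.cgi
2025-04-22 192.0.2.4 /dana-ws/
2025-04-22 192.0.2.5 /dana-ws/
"""


def parse_log(text):
    """Return (day, ip, path) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day_str, ip, path = parts
        try:
            day = date.fromisoformat(day_str)
        except ValueError:
            continue
        records.append((day, ip, path))
    return records


def daily_unique_sources(records, prefixes=WATCHED_PREFIXES):
    """Map each day to the set of distinct source IPs that hit a watched path."""
    per_day = defaultdict(set)
    for day, ip, path in records:
        if path.startswith(prefixes):
            per_day[day].add(ip)
    return dict(per_day)


def rolling_unique_sources(per_day, end_day, window_days):
    """Count distinct IPs seen in the window_days ending on end_day (inclusive)."""
    start = end_day - timedelta(days=window_days - 1)
    seen = set()
    for day, ips in per_day.items():
        if start <= day <= end_day:
            seen |= ips
    return len(seen)


def flag_scanning_days(per_day, daily_threshold, spike_factor=3.0):
    """Flag days whose unique-source count is at or above daily_threshold,
    or at or above spike_factor times the mean of all earlier days."""
    flagged, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        baseline = sum(history) / len(history) if history else None
        spike = baseline is not None and baseline > 0 and count >= spike_factor * baseline
        if count >= daily_threshold or spike:
            flagged.append((day, count))
        history.append(count)
    return flagged


def summarize(log_text, daily_threshold=5, spike_factor=3.0, window_days=3):
    """Run the whole pipeline and return plain-string results for reporting."""
    per_day = daily_unique_sources(parse_log(log_text))
    last_day = max(per_day)
    return {
        "per_day": {d.isoformat(): len(ips) for d, ips in sorted(per_day.items())},
        "window_unique": rolling_unique_sources(per_day, last_day, window_days),
        "flagged": [d.isoformat() for d, _ in flag_scanning_days(per_day, daily_threshold, spike_factor)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The absolute threshold catches sustained, high-volume scanning; the spike factor catches a sudden jump from a quiet baseline, which is the pattern that tends to precede exploitation of a freshly disclosed flaw. In production, feed the parser your reverse-proxy or firewall logs for the appliance's public address and alert on flagged days rather than printing them.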