Threat Actors Exploit Ivanti Connect Secure Flaws to Deploy Cobalt Strike Beacon
Threat actors have been actively exploiting vulnerabilities in Ivanti Connect Secure, specifically CVE-2025-0282 and CVE-2025-22457, to deploy advanced malware, including MDifyLoader and Cobalt Strike Beacon.
These attacks, observed from December 2024 through July 2025, build on prior incidents involving SPAWNCHIMERA and DslogdRAT, demonstrating persistent targeting of VPN appliances.
Attackers leverage these flaws for initial access, subsequently introducing tools like vshell and Fscan to facilitate reconnaissance, lateral movement, and persistence within compromised networks.
The sophistication of these operations highlights the attackers’ intent to evade detection through obfuscation, encryption, and legitimate file abuse, underscoring the need for robust patching and monitoring of external remote services.
Malware Execution
The execution flow begins with a scheduled task triggering a legitimate executable, such as Java’s rmic.exe or push_detect.exe, which side-loads MDifyLoader via DLL hijacking.
Derived from the open-source libPeConv project, MDifyLoader decrypts an encrypted data file using an RC4 key generated from the MD5 hash of the executable, ultimately injecting Cobalt Strike Beacon version 4.5 into memory.
This Beacon variant features custom modifications, including RC4-encrypted configuration data with a hardcoded “google” key and a “NewBeacon.dll” identifier, deviating from standard XOR decryption.
Obfuscation in MDifyLoader incorporates junk code with meaningless function calls and relative address references, complicating static analysis and deobfuscation efforts.
Similarly, vshell version 4.6.0, a Go-based multi-platform RAT, includes a check for a Chinese system language; attackers repeatedly tested and redeployed it, which suggests leftover internal development artifacts.

Fscan, an open-source network scanner, is executed via a legitimate python.exe that side-loads a malicious python311.dll based on FilelessRemotePE, decrypting the encoded k.bin payload with an RC4 key “99999999” for in-memory execution.
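The three RC4-wrapped stages above (MDifyLoader's data file keyed from the MD5 of its host executable, the Beacon configuration keyed with "google", and the Fscan loader's k.bin keyed with "99999999") can be triaged with one small script that tries each scheme and reports which one produces a plausible plaintext. The following is an added example, not code from JPCERT/CC's report or from the malware; it assumes the MD5 key is either the raw 16-byte digest or its hex string (the report does not say which, so both are tried), treats a PE header or the custom "NewBeacon.dll" identifier as the plausibility signal, and uses constructed sample bytes throughout.

```python
"""Analyst triage helper for the RC4-wrapped stages described above.

Added example, not code from JPCERT/CC's report or from the malware. It tries
the key-derivation schemes the report names and says which one yields a
plausible plaintext. Assumptions: the report does not say whether MDifyLoader
keys RC4 with the raw 16-byte MD5 digest of the host executable or its hex
string, so both are tried; 'plausible' means a PE header or the custom
"NewBeacon.dll" identifier; all sample bytes are constructed.
"""
import hashlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def candidate_keys(host_exe: bytes) -> dict:
    """Keys to try, in order, labelled by the stage they belong to."""
    digest = hashlib.md5(host_exe)
    return {
        "md5(exe) raw digest": digest.digest(),              # MDifyLoader (assumed form)
        "md5(exe) hex string": digest.hexdigest().encode(),  # MDifyLoader (alternative form)
        "beacon config key 'google'": b"google",             # modified Beacon config
        "Fscan loader key '99999999'": b"99999999",          # k.bin in the Fscan loader
    }


def looks_like_payload(plain: bytes) -> bool:
    """Plausibility check: a PE image, or the custom Beacon identifier."""
    pe_image = plain.startswith(b"MZ") and b"PE\x00\x00" in plain
    return pe_image or b"NewBeacon.dll" in plain


def triage(blob: bytes, host_exe: bytes) -> Optional[str]:
    """Return the label of the first key that decrypts blob to something
    plausible, or None if none of the report's schemes fit."""
    for label, key in candidate_keys(host_exe).items():
        if looks_like_payload(rc4(key, blob)):
            return label
    return None


# Constructed stand-ins: a fake host executable and a fake PE payload.
SAMPLE_HOST_EXE = b"MZ" + b"\x90" * 62 + b"constructed host executable stub"
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"NewBeacon.dll" + b"\x00" * 16


def encrypted_samples() -> dict:
    """Constructed inputs wrapped the way the report describes each stage
    (file names from the report's IOC table and text, contents invented)."""
    md5_key = hashlib.md5(SAMPLE_HOST_EXE).digest()
    return {
        "update.dat": rc4(md5_key, SAMPLE_PAYLOAD),
        "config.ini": rc4(b"google", b"\x00\x01NewBeacon.dll\x00constructed config"),
        "k.bin": rc4(b"99999999", SAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, blob in encrypted_samples().items():
        print(f"{name}: {triage(blob, SAMPLE_HOST_EXE)}")
```

Point `triage()` at a captured data file together with the bytes of the executable it sat beside; a `None` result means none of the report's schemes fit and the sample needs manual analysis rather than a forced match.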
Post-Exploitation Tactics
Once inside the internal network, attackers employ brute-force attacks on Active Directory servers, FTP, MSSQL, and SSH services to harvest credentials, while exploiting the MS17-010 SMB vulnerability for lateral movement to unpatched hosts.
Obtained credentials enable RDP and SMB-based pivoting, with malware deployment across systems.
For persistence, new domain accounts are created and added to groups, blending with legitimate operations to survive credential revocations, while malware is registered as Windows services or scheduled tasks for automatic execution on startup or triggers.
Defense evasion is achieved through masquerading as legitimate files, file deletion to erase traces, and ETW bypassing via ntdll.dll patches in the Fscan loader, impairing EDR detection.
Command and control communications are secured with encrypted channels, including TLS and custom protocols, facilitating long-term access.
These tactics map to MITRE ATT&CK techniques such as T1133 for initial access, T1053.005 for scheduled tasks, T1110.001 for credential access, and T1210 for exploitation-based lateral movement, illustrating a comprehensive intrusion lifecycle.
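Both the side-loading chain in the Malware Execution section (a scheduled task launching rmic.exe, push_detect.exe or python.exe, which then loads a DLL from its own directory) and the post-exploitation pattern just described leave Windows event-log traces. The following rule set is an added example, not part of JPCERT/CC's report: it runs over constructed Sysmon image-load events and Security events with simplified field names, assumes a brute-force threshold of 10 failed logons per source, and uses the ATT&CK identifiers only where the report itself gives them.

```python
"""Detection rules for the intrusion chain described above.

Added example; the events are constructed, with simplified field names, and
are not taken from JPCERT/CC's report. Input is JSON lines, one event per
line. Event IDs used: Sysmon 7 (image loaded), Security 4625 (failed logon),
4720 (account created), 4728 (member added to global group), 4698
(scheduled task created).
"""
import json
from collections import Counter
from pathlib import PureWindowsPath

# Legitimate executables the report names as side-loading hosts.
HOST_EXES = {"rmic.exe", "push_detect.exe", "python.exe"}
BRUTE_FORCE_THRESHOLD = 10  # failed logons from one source (assumed value)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_side_load(events):
    """A watch-listed host EXE loads an unsigned DLL from its own directory:
    the rmic.exe/MDifyLoader and python.exe/python311.dll pattern. A signed
    python311.dll next to python.exe is normal and is not flagged."""
    hits = []
    for e in events:
        if e.get("source") != "sysmon" or e.get("event_id") != 7:
            continue
        exe = PureWindowsPath(e["Image"])
        dll = PureWindowsPath(e["ImageLoaded"])
        if (exe.name.lower() in HOST_EXES
                and e.get("Signed", "false").lower() != "true"
                and dll.parent == exe.parent):
            hits.append(("dll side-load", str(dll)))
    return hits


def detect_brute_force(events):
    """Bursts of 4625 from one source IP (T1110.001)."""
    failures = Counter(e["IpAddress"] for e in events
                       if e.get("source") == "security" and e.get("event_id") == 4625)
    return [("T1110.001 brute force", ip, n)
            for ip, n in failures.items() if n >= BRUTE_FORCE_THRESHOLD]


def detect_new_account_in_group(events):
    """4720 (account created) followed by 4728 (added to a global group) for
    the same account: the persistence pattern the report describes."""
    created = {e["TargetUserName"] for e in events
               if e.get("source") == "security" and e.get("event_id") == 4720}
    return [("new account added to group", e["MemberName"], e["TargetUserName"])
            for e in events
            if e.get("source") == "security" and e.get("event_id") == 4728
            and e["MemberName"] in created]


def detect_scheduled_task(events):
    """4698 whose action runs a watch-listed host EXE (T1053.005)."""
    return [("T1053.005 scheduled task", e["TaskName"], e["Command"])
            for e in events
            if e.get("source") == "security" and e.get("event_id") == 4698
            and PureWindowsPath(e["Command"]).name.lower() in HOST_EXES]


def run_all(text):
    events = parse_events(text)
    return {
        "side_load": detect_side_load(events),
        "brute_force": detect_brute_force(events),
        "new_account": detect_new_account_in_group(events),
        "scheduled_task": detect_scheduled_task(events),
    }


# Constructed sample log: one side-load, one benign python.exe load, one task,
# one account-creation pair, twelve failures from one source, one from another.
SAMPLE_EVENTS = "\n".join(
    [json.dumps({"source": "sysmon", "event_id": 7, "Signed": "false",
                 "Image": r"C:\ProgramData\jre\bin\rmic.exe",
                 "ImageLoaded": r"C:\ProgramData\jre\bin\sideloaded_example.dll"}),
     json.dumps({"source": "sysmon", "event_id": 7, "Signed": "true",
                 "Image": r"C:\Python311\python.exe",
                 "ImageLoaded": r"C:\Python311\python311.dll"}),
     json.dumps({"source": "security", "event_id": 4698,
                 "TaskName": r"\Microsoft\Windows\Update",
                 "Command": r"C:\ProgramData\jre\bin\rmic.exe"}),
     json.dumps({"source": "security", "event_id": 4720, "TargetUserName": "backup_svc2"}),
     json.dumps({"source": "security", "event_id": 4728,
                 "MemberName": "backup_svc2", "TargetUserName": "Domain Admins"})]
    + [json.dumps({"source": "security", "event_id": 4625,
                   "IpAddress": "10.0.0.99", "TargetUserName": f"user{i}"})
       for i in range(12)]
    + [json.dumps({"source": "security", "event_id": 4625,
                   "IpAddress": "10.0.0.5", "TargetUserName": "alice"})]
)

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The side-load rule keys on the Sysmon `Signed` field rather than on file names because the report shows the same host executables (python.exe, rmic.exe) being used legitimately and abusively; the directory check narrows it to the classic pattern of a DLL planted beside the executable.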
JPCERT/CC warns that these attacks are likely to continue, urging organizations to scrutinize VPN devices and implement defenses against such encrypted, obfuscated payloads. For detailed indicators, including hashes and C2 servers, refer to the IOC table below.
Indicators of Compromise (IOC)
Category | Item | Value |
---|---|---|
Malware | Cobalt Strike v4.5 | update.dat – SHA256: 09087fc4f8c261a810479bb574b0ecbf8173d4a8365a73113025bd506b95e3d7 |
Malware | Cobalt Strike v4.5 | config.ini – SHA256: 1652ab693512cd4f26cc73e253b5b9b0e342ac70aa767524264fef08706d0e69 |
Malware | vshell | ws_windows_amd2.exe – SHA256: 48f3915fb8d8ad39dc5267894a950efc863bcc660f1654187b3d77a302fd040f |
Malware | vshell | ws_windows_amd64.exe – SHA256: 54350d677174269b4dc25b0ccfb0029d6aeac5abbbc8d39eb880c9fd95691125 |
Malware | vshell | ws.exe – SHA256: 85f9819118af284e6b00ce49fb0c85ff0c0b9d7a0589e1bb56a275ed91314965 |
C2 Server | – | 172.237.6.207:80 |
C2 Server | – | proxy.objectlook.com:80 |
C2 Server | – | api.openedr.eu.org:443 |
C2 Server | – | community.openedr.eu.org:443 |
C2 Server | – | query.datasophos.com:443 |