A China-based attack group has launched a targeted campaign against Japanese shipping and transportation companies by exploiting critical vulnerabilities in Ivanti Connect Secure (ICS).
The campaign, uncovered in April 2025, leverages two severe vulnerabilities to gain initial access to target networks and deploy multiple PlugX malware variants, including the newly identified MetaRAT and Talisman PlugX.
The attack chain reveals a sophisticated approach where hackers first compromise ICS systems using vulnerabilities CVE-2024-21893 and CVE-2024-21887. Once inside, they establish a foothold by installing malware on targeted devices.
The attacker group then conducts detailed reconnaissance activities to map the network environment and gather system credentials from the compromised systems.
Using stolen credentials, particularly Active Directory privileged account information, attackers move laterally across the target organization’s network infrastructure.
They systematically deploy PlugX variants on multiple internal servers to maintain persistence and expand their control over the compromised environment.
This multi-stage attack demonstrates careful planning and understanding of enterprise network structures.
LAC Watch security analysts identified the malware after conducting forensic analysis on the compromised Ivanti systems.
Attack campaign
They discovered critical error logs with the code ERR31093, which appear when ICS processes invalid SAML payloads related to CVE-2024-21893 exploitation.
Additionally, running the Integrity Checker Tool revealed suspicious files matching known malware signatures, including LITTLELAMB, WOOLTEA, PITSOCK, and PITFUEL, which had previously been documented in similar attacks.
MetaRAT represents a new evolution in the PlugX remote access trojan family. This variant has existed since at least 2022 but remained unnamed until now.
Security researchers confirmed that MetaRAT executes via DLL side-loading, a technique that leverages legitimate Windows processes to load malicious code.
The loader component, named mytilus3.dll, loads an encrypted shellcode file called materoll, decrypts it using XOR operations with a key value of 0xA6, and then executes the decoded shellcode in memory.
The shellcode then performs an additional AES-256-ECB decryption of the stored MetaRAT payload, which is itself LZNT1-compressed.
Once decompressed in memory, the actual MetaRAT malware begins execution through exported functions. This multi-layered encryption and compression approach makes detection significantly harder for security tools.
MetaRAT implements API hashing to obtain the necessary Windows API functions and employs anti-debugging mechanisms that detect and destroy decryption keys when a debugger is present.
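As an added illustration of the unpacking chain described above (example code written for this article, not LAC's tooling or anything from the report): a pure-Python decoder for the two layers an analyst can reverse without recovering a key, the single-byte XOR (0xA6) over the shellcode file and the LZNT1 decompression of the final payload. The AES-256-ECB layer that sits between them needs the key recovered from the shellcode and is not shown; the sample input is constructed, not a real capture.

```python
import struct


def xor_decode(data: bytes, key: int = 0xA6) -> bytes:
    """Peel a single-byte XOR layer (0xA6 is the key reported for 'materoll')."""
    return bytes(b ^ key for b in data)


def _lznt1_chunk(chunk: bytes) -> bytearray:
    """Decode one compressed LZNT1 chunk: flag bytes, each followed by 8 tokens."""
    out, i = bytearray(), 0
    while i < len(chunk):
        flags, i = chunk[i], i + 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:          # token is a literal byte
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]  # back-reference
            i += 2
            # The 16-bit token is split between length and displacement; the
            # displacement field widens as more of the chunk has been decoded.
            pos, len_mask, disp_shift = len(out) - 1, 0xFFF, 12
            while pos >= 0x10:
                pos, len_mask, disp_shift = pos >> 1, len_mask >> 1, disp_shift - 1
            length, disp = (token & len_mask) + 3, (token >> disp_shift) + 1
            for _ in range(length):            # byte-wise copy handles overlap
                out.append(out[-disp])
    return out


def lznt1_decompress(data: bytes) -> bytes:
    """Walk the 2-byte chunk headers of an LZNT1 stream and join the output."""
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, i)[0]
        i += 2
        if hdr == 0:                           # end-of-stream marker
            break
        size = (hdr & 0xFFF) + 1               # length of the chunk body
        chunk, i = data[i:i + size], i + size
        out += _lznt1_chunk(chunk) if hdr & 0x8000 else chunk  # bit 15: compressed
    return bytes(out)


# Constructed sample: 'Hello MetaRAT! ' x3, LZNT1-compressed as 17 literals plus
# one 28-byte back-reference (displacement 15), then XOR-encoded with 0xA6.
_PLAIN_LZNT1 = bytes.fromhex("15b0" "00" "48656c6c6f204d65" "00" "7461524154212048" "02" "65" "1970")
SAMPLE_ENCODED = xor_decode(_PLAIN_LZNT1)  # XOR is symmetric, so this encodes it


def unpack_sample() -> bytes:
    return lznt1_decompress(xor_decode(SAMPLE_ENCODED))
```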
Vulnerability Details:
| CVE ID | Description | Severity | Impact | Detection Method |
|---|---|---|---|---|
| CVE-2024-21893 | Authentication bypass in Ivanti Connect Secure | Critical | Invalid SAML payload processing leading to malware installation | ERR31093 critical error logs in system logs |
| CVE-2024-21887 | Remote code execution in Ivanti Connect Secure | Critical | Enables initial intrusion and malware deployment | Suspicious files created (LITTLELAMB, WOOLTEA, PITSOCK, PITFUEL) |
Organizations using affected Ivanti Connect Secure versions should immediately apply security patches and monitor their systems for signs of compromise.
The presence of suspicious service registrations such as “sihosts” or registry keys named “matesile” may indicate active MetaRAT infections.
Additionally, checking for keylog files named “VniFile.hlp” in the mates directory under %ALLUSERSPROFILE% can help identify affected systems.
