Ivanti Connect Secure zero-day exploited since mid-December (CVE-2025-0282)


The zero-day attacks leveraging the Ivanti Connect Secure (ICS) vulnerability (CVE-2025-0282) made public on Wednesday were first spotted in mid-December 2024, Mandiant researchers have shared.

It’s still impossible to say whether they were mounted by a single threat actor, but the use of known malware on at least one of the compromised VPN appliances points to China-nexus espionage actor(s) – UNC5337 and UNC5221 – that have exploited ICS zero-days several times in the past few years.

“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access. Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances,” the researchers noted.

Techniques and malware used

Mandiant’s analysts have examined compromised ICS appliances from multiple organizations and have found evidence of the attackers using them for further network reconnaissance (LDAP queries) and lateral movement (to Active Directory servers).

On one appliance the attackers deployed the SPAWN malware family: the SPAWNANT installer, SPAWNMOLE tunneler, the SPAWNSNAIL SSH backdoor, and the SPAWNSLOTH log tampering utility.

On other appliances they used previously unobserved malware, which Mandiant named DRYHOOK (a credential theft tool) and PHASEJAM (a web shell dropper).

Before attempting to exploit CVE-2025-0282, the attackers probed the targeted appliances for information about their version.

“While CVE-2025-0282 affects multiple patch levels of ICS release 22.7R2, successful exploitation is version specific,” Mandiant says. “HTTP requests from VPS providers or Tor networks to these URLs, especially in sequential version order, may indicate pre-exploitation reconnaissance.”
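A defender-side illustration of the reconnaissance pattern in Mandiant's quote, added here and not taken from the article or from Mandiant: it parses constructed access-log lines and flags any client that requests version-specific URLs in ascending patch order. The `/probe-path-placeholder/` prefix is a placeholder assumption, since the article does not list the actual URLs.

```python
import re
from collections import defaultdict

# Constructed sample web-server access-log lines. The "/probe-path-placeholder/"
# prefix is a placeholder assumption: the article says the attackers requested
# version-specific URLs in sequential order but does not list the URLs.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Dec/2024:10:01:02 +0000] "GET /probe-path-placeholder/22.7R2 HTTP/1.1" 404 0
198.51.100.7 - - [15/Dec/2024:10:01:03 +0000] "GET /probe-path-placeholder/22.7R2.1 HTTP/1.1" 404 0
198.51.100.7 - - [15/Dec/2024:10:01:04 +0000] "GET /probe-path-placeholder/22.7R2.2 HTTP/1.1" 404 0
198.51.100.7 - - [15/Dec/2024:10:01:05 +0000] "GET /probe-path-placeholder/22.7R2.3 HTTP/1.1" 200 512
203.0.113.9 - - [15/Dec/2024:10:02:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4096
203.0.113.9 - - [15/Dec/2024:10:02:01 +0000] "GET /probe-path-placeholder/22.7R2.2 HTTP/1.1" 404 0
"""

# Common/combined log format: client IP, then the request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
# Matches the ICS 22.7R2 release and its patch levels (22.7R2.1, 22.7R2.2, ...).
VERSION_RE = re.compile(r'22\.7R2(?:\.(?P<patch>\d+))?(?![\d.])')

def patch_levels_by_client(log_text):
    """Map each client IP to the ordered list of 22.7R2 patch levels it requested."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        v = VERSION_RE.search(m.group("path"))
        if v:
            seen[m.group("ip")].append(int(v.group("patch") or 0))
    return seen

def flag_sequential_probing(log_text, min_versions=3):
    """Return clients whose version-specific requests arrive in ascending patch order.

    A single client walking 22.7R2 -> 22.7R2.1 -> 22.7R2.2 ... matches the
    pre-exploitation reconnaissance pattern described above; the threshold
    keeps a single one-off request from firing.
    """
    flagged = {}
    for ip, levels in patch_levels_by_client(log_text).items():
        ascending = all(a < b for a, b in zip(levels, levels[1:]))
        if len(levels) >= min_versions and ascending:
            flagged[ip] = levels
    return flagged

if __name__ == "__main__":
    for ip, levels in flag_sequential_probing(SAMPLE_LOG).items():
        print(f"{ip}: sequential version probing, patch levels {levels}")
```

Combine the hit with source reputation (VPS ranges, Tor exit lists) before alerting, as the quote suggests; the script only isolates the ordering signal.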

Exploitation of the vulnerability generally followed these steps: Disable SELinux -> Prevent syslog forwarding -> Remount the drive as read-write -> Write and execute the script -> Deploy web shell(s) -> Remove specific log entries from debug and application logs -> Reenable SELinux -> Remount the drive.

The web shell dropper modifies ICS appliance components to insert web shells, block legitimate system upgrades and simulate fake ones, and rewrite an executable so the attackers can leverage it to execute arbitrary commands. The PHASEJAM web shell allows continued remote access to, and code execution on, compromised appliances.

The simulated system updates allow PHASEJAM and DRYHOOK to persist. The SPAWN family of malware has its own persistence mechanism, so it neither needs to fear nor block system upgrades. The SPAWNANT installer also has a way of circumventing the appliance’s internal Integrity Checker Tool (ICT) by modifying the original manifest.

Finally, by clearing kernel messages, purging debug and application logs from failure and error messages created during the exploitation, and removing executed commands from the SELinux audit log, the attackers are trying to muddy the waters for forensic specialists.

Mitigation and remediation

Ivanti advises customers to use the internal and external Integrity Checker Tool to spot malicious modifications of their appliance(s). Since the ICT does not scan for malware or other indicators of compromise, customers should run the ICT in conjunction with other monitoring tools, the company also says.

Mandiant has shared indicators of compromise and YARA rules for detecting the various malware used by the attackers, and has pointed out that an unsuccessful ICT scan (that points to compromise) will show only a few steps performed and will not end with producing an archive file with the results:

Unsuccessful external ICT scan (Source: Mandiant)

The blocking of system updates and the persistence mechanisms employed by the malware are why Ivanti advises performing a factory reset on affected appliances before installing a version with the fix.

CISA’s previous advice to US federal civilian agencies on how to deal with the potential threat of a compromised device is also helpful, and shows that a factory reset and reinstallation should not be the end of remediation efforts.
