CyberSecurity news
@securityonline.info
A new wave of cyberattacks has been detected targeting Ivanti Connect Secure VPN devices, exploiting the zero-day vulnerability CVE-2025-0282. This vulnerability is being leveraged to deploy a previously unseen malware called DslogdRAT, along with a Perl-based web shell. The attacks, which initially targeted organizations in Japan around December 2024, involve the web shell being used for remote command execution, ultimately leading to the installation of DslogdRAT for persistence and command-and-control (C2) communication. Researchers at JPCERT/CC have been closely analyzing this malware and the methods used in these attacks.
The attack sequence begins with the exploitation of the CVE-2025-0282 vulnerability. Once exploited, a Perl web shell is deployed, which is used to execute commands, including those that lead to the installation of DslogdRAT. DslogdRAT establishes a socket connection with an external server, transmitting basic system information and awaiting further instructions. This allows attackers to execute shell commands, upload and download files, and even use the compromised host as a proxy. The malware is designed to operate primarily during business hours, likely to avoid detection, and uses a simple XOR-based encoding method to protect its communication with the C2 server.
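The page notes only that DslogdRAT protects its C2 traffic with a "simple XOR-based encoding". The following is an added incident-response example, not code from the original article or from the JPCERT/CC report: it shows how an analyst recovers a single-byte XOR key from a captured beacon by brute-forcing all 256 candidates and keeping the one whose decoding fits the expected message layout. The key (0x5A), the `field=value;` beacon format and the sample bytes are all hypothetical constructions for illustration; they are not the real DslogdRAT key or protocol.

```python
"""Added analyst example: recover a single-byte XOR key from a captured C2 beacon.

The key, the beacon layout and the sample bytes below are constructed for
illustration only; none of them come from the JPCERT/CC analysis.
"""
import re
from typing import Dict, List

HYPOTHETICAL_KEY = 0x5A  # constructed value, not the real DslogdRAT key

# Constructed plaintext in a hypothetical "field=value;" beacon layout.
SAMPLE_BEACON = b"hostname=vpn-gw01;user=root;pid=4242;cmd=idle\n"

# Hypothetical beacon grammar: lowercase field names, ';'-separated, newline-terminated.
BEACON_RE = re.compile(rb"^[a-z]+=[^;\n]*(?:;[a-z]+=[^;\n]*)*\n$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encoding and decoding are the same op)."""
    return bytes(b ^ key for b in data)


def looks_like_beacon(decoded: bytes) -> bool:
    """Structural check an analyst writes once the beacon layout is known.

    A plain 'is it printable?' score is not enough: many wrong keys also yield
    printable bytes, so the check is tied to the expected message grammar.
    """
    return BEACON_RE.match(decoded) is not None


def recover_single_byte_keys(captured: bytes) -> List[int]:
    """Brute-force all 256 keys; return those whose decoding satisfies the grammar."""
    return [k for k in range(256) if looks_like_beacon(xor_bytes(captured, k))]


def parse_beacon(decoded: bytes) -> Dict[str, str]:
    """Split a decoded beacon into fields for logging and IoC extraction."""
    fields: Dict[str, str] = {}
    for pair in decoded.rstrip(b"\n").split(b";"):
        name, _, value = pair.partition(b"=")
        fields[name.decode()] = value.decode()
    return fields


def analyse_capture(captured: bytes) -> Dict[str, str]:
    """End-to-end: find the key, decode, parse. Raises if the key is not unique."""
    keys = recover_single_byte_keys(captured)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one plausible key, got {keys}")
    return parse_beacon(xor_bytes(captured, keys[0]))


# Constructed "capture": the sample beacon as it would appear on the wire.
CAPTURED = xor_bytes(SAMPLE_BEACON, HYPOTHETICAL_KEY)

if __name__ == "__main__":
    print("candidate keys:", [hex(k) for k in recover_single_byte_keys(CAPTURED)])
    print("decoded fields:", analyse_capture(CAPTURED))
```

The grammar check is the part that generalises: for a real sample the analyst replaces `BEACON_RE` with whatever structure the decoded beacon is expected to have (a fixed header, a known field name, a length prefix), and the same brute-force loop then isolates the key. Multi-byte XOR keys need the usual extension of guessing the key length first, which this single-byte version does not attempt.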
Notably, the SPAWNSNARE backdoor has also been observed on systems compromised in these attacks. While it is unclear whether the DslogdRAT campaign is connected to previous attacks involving the SPAWN malware family attributed to the Chinese hacking group UNC5221, the use of CVE-2025-0282 as an initial access vector is a common thread. Furthermore, threat intelligence firms have noted a significant increase in scanning activity targeting Ivanti ICS and Ivanti Pulse Secure appliances, suggesting a coordinated reconnaissance effort that could precede further exploitation attempts. Users of Ivanti Connect Secure VPN devices are strongly advised to apply the available patches and monitor their systems for any signs of compromise.
References:
- blogs.jpcert.or.jp: JPCERT/CC: DslogdRAT malware targeting Ivanti Connect Secure
- thecyberexpress.com: The Cyber Express on DslogdRAT Malware
- The Hacker News: The Hacker News on DslogdRAT Malware
- bsky.app: Japan's CERT looks at DslogdRAT, a web shell deployed on hacked Ivanti Connect Secure devices
- securityaffairs.com: SecurityAffairs: JPCERT warns of DslogdRAT malware deployed in Ivanti Connect Secure
- cyberpress.org: CyberPress on Ivanti Connect Secure 0-Day Exploited by Hackers to Install DslogdRAT and Web Shell
- securityonline.info: SecurityOnline: DslogdRAT Malware Targets Ivanti Connect Secure via CVE-2025-0282 Zero-Day Exploit
- BleepingComputer: BleepingComputer reports about DslogdRAT Malware being deployed via IVANTI zero day
- gbhackers.com: Hackers Exploited Ivanti Connect Secure 0-Day to Deploy DslogdRAT and Web Shell
Classification:
- HashTags: #Ivanti #DslogdRAT #ZeroDay
- Company: Ivanti
- Target: Ivanti Connect Secure users
- Attacker: DslogdRAT
- Product: Connect Secure
- Feature: Zero-Day Exploitation
- Malware: DslogdRAT
- Type: Malware
- Severity: Critical