CyberSecurity news
CISA@Alerts
A new wave of cyberattacks has been detected targeting Ivanti Connect Secure VPN devices, exploiting the zero-day vulnerability CVE-2025-0282. This vulnerability is being leveraged to deploy a previously unseen malware called DslogdRAT, along with a Perl-based web shell. The attacks, which initially targeted organizations in Japan around December 2024, involve the web shell being used for remote command execution, ultimately leading to the installation of DslogdRAT for persistence and command-and-control (C2) communication. Researchers at JPCERT/CC have been closely analyzing this malware and the methods used in these attacks.
The attack sequence begins with the exploitation of the CVE-2025-0282 vulnerability. Once exploited, a Perl web shell is deployed, which is used to execute commands, including those that lead to the installation of DslogdRAT. DslogdRAT establishes a socket connection with an external server, transmitting basic system information and awaiting further instructions. This allows attackers to execute shell commands, upload and download files, and even use the compromised host as a proxy. The malware is designed to operate primarily during business hours, likely to avoid detection, and uses a simple XOR-based encoding method to protect its communication with the C2 server.
Notably, the SPAWNSNARE backdoor has also been observed on systems compromised in these attacks. While it is unclear whether the DslogdRAT campaign is connected to previous attacks involving the SPAWN malware family attributed to the Chinese hacking group UNC5221, the use of CVE-2025-0282 as an initial access vector is a common thread. Furthermore, threat intelligence firms have noted a significant increase in scanning activity targeting Ivanti ICS and Ivanti Pulse Secure appliances, suggesting a coordinated reconnaissance effort that could precede further exploitation attempts. Users of Ivanti Connect Secure VPN devices are strongly advised to apply the available patches and monitor their systems for any signs of compromise.
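A defender can turn the business-hours behaviour described above into a monitoring check on connections the appliance itself initiates. The following is an added example, not code from JPCERT/CC or from the original article; the flow-log layout, the addresses, the allowlist, the 08:00-20:00 window and the three-day minimum are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the article): log layout, appliance address,
# allowlist, and the window used to mean "business hours".
APPLIANCE_IP = "10.0.0.5"
ALLOWED_DESTS = {"192.0.2.10"}      # known update / syslog servers
BUSINESS_HOURS = range(8, 20)       # 08:00-19:59 local time
MIN_DAYS = 3                        # distinct days needed to judge a pattern

# Constructed sample flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2025-01-06T09:12:00 10.0.0.5 203.0.113.77 443
2025-01-06T14:40:00 10.0.0.5 203.0.113.77 443
2025-01-07T10:05:00 10.0.0.5 203.0.113.77 443
2025-01-08T17:30:00 10.0.0.5 203.0.113.77 443
2025-01-06T02:00:00 10.0.0.5 198.51.100.20 53
2025-01-07T13:00:00 10.0.0.5 198.51.100.20 53
2025-01-08T23:15:00 10.0.0.5 198.51.100.20 53
2025-01-07T03:00:00 10.0.0.5 192.0.2.10 514
2025-01-07T11:00:00 10.0.0.9 203.0.113.99 443
"""

def suspicious_destinations(log_text):
    """Profile appliance-initiated connections to non-allowlisted hosts.

    Every destination returned deserves review, since a VPN appliance
    rarely needs to open sockets to unknown external servers. The
    business_hours_only flag marks destinations contacted on several
    days but never outside the window, which is unusual for an
    always-on device.
    """
    hours, days = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, src, dst, _dport = line.split()
        if src != APPLIANCE_IP or dst in ALLOWED_DESTS:
            continue
        ts = datetime.fromisoformat(ts_raw)
        hours[dst].append(ts.hour)
        days[dst].add(ts.date())
    return {
        dst: {
            "connections": len(hs),
            "days": len(days[dst]),
            "business_hours_only": len(days[dst]) >= MIN_DAYS
            and all(h in BUSINESS_HOURS for h in hs),
        }
        for dst, hs in hours.items()
    }
```

A flagged destination is a lead for investigation rather than proof of compromise, and the window should be set to the organization's own working hours and time zone.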
Classification:
- HashTags: #Ivanti #DslogdRAT #ZeroDay
- Company: Ivanti
- Target: Ivanti Connect Secure users
- Attacker: DslogdRAT
- Product: Connect Secure
- Feature: Zero-Day Exploitation
- Malware: DslogdRAT
- Type: Malware
- Severity: Critical