Cybersecurity researchers have recently uncovered a new malware strain called DslogdRAT, which has been circulating after exploiting a now-patched vulnerability in Ivanti Connect Secure (ICS). This new threat raises concerns about the growing trend of exploiting zero-day vulnerabilities for malicious purposes. Here’s a breakdown of the incident and its implications for cybersecurity.
In December 2024, a China-linked espionage group named UNC5337 exploited a critical security flaw, CVE-2025-0282, in Ivanti Connect Secure. This vulnerability allowed the attackers to execute remote code on targeted systems without requiring authentication. Following this breach, they successfully installed both a web shell and the DslogdRAT malware. The flaw was patched in January 2025, but not before it had been actively exploited to deploy other malware strains like SPAWN, DRYHOOK, and PHASEJAM. While SPAWN has been attributed to UNC5337, the other two malware families have not been linked to a specific threat actor.
Following the discovery of the vulnerability, JPCERT/CC and the Cybersecurity and Infrastructure Security Agency (CISA) issued warnings about further exploitation. These attacks delivered updated versions of SPAWN, such as SPAWNCHIMERA and RESURGE. Another flaw, CVE-2025-22457, has also been exploited to distribute SPAWN, this time attributed to another Chinese hacking group, UNC5221.
What is DslogdRAT and How Does It Work?
DslogdRAT is a remote access Trojan (RAT) that serves as a gateway for attackers to take control of compromised systems. It works by establishing a connection with an external server, from which it receives further instructions. Once installed, it can carry out various malicious actions, including:
- Executing shell commands on the infected system
- Uploading or downloading files
- Using the infected system as a proxy for other attacks
- Sending basic system information back to the attackers
The attack sequence starts when the CVE-2025-0282 vulnerability is exploited, allowing a Perl web shell to be installed. This web shell then acts as the conduit for deploying additional payloads, including DslogdRAT.
What Undercode Says:
The recent wave of cyberattacks involving Ivanti Connect Secure vulnerabilities underlines the growing sophistication and persistence of cyber espionage groups, particularly those linked to state-sponsored activities. The exploitation of zero-day vulnerabilities like CVE-2025-0282 is particularly troubling because it allows hackers to bypass conventional security measures. Organizations that fail to update their systems or patch vulnerabilities in a timely manner are leaving themselves open to potentially devastating breaches.
The use of DslogdRAT as part of this larger cyber espionage operation emphasizes the versatility of modern malware. Unlike traditional malware that focuses solely on data theft or system damage, DslogdRAT acts as a more covert tool, enabling attackers to maintain a persistent presence on compromised systems while quietly carrying out further attacks. This is a key strategy for long-term espionage campaigns where staying undetected is paramount.
Moreover, the fact that multiple malware families—such as SPAWN, DRYHOOK, and PHASEJAM—are being deployed in parallel suggests a well-coordinated effort to compromise a wide range of targets. These attacks also highlight the importance of layered defense strategies in cybersecurity. No single defense mechanism (such as firewalls or antivirus software) is sufficient to protect against sophisticated and evolving threats. Organizations need to implement a combination of threat detection, regular patching, and proactive security monitoring.
What Makes This Threat Different?
What sets this cyberattack apart is the rapid exploitation of vulnerabilities across different Ivanti products, including both Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) appliances. The sheer volume of suspicious scanning activity—reported as a 9X spike by GreyNoise—suggests that the attackers are preparing for future exploitation. The involvement of more than 270 unique IP addresses in the past 24 hours alone shows that this is a well-organized attack with widespread impact.
With attackers leveraging TOR exit nodes and lesser-known hosting providers, this attack is designed to be as hard to trace as possible, adding another layer of complexity to an already sophisticated operation.
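As an added illustration, not part of the original article, of the kind of check a defender would run against the scanning spike described above: the script below assumes a simplified appliance access-log format and uses constructed sample lines, counts unique source IPs per day, and flags the latest day when it exceeds the earlier baseline by the 9X ratio the text cites.

```python
"""Flag a reconnaissance spike against a VPN appliance from its access log.

Constructed example: log format, paths and addresses are assumed, not taken
from any real appliance. The signal mirrors the "9X spike in unique scanning
IPs" reported above: latest day's unique sources vs. the mean of prior days.
"""
from collections import defaultdict
import re

# Assumed log format: "<ISO timestamp> <src_ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+ (\d+\.\d+\.\d+\.\d+) \S+ (\S+) (\d{3})$")

# Constructed sample: three quiet days with one legitimate source each,
# one malformed entry, then a burst of ten distinct sources probing /login.
SAMPLE_LOG = [
    "2025-04-01T10:00:00Z 198.51.100.10 GET /login 200",
    "2025-04-01T11:00:00Z 198.51.100.10 POST /login 302",
    "2025-04-02T10:00:00Z 198.51.100.11 GET /login 200",
    "2025-04-02T11:00:00Z 198.51.100.11 POST /login 302",
    "2025-04-03T10:00:00Z 198.51.100.12 GET /login 200",
    "2025-04-03T11:00:00Z 198.51.100.12 POST /login 302",
    "not a log line",  # malformed entry, must be skipped not crash on
] + [f"2025-04-04T01:{i:02d}:00Z 203.0.113.{i} GET /login 401"
     for i in range(1, 11)]


def unique_sources_per_day(lines):
    """Map each day (YYYY-MM-DD) to its number of distinct source IPs."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        day, ip = m.group(1), m.group(2)
        per_day[day].add(ip)
    return {d: len(ips) for d, ips in sorted(per_day.items())}


def spike_ratio(counts):
    """Ratio of the latest day's unique sources to the mean of earlier days."""
    days = sorted(counts)
    if len(days) < 2:
        return 0.0  # no baseline to compare against yet
    baseline = sum(counts[d] for d in days[:-1]) / (len(days) - 1)
    return counts[days[-1]] / baseline if baseline else float("inf")


def is_recon_spike(lines, threshold=9.0):
    """True when the latest day is at least `threshold` times the baseline."""
    return spike_ratio(unique_sources_per_day(lines)) >= threshold
```

A real deployment would feed the appliance's exported access log through the same two functions and alert on the ratio rather than on raw request counts, since a single noisy scanner should not trip it.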
Fact Checker Results:
- CVE-2025-0282 is a critical vulnerability that was patched in January 2025 but had been actively exploited in attacks as early as December 2024.
- The malware DslogdRAT has been confirmed as a payload delivered via this vulnerability, though its exact role in larger campaigns is still being analyzed.
- The surge in suspicious scanning activity targeting Ivanti appliances is a clear indicator of preparations for future attacks, with evidence of a coordinated reconnaissance effort.
References:
Reported By: thehackernews.com