
Ivanti ICS Flaw Exploited to Deploy DslogdRAT and Other Malware


Researchers have documented a newly identified malware strain, DslogdRAT, installed after exploitation of a critical, now-patched vulnerability in Ivanti Connect Secure (ICS). The flaw, tracked as CVE-2025-0282, allows unauthenticated remote code execution on affected appliances and has been exploited in the wild since late 2024.

CVE-2025-0282 and the Exploitation Process

CVE-2025-0282 was first exploited as a zero-day in December 2024, in attacks that included organizations in Japan and that Mandiant attributed to the China-linked espionage group UNC5337. According to JPCERT/CC researcher Yuma Masubuchi, the intrusions installed a Perl web shell on the appliance, which then served as the launching point for additional payloads, including DslogdRAT.

CVE-2025-0282 is a stack-based buffer overflow (CVSS 9.0) in the ICS software that allows unauthenticated remote code execution. Ivanti fixed it in ICS 22.7R2.5, released in early January 2025. Before the fix was available, attackers used the flaw to deploy the SPAWN malware ecosystem. Mandiant also observed the DRYHOOK and PHASEJAM tools in the same intrusions, though those two families have not been conclusively attributed to any specific group.

After the patch shipped, JPCERT/CC and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that the same vulnerability was also being used to deploy newer SPAWN variants, SPAWNCHIMERA and RESURGE. Separately, Google-owned threat intelligence firm Mandiant disclosed exploitation of another ICS flaw (CVE-2025-22457) to distribute SPAWN, attributing that activity to UNC5221, the China-nexus group that Mandiant assesses UNC5337 to be part of.

JPCERT/CC has not definitively linked the DslogdRAT attacks to the ongoing SPAWN campaign, although the overlap in initial access and tooling suggests a possible connection.

DslogdRAT’s Functionality and Impact

DslogdRAT, once deployed, establishes a socket connection to an external server. This allows it to exfiltrate basic system information and await further instructions. The malware is capable of executing shell commands, downloading and uploading files, and using the infected system as a proxy to route further malicious activity.

Because DslogdRAT gives a remote operator command execution, file transfer and a proxy foothold on an internet-facing VPN appliance, a single compromised ICS device can serve as a beachhead for espionage, data theft and lateral movement into the internal network.

In addition, threat intelligence firm GreyNoise has reported a sharp increase in scanning activity targeting Ivanti Connect Secure and Pulse Secure appliances. In the 24 hours before its report, more than 270 unique IP addresses engaged in suspicious scanning; over the preceding 90 days the number exceeded 1,000 unique IPs. Of these, 255 were classified as malicious and a further 643 as suspicious.

The malicious IPs were tied to Tor exit nodes, while the suspicious IPs appear to originate from lesser-known hosting providers. The United States, Germany and the Netherlands were the top three countries of origin. Reconnaissance at this scale suggests attackers are cataloguing exposed appliances ahead of further exploitation, whether of the flaws above or of other ICS and Pulse Secure vulnerabilities.

Recommendations

Organizations should apply Ivanti's patches for CVE-2025-0282 (ICS 22.7R2.5) and CVE-2025-22457 (ICS 22.7R2.6) as soon as possible to reduce exposure to DslogdRAT and the other malware families abusing these flaws, and should run Ivanti's Integrity Checker Tool on appliances that were exposed before patching, since a patch does not remove a web shell that is already present. The surge in scanning activity also underlines the need for proactive monitoring of internet-facing appliances.
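As an added example (written for this page, not code from the article, JPCERT/CC, Ivanti or GreyNoise), the following Python script turns the two recommendations above into checks a defender can run: it parses Ivanti's `22.7R2.5`-style version strings to report which of the two CVEs named on this page an appliance still lacks a fix for, using the fixed versions from Ivanti's advisories, and it summarises ICS reconnaissance per source IP from access-log lines, flagging sources found in a Tor exit-node list. The log lines, IP addresses and Tor-exit list are constructed, and the ICS URL prefixes are an assumption to tune for your deployment.

```python
"""Added example: ICS patch-level triage and scanner summary (not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# --- 1. Version triage ------------------------------------------------------

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Fixed Connect Secure builds per Ivanti's advisories.
FIXED_IN = {
    "CVE-2025-0282": "22.7R2.5",
    "CVE-2025-22457": "22.7R2.6",
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so builds compare as tuples.
    A missing trailing patch number ('22.7R2') is treated as .0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def unpatched_cves(installed: str) -> List[str]:
    """Return the CVEs from FIXED_IN that the installed build predates.
    End-of-support 9.x trains never received a fix, so they are reported too."""
    have = parse_version(installed)
    return [cve for cve, fixed in FIXED_IN.items() if have < parse_version(fixed)]


# --- 2. Scan triage ---------------------------------------------------------

# Common Log Format with a numeric timezone, e.g. from a proxy in front of ICS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: the ICS web UI lives under these prefixes; adjust for your appliance.
ICS_PATH_PREFIXES = ("/dana-na/", "/dana-ws/", "/dana/")


def summarise_scanners(
    log_lines: Iterable[str],
    now: datetime,
    window: timedelta = timedelta(hours=24),
    tor_exits: frozenset = frozenset(),
) -> Dict[str, Dict[str, object]]:
    """Count requests to ICS paths per source IP within `window` of `now`,
    and flag IPs present in the supplied Tor exit-node list."""
    hits: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if now - ts > window:
            continue  # outside the reporting window
        if not m["path"].startswith(ICS_PATH_PREFIXES):
            continue  # generic web noise, not ICS reconnaissance
        hits[m["ip"]] += 1
    return {ip: {"hits": n, "tor_exit": ip in tor_exits} for ip, n in hits.items()}


# Constructed sample data (RFC 5737 documentation addresses, not real scanners).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Apr/2025:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234',
    '198.51.100.7 - - [25/Apr/2025:10:01:05 +0000] "GET /dana-ws/saml20.ws HTTP/1.1" 404 0',
    '203.0.113.9 - - [25/Apr/2025:09:58:40 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234',
    '203.0.113.9 - - [25/Apr/2025:09:58:41 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
    '192.0.2.44 - - [20/Jan/2025:10:00:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234',
    '192.0.2.44 - - [25/Apr/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 50',
]
SAMPLE_NOW = datetime(2025, 4, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_TOR_EXITS = frozenset({"198.51.100.7"})  # constructed, not a real exit list

if __name__ == "__main__":
    for v in ("22.7R2.4", "22.7R2.5", "22.7R2.6", "9.1R18.9"):
        print(v, "missing fixes for:", unpatched_cves(v) or "none")
    for ip, info in summarise_scanners(SAMPLE_LOG, SAMPLE_NOW, tor_exits=SAMPLE_TOR_EXITS).items():
        print(ip, info)
```

The version check compares whole tuples rather than patch digits alone, so an older 22.6 or 9.1 build is reported as missing both fixes instead of being silently skipped. The scanner summary ignores hits outside the window and requests to non-ICS paths, which is what keeps the 24-hour and 90-day counts comparable across runs.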

Given the ongoing exploitation of these flaws and the appearance of new malware strains like DslogdRAT, organizations should stay vigilant, keep their systems up to date, and closely monitor for signs of compromise.
