China-nexus APT Exploits Ivanti Connect Secure VPN Vulnerability to Infiltrate Multiple Entities

Summary:
A China-nexus APT group exploited critical stack buffer overflow vulnerabilities (CVE-2025-0282 and CVE-2025-22457) in Ivanti Connect Secure VPN appliances. The victims span nearly twenty different industries across twelve countries: Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States. These vulnerabilities allow for remote code execution. The attacker deployed SPAWNCHIMERA, a toolset shared among Chinese threat groups, which includes SPAWNANT (installer), SPAWNMOLE (SOCKS5 tunneler), SPAWNSNAIL (SSH backdoor), and SPAWNSLOTH (log wiper).

Security Officer Comments:
While specific attribution is not provided in the article, the wide geographic and industry distribution of victims underscores the broad targeting scope often associated with state-sponsored actors. The use of SPAWNCHIMERA, a malware family shared among Chinese threat groups, indicates a potential connection or shared resources within the broader China-nexus cyber espionage ecosystem. As is common among Chinese APT groups, the adversary is focused on establishing covert communication, maintaining access, and covering their tracks, likely for espionage and stealthy intellectual property theft.

Of note, other actors are also exploiting these issues in Ivanti Connect Secure VPN.

Suggested Corrections:
Organizations using vulnerable versions of Ivanti Connect Secure VPN must immediately apply the security patches released by Ivanti for CVE-2025-0282 and CVE-2025-22457. This will close the entry points the attackers are exploiting.

The article strongly recommends that affected organizations conduct a thorough incident investigation. This is crucial because the attacker demonstrated versatile tactics and likely established a persistent presence within compromised networks. A comprehensive investigation can help identify the scope of the breach, any data exfiltration, and all backdoors or persistence mechanisms the attackers may have deployed.

Link(s):
https://teamt5.org/en/posts/china-n...ulnerability-to-infiltrate-multiple-entities/