DslogdRAT Malware Installed in Ivanti Connect Secure

Summary:
In January 2025, Ivanti released patches for an actively exploited zero-day vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Tracked as CVE-2025-0282, the flaw is a stack-based buffer overflow that allows an unauthenticated remote attacker to execute code on vulnerable appliances. Since Ivanti's initial disclosure, vendors such as Google have published advisories documenting in-the-wild exploitation of CVE-2025-0282 to deliver SPAWN, a malware ecosystem attributed to UNC5221, a China-nexus threat group.

A new advisory from Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) details a multi-stage attack campaign observed in December 2024, before Ivanti's January patch, in which threat actors exploited CVE-2025-0282 to compromise organizations across Japan. The attackers deployed a simple but effective Perl CGI web shell as the initial payload. The script parses the Cookie header of incoming HTTP requests and checks for a specific token (DSAUTOKEN=af95380019083db5); if the token matches, it executes whatever system command is supplied in the data parameter, giving the operator remote code execution on the appliance.

This foothold was then used to deliver DslogdRAT, a more advanced remote access trojan designed for persistence and stealth. DslogdRAT uses a parent-child process architecture: the main process spawns a long-running first child that maintains persistence, and a second child carries out the core malicious functions. These include establishing a socket connection to a command-and-control server over which traffic is XOR-encoded, sending host information, executing shell commands, transferring files, and acting as a proxy. To reduce the chance of detection, the malware is configured to operate primarily during normal business hours, a window defined in a hardcoded, XOR-obfuscated configuration block.
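The two web shell indicators above (the DSAUTOKEN cookie value and the data parameter) are enough to build a request-level detector. The following Python script is an added example written for this summary; it is not code from JPCERT/CC or Ivanti. The sample requests are constructed, the CGI path /dana-na/auth/example.cgi is hypothetical, and looking for data in both the query string and a form-encoded body is an assumption, since the advisory summary does not say which the shell reads.

```python
"""Flag HTTP requests that match the Perl CGI web shell described by JPCERT/CC.

The shell only runs commands when the Cookie header carries
DSAUTOKEN=af95380019083db5, and it takes the command from the "data"
parameter. Those two indicators come from the advisory; everything
else here (the request samples, the web shell path, and the choice to
look for "data" in both the query string and a form-encoded body) is
an assumption made for this example.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

WEBSHELL_COOKIE_NAME = "DSAUTOKEN"
WEBSHELL_COOKIE_VALUE = "af95380019083db5"
COMMAND_PARAM = "data"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def parse_cookies(cookie_header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; nameless fragments are ignored."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def has_webshell_token(req: dict) -> bool:
    """True when the request carries the shell's hardcoded authentication cookie."""
    cookies = parse_cookies(req["headers"].get("cookie", ""))
    return cookies.get(WEBSHELL_COOKIE_NAME) == WEBSHELL_COOKIE_VALUE


def extract_command(req: dict) -> Optional[str]:
    """Return the decoded 'data' parameter from the query string or form body, if any."""
    params = parse_qs(urlsplit(req["target"]).query, keep_blank_values=True)
    content_type = req["headers"].get("content-type", "")
    if req["body"] and content_type.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    values = params.get(COMMAND_PARAM)
    return values[0] if values else None


def inspect_request(raw: str) -> dict:
    """Score one request: 'critical' = token plus command, 'high' = token only."""
    req = parse_request(raw)
    token = has_webshell_token(req)
    command = extract_command(req)
    if token and command is not None:
        severity = "critical"
    elif token:
        severity = "high"  # the fixed token value never appears in legitimate traffic
    else:
        severity = "none"
    return {
        "path": urlsplit(req["target"]).path,
        "token_present": token,
        "command": command,
        "severity": severity,
    }


# Constructed sample requests (not captured traffic). The CGI path is hypothetical.
SAMPLE_REQUESTS = {
    "benign_login": (
        "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1\r\n"
        "Host: vpn.example.com\r\n"
        "Cookie: DSSIGNIN=url_default; DSID=0123456789abcdef\r\n"
        "\r\n"
    ),
    "shell_get": (
        "GET /dana-na/auth/example.cgi?data=id HTTP/1.1\r\n"
        "Host: vpn.example.com\r\n"
        "Cookie: DSAUTOKEN=af95380019083db5\r\n"
        "\r\n"
    ),
    "shell_post": (
        "POST /dana-na/auth/example.cgi HTTP/1.1\r\n"
        "Host: vpn.example.com\r\n"
        "Cookie: DSID=0123456789abcdef; DSAUTOKEN=af95380019083db5\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 26\r\n"
        "\r\n"
        "data=cat%20%2Fetc%2Fpasswd"
    ),
    "token_probe": (
        "GET /dana-na/auth/example.cgi HTTP/1.1\r\n"
        "Host: vpn.example.com\r\n"
        "Cookie: DSAUTOKEN=af95380019083db5\r\n"
        "\r\n"
    ),
}


def scan_samples() -> dict:
    """Run every sample through the detector and return name -> finding."""
    return {name: inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:13s} severity={finding['severity']:8s} "
              f"token={finding['token_present']!s:5s} command={finding['command']!r}")
```

Run it over proxy, load-balancer or WAF captures of traffic to the appliance. A hit on the cookie alone is worth a ticket: the shell compares against a fixed string, so that value has no reason to appear in a legitimate Ivanti session, which only sets cookies such as DSID and DSSIGNIN.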

Security Officer Comments:
In the campaign uncovered by JPCERT/CC, the agency also identified SPAWNSNARE on compromised systems alongside DslogdRAT. SPAWNSNARE, a utility written in C that targets Linux systems, was previously reported by both CISA and Google in April 2025. It extracts the uncompressed Linux kernel image (vmlinux) to a file and then encrypts it with AES, without relying on any command-line utilities. Although it remains unclear whether the DslogdRAT and SPAWNSNARE infections are directly related or part of the same campaign, the activity is consistent with the broader trend of suspected China-nexus groups investing heavily in both zero-day exploits and custom malware aimed at critical edge infrastructure.

Suggested Corrections:
Ivanti Connect Secure:

  • Clean internal and external Integrity Checker Tool (ICT) scan: upgrade to Ivanti Connect Secure 22.7R2.5 and continue to closely monitor your internal and external ICT results in conjunction with other security tools. Out of an abundance of caution, a factory reset is recommended even on appliances with a clean ICT scan before putting 22.7R2.5 into production.
  • ICT result shows signs of compromise: perform a factory reset on the appliance to ensure any malware is removed, then return the appliance to production on version 22.7R2.5. Continue to closely monitor your internal and external ICT results in conjunction with other security tools.
Ivanti Policy Secure: This solution is not intended to be internet-facing, which makes the risk of exploitation significantly lower. A fix for Ivanti Policy Secure has been released and is available in the standard download portal. Customers should always ensure that their Ivanti Policy Secure appliance is configured according to Ivanti's recommendations and is not exposed to the internet.

Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. A patch is now available.

Ivanti's security advisory for CVE-2025-0282 contains the full remediation guidance.
DslogdRAT indicators of compromise (IOCs) are published in the JPCERT/CC blog post linked below.

Link(s):

https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html