Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks
Summary:
In what is becoming an increasingly familiar pattern in the cybersecurity threat landscape, a Chinese state-aligned threat group known as UNC5221 has reportedly exploited a freshly patched vulnerability chain in Ivanti Endpoint Manager Mobile (EPMM) to compromise critical infrastructure sectors across Europe, North America, and the Asia-Pacific region. The flaws, tracked as CVE-2025-4427 (CVSS: 5.3) and CVE-2025-4428 (CVSS: 7.2), were addressed by Ivanti just last week—though evidently not before adversaries had ample time to swing the metaphorical crowbar.
According to Dutch cybersecurity firm EclecticIQ, the earliest signs of exploitation date back to May 15, 2025, with targeted sectors including healthcare, telecommunications, aviation, municipal government, finance, and, naturally, defense. These campaigns underscore a familiar modus operandi: weaponizing edge infrastructure and endpoint management platforms as high-leverage access points.
Here’s the attack, now in three acts:
Act I: Initial Access
Attackers begin by abusing the vulnerable endpoint /mifs/rs/api/v2/—likely selected for its elegant blend of utility and insufficient access control—to achieve unauthenticated remote code execution. From there, they summon a reverse shell, effectively opening a remote command line straight into the victim environment.
Act II: Payload Delivery
After reconnaissance (done via obfuscated shell commands, because OPSEC matters), the attackers drop KrustyLoader, a Rust-based malware loader previously associated with UNC5221. This modular tool enables delivery of follow-on implants such as Sliver, an open-source C2 framework frequently used for post-exploitation control and payload delivery.
Act III: Data Exfiltration and Persistence
Leveraging hardcoded MySQL credentials (conveniently left behind in /mi/files/system/.mifpp), UNC5221 operators gain unauthorized access to Ivanti’s internal mifs database. The contents of this database can offer a goldmine of sensitive data: device telemetry, user identities via LDAP, and Office 365 OAuth tokens, among others. Lateral movement is facilitated using Fast Reverse Proxy (FRP)—an open-source tool popular in Chinese threat actor circles—and communications are obfuscated through cloud-based services like AWS S3.
Additionally, a C2 infrastructure overlap was discovered with a Linux backdoor known as Auto-Color, previously observed by Palo Alto Networks Unit 42 in campaigns targeting universities and government agencies. The telltale IP address 146.70.87[.]67:45020 reappeared here, acting in a suspiciously consistent fashion: issuing outbound curl commands right after exploitation—classic Auto-Color beaconing behavior.
Security Officer Comments:
UNC5221 isn’t loud or flashy; they’re sneaky and careful. Instead of using big, obvious attacks, they use tools that are already part of the system to quietly spy and steal data. In this case, they figured out how to mess with Ivanti’s mobile device management system, which is used by big companies to control thousands of phones and tablets. By infiltrating through a weakness, they could obtain access to hundreds of machines, plus precious passwords and security tokens. It's a reminder that even the most ubiquitous tools can be lethal weapons if in the wrong hands.
Suggested Corrections:
- Patch Immediately: If your organization is running Ivanti EPMM and has not yet applied the latest patches for CVE-2025-4427 and CVE-2025-4428, do so yesterday.
- Audit Credentials and Logs: Review all privileged access activity related to your EPMM deployment, including unexpected logins, unauthorized database queries, and suspicious shell activity.
- Segment and Monitor: Ensure endpoint management tools are segmented from the broader enterprise network and monitor all communications between them and cloud platforms (like AWS).
- Harden API Access: Disable any unnecessary public API endpoints and enforce strict authentication wherever possible.
- Deploy EDR and Network Detection Tools: Look for signs of FRP use, Sliver beacons, or reverse shells calling out from your perimeter.
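The "Audit Credentials and Logs" and "Deploy EDR and Network Detection Tools" items above can be turned into a first-pass triage script using two indicators the report itself supplies: requests to the vulnerable /mifs/rs/api/v2/ API arriving from outside the management network (Act I), and shell commands reaching the Auto-Color C2 address 146.70.87[.]67:45020 right after exploitation (the curl beaconing noted above). The script below is an added example written for this digest; it is not Ivanti's code, not from EclecticIQ, and not taken from the linked article. The access-log and shell-audit line formats, the RFC 1918 ranges treated as the trusted management network, and every sample log line are constructed for the example; a real EPMM appliance's log layout will differ and the regexes would need adjusting.

```python
"""Triage helpers for an Ivanti EPMM compromise review (added example, not vendor code).

Checks implemented:
  1. Hits on the vulnerable API prefix from sources outside the management network.
  2. Shell commands that contact the C2 endpoint the report ties to Auto-Color beaconing.
Log formats are constructed for this example; real appliance logs differ.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

VULN_API_PREFIX = "/mifs/rs/api/v2/"   # endpoint named in the report
C2_IP = "146.70.87.67"                 # IoC from the report (published defanged as 146.70.87[.]67)
C2_PORT = 45020

# Assumption: the EPMM management plane lives only in RFC 1918 space. Python's
# ip_address(...).is_private is deliberately not used here, because it also
# classifies documentation ranges (e.g. 198.51.100.0/24) as private.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed combined-style access log: src - user [timestamp] "METHOD path PROTO" status bytes
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Constructed shell audit line: timestamp uid=N cmd="..."
CMD_RE = re.compile(r'^(?P<ts>\S+) uid=(?P<uid>\d+) cmd="(?P<cmd>[^"]*)"')


def is_management_source(ip: str) -> bool:
    """True only for well-formed addresses inside the trusted management ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def suspicious_api_requests(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(src, path, status) for requests to the vulnerable API from non-management sources.

    Malformed lines are skipped rather than raising, so a partially corrupted log
    still yields results. Internal hits are ignored here; review them separately.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if m["path"].startswith(VULN_API_PREFIX) and not is_management_source(m["src"]):
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits


def c2_callbacks(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(timestamp, command) for shell commands that reference the reported C2 endpoint."""
    needle = f"{C2_IP}:{C2_PORT}"
    hits = []
    for line in lines:
        m = CMD_RE.match(line)
        if m and needle in m["cmd"]:
            hits.append((m["ts"], m["cmd"]))
    return hits


# Constructed sample data. 198.51.100.9 is a documentation address standing in for an
# internet source; "/mifs/rs/api/v2/example-resource" is a placeholder sub-path.
SAMPLE_ACCESS = [
    '10.20.0.15 - admin [16/May/2025:09:58:02 +0000] "GET /mifs/ HTTP/1.1" 200 5120',
    '10.20.0.15 - admin [16/May/2025:09:59:10 +0000] "GET /mifs/rs/api/v2/example-resource HTTP/1.1" 200 812',
    '198.51.100.9 - - [16/May/2025:10:01:44 +0000] "GET /mifs/rs/api/v2/example-resource HTTP/1.1" 200 812',
    'this line is not an access-log entry',
]
SAMPLE_SHELL = [
    '2025-05-16T10:02:11Z uid=1001 cmd="id"',
    '2025-05-16T10:02:19Z uid=1001 cmd="curl http://146.70.87.67:45020/"',
    '2025-05-16T10:05:00Z uid=0 cmd="curl https://updates.example.internal/status"',
]

if __name__ == "__main__":
    for src, path, status in suspicious_api_requests(SAMPLE_ACCESS):
        print(f"[api] external hit on vulnerable API: {src} {path} -> {status}")
    for ts, cmd in c2_callbacks(SAMPLE_SHELL):
        print(f"[c2]  {ts} command reaches reported C2: {cmd}")
```

Run against real exports by replacing the two sample lists with the lines read from the appliance's access log and shell/audit log. A hit from the first check is not proof of exploitation on its own (the report gives a CVSS 5.3 authentication bypass plus a 7.2 code-execution flaw, and a single request tells you neither succeeded), but an external request to that prefix on a host that should not expose its API to the internet is exactly the access the "Harden API Access" item is meant to remove, and paired with a callback from the second check it is a strong incident signal.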
Link(s):
https://thehackernews.com/2025/05/chinese-hackers-exploit-ivanti-epmm.html