A Chinese Advanced Persistent Threat (APT) Group has successfully exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organizations across 12 countries and 20 industries, according to the Taiwanese cybersecurity firm TeamT5. The campaign, active since late March 2025, exploits two stack-based buffer overflow flaws, CVE-2025-0282 and CVE-2025-22457, which carry CVSS (Common Vulnerability Scoring System) scores of up to 9.0, to deploy the SPAWNCHIMERA malware suite and establish network access.[1]
CVSS is a standard for assessing the severity of software vulnerabilities and assigning a numerical score ranging from 0 to 10. This score helps organizations prioritize vulnerability remediation efforts by quantifying the potential impact of a vulnerability.
The attacks targeted organizations in the UK, the US, Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, and the United Arab Emirates. Targeted industries include government agencies, financial institutions, telecommunications, law firms, and intergovernmental organizations.
The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations. As geopolitical tensions escalate, the incident highlights the need for proactive vulnerability management and the sharing of cross-sector threat intelligence. The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.
The APT group has been identified as UNC5221, which, according to research by Mandiant, is linked to the Chinese government and has successfully exploited Ivanti vulnerabilities to achieve unauthenticated Remote Code Execution (RCE).
Once inside, attackers deployed SPAWNCHIMERA, a modular malware package explicitly designed to exploit Ivanti appliances. The key malware components include:
- SPAWNANT: A stealthy installer that bypasses integrity checks.
- SPAWNMOLE: A SOCKS5 proxy for tunnelling traffic.
- SPAWNSNAIL: An SSH backdoor for persistent access.
- SPAWNSLOTH: A log-wiping tool to erase forensic evidence.
The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied. Security analysts at Rapid7 are reported to have confirmed the severity of the flaw, noting that CVE-2025-22457 initially appeared to be a low-risk denial-of-service bug but was later weaponized for RCE.
Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions. Despite Ivanti’s patches released in February, thousands of devices remain unpatched due to sluggish enterprise remediation efforts.
Mandiant warns that the SPAWNCHIMERA toolkit’s sophistication, including UNIX socket communication and obfuscated payloads, reflects China's growing focus on cyber espionage against geopolitical rivals.
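The SPAWNSLOTH component described above exists to erase forensic evidence, which means the absence of expected log entries is itself a signal worth alerting on. The following Python is an added illustration of that defensive idea and is not code from the article, from TeamT5, or from Mandiant: it assumes an appliance that emits a regular heartbeat (here every five minutes) and scans a constructed sample of timestamped log lines for holes longer than a tolerance, estimating how many entries are missing from each hole.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log lines (assumption: ISO-8601 timestamp, host, message).
# This is not output from any real Ivanti appliance; it is synthetic input
# with a deliberate two-hour hole between 08:10 and 10:15.
SAMPLE_LOG = """\
2025-04-02T08:00:00 vpn-gw-01 heartbeat ok
2025-04-02T08:05:00 vpn-gw-01 heartbeat ok
2025-04-02T08:10:00 vpn-gw-01 heartbeat ok
2025-04-02T10:15:00 vpn-gw-01 heartbeat ok
2025-04-02T10:20:00 vpn-gw-01 heartbeat ok
"""

Event = Tuple[datetime, str]
Gap = Tuple[datetime, datetime, int]  # (gap start, gap end, estimated missing entries)


def parse_lines(text: str) -> List[Event]:
    """Parse 'timestamp rest-of-line' records into (datetime, message) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        events.append((datetime.fromisoformat(stamp), rest))
    return events


def find_gaps(
    events: List[Event],
    expected_interval: timedelta = timedelta(minutes=5),
    tolerance: int = 3,
) -> List[Gap]:
    """Return holes where consecutive events are further apart than
    tolerance * expected_interval, together with an estimate of how many
    heartbeat entries should have appeared in that window."""
    gaps: List[Gap] = []
    prev = None
    for ts, _ in sorted(events, key=lambda e: e[0]):
        if prev is not None:
            delta = ts - prev
            if delta > expected_interval * tolerance:
                missing = int(delta / expected_interval) - 1
                gaps.append((prev, ts, missing))
        prev = ts
    return gaps


def report(text: str) -> List[Gap]:
    """Convenience wrapper: parse a log blob and list suspicious holes."""
    return find_gaps(parse_lines(text))


if __name__ == "__main__":
    for start, end, missing in report(SAMPLE_LOG):
        print(f"log hole {start} -> {end}: ~{missing} expected entries absent")
```

A real deployment would feed this from a log collector that stores entries off the appliance, since wiping that only reaches the device's local logs cannot remove copies already forwarded elsewhere; the tolerance multiplier keeps ordinary jitter from raising alerts.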
TeamT5 urges affected organizations to:
- Immediately apply Ivanti’s version 22.7R2.5 patches.
- Conduct complete network forensic analyses to identify dormant malware.
- Reset VPN appliances and revoke credentials exposed during breaches.
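The first of these steps is easiest to act on when an inventory can be checked automatically against the fix level. The script below is an added example, not code from TeamT5, Ivanti, or the article; it assumes Ivanti Connect Secure version strings follow the pattern major.minor R release.patch seen in "22.7R2.5", that numerically higher values are newer, and that the inventory is a constructed list of hostname and reported version. Entries that cannot be parsed are returned separately so they are reviewed by hand rather than silently counted as patched.

```python
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Fix level named in the article; everything below it is flagged.
PATCHED_VERSION = "22.7R2.5"

# Assumed version grammar: MAJOR.MINOR R RELEASE [.PATCH], case-insensitive.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


class IcsVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int


def parse_version(text: str) -> Optional[IcsVersion]:
    """Turn '22.7R2.5' into a comparable tuple; None if the string is not recognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return IcsVersion(int(major), int(minor), int(release), int(patch or 0))


def is_patched(version_text: str, baseline: str = PATCHED_VERSION) -> Optional[bool]:
    """True if the version is at or above the baseline, False if below,
    None if the reported version cannot be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v >= parse_version(baseline)


# Constructed inventory (hypothetical hostnames and versions, not real assets).
INVENTORY: List[Tuple[str, str]] = [
    ("vpn-lon-01", "22.7R2.5"),   # exactly at the fix level
    ("vpn-nyc-01", "22.7R2.4"),   # one patch behind
    ("vpn-syd-01", "22.7r2.6"),   # newer, lower-case 'r' still parses
    ("vpn-tyo-01", "9.1R18.9"),   # legacy branch, well below baseline
    ("vpn-par-01", "unknown"),    # agent could not read the version
    ("vpn-sin-01", "22.7R2"),     # missing patch component, treated as .0
]


def triage(inventory: Sequence[Tuple[str, str]],
           baseline: str = PATCHED_VERSION) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts needing the patch and hosts needing manual review."""
    needs_patch: List[str] = []
    unknown: List[str] = []
    for host, version in inventory:
        status = is_patched(version, baseline)
        if status is None:
            unknown.append(host)
        elif not status:
            needs_patch.append(host)
    return needs_patch, unknown


if __name__ == "__main__":
    to_patch, to_review = triage(INVENTORY)
    print("below", PATCHED_VERSION, "->", to_patch)
    print("unparseable version, review manually ->", to_review)
```

Because the article notes that the malware can patch vulnerable components in memory, a version number alone does not prove an appliance is clean; the version check decides who must patch, while the forensic analysis and credential reset in the remaining two steps decide who was already compromised.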
As Chinese APTs increasingly target legacy systems, the US Cybersecurity and Infrastructure Security Agency (CISA) required US federal agencies to patch Ivanti vulnerabilities by January 15, 2025, a deadline many missed, exacerbating the crisis.
With over 1,700 devices compromised globally and exploitation attempts surging, analysts warn that the operational consequences could continue for years. The campaign highlights the risks of unpatched network edge devices, particularly VPN gateways. It underscores the critical importance of proactive cybersecurity measures in mitigating the risks posed by increasingly sophisticated nation-state-level threat actors.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.cybersecurityintelligence.com/blog/chinese-hackers-undertaking-a-global-infiltration-campaign-8377.html
© 2025 Red Sky Alliance Corporation. All rights reserved.