Researchers from Google’s Mandiant division believe the critical remote code execution vulnerability patched on Wednesday by software vendor Ivanti has been exploited since mid-December 2024 by a Chinese cyberespionage group. This is the same group that exploited zero-day vulnerabilities in Ivanti Connect Secure appliances in January 2024 and throughout that year.
The latest attacks, exploiting the new CVE-2025-0282 flaw, involved the deployment of multiple malware components from a toolkit dubbed SPAWN that Mandiant attributes to a cluster of activity tracked as UNC5337, which the company suspects is related to another group tracked as UNC5221.
“UNC5221 is a suspected China-nexus espionage actor that exploited vulnerabilities CVE-2023-46805 and CVE-2024-21887, which impacted Ivanti Connect Secure VPN and Ivanti Policy Security appliances as early as December 2023,” the Mandiant researchers said in a report. “Additionally, Mandiant previously observed UNC5221 leveraging a likely ORB network of compromised Cyberoam appliances to enable intrusion operations.”
The SPAWN family of custom malware tools, some of which are specifically designed to interact with Connect Secure features and code, includes the SPAWNANT installer, the SPAWNMOLE tunneler, the SPAWNSNAIL SSH backdoor and the SPAWNSLOTH log tampering utility. In addition to these known tools, which have been used in past Ivanti compromises, the latest attacks also involved never-before-seen components: a credential harvester dubbed DRYHOOK and a malware dropper called PHASEJAM.
Malware prevents legitimate upgrades
In its security advisory, Ivanti directed customers to perform a factory reset on appliances before deploying the patched 22.7R2.5 version. The company did not explain why, but Mandiant’s analysis points to the PHASEJAM dropper, which modifies multiple legitimate Connect Secure components, including the one responsible for system upgrades. The modified upgrade component blocks real upgrades and then simulates one in a visually convincing way, even displaying the new version number at the end of the process. In other words, the version string the appliance reports after an "upgrade" cannot be trusted on a compromised device, which is why a reset to a known-good state has to come first.
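The practical consequence of a simulated upgrade is that the reported version and the binaries actually on disk disagree. The following is an added illustration of that check, not code from the article, from Ivanti or from Mandiant: it compares the version an appliance claims against SHA-256 hashes of the components the patched release is expected to ship. The file paths, version strings, file contents and the "known-good" table are all constructed placeholders (a real check would use the vendor's published hashes and real paths), and the two on-disk scenarios are constructed to show a genuine upgrade next to a PHASEJAM-style fake one.

```python
import hashlib
from dataclasses import dataclass

# Added example, not the article's or vendor's code. Every path, version and
# file body below is a constructed placeholder; real appliances differ.

TARGET_VERSION = "22.7R2.5"

# Constructed stand-in for the patched release's contents. In practice this
# table comes from the vendor's signed release manifest, never from the
# appliance itself.
_RELEASE_FILES = {
    "/opt/appliance/bin/upgrade": b"upgrade-component-" + TARGET_VERSION.encode(),
    "/opt/appliance/bin/web":     b"web-component-" + TARGET_VERSION.encode(),
    "/opt/appliance/bin/logd":    b"log-daemon-" + TARGET_VERSION.encode(),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good hashes for TARGET_VERSION, derived from the constructed release.
KNOWN_GOOD = {path: sha256_hex(body) for path, body in _RELEASE_FILES.items()}


@dataclass
class Verdict:
    status: str            # "genuine", "spoofed" or "not_upgraded"
    mismatched: list[str]  # components whose hash does not match the release


def check_upgrade(reported_version: str, on_disk: dict[str, bytes]) -> Verdict:
    """Compare the version the appliance *claims* with what is actually on disk.

    A fake upgrade of the kind described above bumps the displayed version while
    leaving the attacker-modified binaries in place, so the two disagree.
    """
    mismatched = [
        path for path, good in KNOWN_GOOD.items()
        if path not in on_disk or sha256_hex(on_disk[path]) != good
    ]
    if reported_version != TARGET_VERSION:
        # Version string never changed: the upgrade simply did not happen.
        return Verdict("not_upgraded", mismatched)
    if mismatched:
        # Version string says patched, binaries say otherwise: treat as spoofed.
        return Verdict("spoofed", mismatched)
    return Verdict("genuine", [])


# Scenario 1 (constructed): a genuine upgrade, files match the release.
GENUINE_DISK = dict(_RELEASE_FILES)

# Scenario 2 (constructed): the upgrade component was tampered with to skip the
# real install and just print the new version; the other binaries still carry
# the pre-upgrade code.
SPOOFED_DISK = {
    "/opt/appliance/bin/upgrade": b"upgrade-component-22.7R2.4+fake-progress",
    "/opt/appliance/bin/web":     b"web-component-22.7R2.4",
    "/opt/appliance/bin/logd":    b"log-daemon-22.7R2.4",
}

if __name__ == "__main__":
    for name, disk in (("genuine", GENUINE_DISK), ("spoofed", SPOOFED_DISK)):
        verdict = check_upgrade("22.7R2.5", disk)
        print(f"{name}: {verdict.status}, mismatched={verdict.mismatched}")
```

Because the dropper modifies the very components that would run such a check, the hashes have to be computed from outside the appliance (for example from a forensic image or a trusted rescue environment) rather than by tooling that executes on the suspect device; a `genuine` result from the appliance's own shell proves nothing.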