The Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR), highlighting a new attack trend targeting Ivanti Endpoint Manager Mobile (EPMM) systems.
The report provides a technical dissection of two separate malware sets used by cyber actors to exploit two critical vulnerabilities: CVE-2025-4427 and CVE-2025-4428.
These exploits allowed unauthorized access to vulnerable systems and facilitated the deployment of custom malware capable of long-term persistence and full remote control.
Exploited Vulnerabilities: CVE-2025-4427 and CVE-2025-4428
The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, were disclosed and patched by Ivanti on May 13, 2025. However, exploitation was observed in the wild within days, prompting CISA to add both entries to its Catalog of Known Exploited Vulnerabilities. The cyber attackers chained these flaws to infiltrate EPMM servers, focusing on the /mifs/rs/api/v2/ endpoint via crafted HTTP GET requests.
Once access was gained, attackers executed remote commands to harvest sensitive system data, including configuration files, directory contents, LDAP credentials, and network information. They also deployed malware sets that ensured persistence and enabled continued access.
Malware Analysis Summary
CISA’s MAR categorizes malware into two distinct sets, each comprising a loader and a malicious listener. These components were typically written to the /tmp directory of the compromised systems. Their main function was to allow cyber threat actors to inject and execute arbitrary code remotely.
The targeted software versions include:
- Ivanti EPMM 11.12.0.4 and earlier
- 12.3.0.1 and earlier
- 12.4.0.1 and earlier
- 12.5.0.0 and earlier
Organizations using any of these versions are urged to apply security updates immediately.
Technical Breakdown: Set 1
Set 1 includes three components:
- Loader 1 (web-install.jar)
- ReflectUtil.class
- SecurityHandlerWanListener.class
Loader 1 is a Java Archive (JAR) that loads the ReflectUtil.class file, which uses reflective programming to dynamically inject the SecurityHandlerWanListener into Apache Tomcat, a common application server in Ivanti EPMM deployments.
If the malicious listener is not present during initial execution, the loader decodes a Base64 string containing bytecode, decompresses it via GZIP, and dynamically loads it into memory. The SecurityHandlerWanListener then monitors HTTP requests and, when specific patterns are matched, such as unique pass strings and encrypted payloads, executes arbitrary Java classes after decrypting the data using AES encryption.
Technical Breakdown: Set 2
Set 2 also consists of two files:
- Loader 2 (web-install.jar)
- WebAndroidAppInstaller.class
This version of the loader also installs a malicious servlet, but it differs in its behavior. It masquerades as part of the com.mobileiron.service package and is activated by HTTP requests with the Content-Type: application/x-www-form-urlencoded.
Once triggered, it extracts a password parameter from the request, decodes and decrypts it using a hardcoded AES key, and executes the malicious Java class embedded within. The decrypted payload is also returned to the attacker, enabling full system control.
Malware Delivery Tactics
One of the more technical aspects of this campaign is the malware delivery mechanism. Attackers transmitted the payload in Base64-encoded fragments via a series of HTTP GET requests. Using Java Expression Language (EL) injection, the payload was reconstructed directly on the server, bypassing traditional endpoint defenses that often flag large or suspicious file transfers.
The reconstructed malware was then assembled into .jar files in the /tmp directory, allowing attackers to avoid direct payload transfers that could be detected by security tools.
Detection Tools and Indicators
To support detection efforts, CISA has published a suite of resources:
- Indicators of Compromise (IOCs): Useful for forensic and threat-hunting activities.
- YARA Rules: Five separate rules designed to detect components like ReflectUtil.class, Loader 1, and WebAndroidAppInstaller.class.
- SIGMA Rule: Tailored to flag signs of exploitation for CVE-2025-4427 and CVE-2025-4428, including suspicious file modifications, command execution patterns, and unauthorized access to JSP files.
MITRE ATT&CK Mapping
CISA’s MAR also maps the campaign to specific MITRE ATT&CK tactics and techniques, such as:
- T1027.004: Obfuscation using Base64 chunking
- T1036: Masquerading as legitimate classes
- T1140: Decompression and decryption of bytecode
- T1071.001: Use of HTTP for command and control
- T1573.001: Symmetric encryption of command payloads
These mappings aid cybersecurity professionals in correlating observed behavior with known adversary tactics.
Incident Response Guidance
In the event of suspected compromise, CISA recommends the following steps:
- Isolate Affected Systems: Immediately remove compromised devices from the network.
- Collect Artifacts: Gather logs, memory dumps, and recent activity data for forensic analysis.
- Capture Disk Images: Preserve disk contents for in-depth review.
- Reset Credentials: Especially if lateral movement is suspected.
- Reimage Systems: Fully restore affected devices to eliminate persistent malware.
- Apply Mitigations: Upgrade EPMM systems, implement network segmentation, and enforce strict access controls.
Key Mitigation Recommendations
CISA emphasizes several critical steps to reduce organizational risk:
- Upgrade Ivanti EPMM systems to the latest secure release.
- Treat MDM platforms as high-value assets, isolating them from untrusted parts of the network.
- Deploy recommended YARA and SIGMA rules to automate threat detection.
- Enforce multi-factor authentication (MFA) and follow best practices outlined in the Cross-Sector Cybersecurity Performance Goals (CPGs).
