A new wave of attacks targeting Ivanti Connect Secure VPN devices has revealed a stealthy malware strain known as DslogdRAT, deployed alongside a simple but effective Perl web shell.
Security researchers at JPCERT/CC identified these infections during a forensic investigation into exploitation of CVE-2025-0282—a zero-day vulnerability abused in December 2024 attacks on Japanese organizations.
DslogdRAT Initial Access via Lightweight Web Shell
The attackers initially deployed a Perl-based CGI script as a web shell. By checking the value of a specific cookie, the script could run arbitrary commands when the cookie matched a hardcoded token. This barebones backdoor enabled remote command execution on compromised Ivanti devices and likely served as the launchpad for deploying DslogdRAT.
Once launched, DslogdRAT establishes persistence through a multi-process design. The main process spawns a child and exits, while the first child enters a persistent loop and creates a second child tasked with command-and-control (C2) communication. This core process uses the pthread library to manage a dedicated thread for communicating with its remote C2 server.
The communication routine includes retrieving configuration data, managing sockets, and handling commands received from the attacker. According to JPCERT/CC’s analysis, the C2 communications are XOR-encoded in 7-byte blocks, using keys from 0x01 to 0x07.
Malware Configuration: Operating Hours and C2 Details
The DslogdRAT binary contains hardcoded and XOR-encoded configuration data. After decoding, researchers found settings tailored for evasion and operational control. For example, the malware is programmed to activate only between 8:00 AM and 2:00 PM—likely to blend in with normal business activity and evade anomaly detection tools.
Key configuration details include:
- C2 server IP: 3.112.192[.]119
- Port: 443
- Command shell: /bin/sh
- Proxy setup: 127.0.0.1, user: admin, password: admin
- Thread and file references: /home/bin/dslogd, [kworker/0:02]
The design shows clear intent to avoid detection and maintain a foothold while operating within seemingly normal traffic windows.
Capabilities: From Shell Execution to Full Proxy Support
DslogdRAT can handle a wide range of functions. These include uploading and downloading files, executing shell commands, and serving as a proxy tunnel—effectively allowing lateral movement or data exfiltration via other compromised assets.
Supported command values include:
- File transfers:
0x4,0x8,0xA - Shell operations:
0xCto0xE - Proxy services:
0x13to0x18 - Forwarding and redirection:
0x28,0x29
During initial C2 contact, the malware sends a system fingerprint using a structured packet that includes encoded host information, designed for parsing by the operator’s server-side tooling.
Overlap with SPAWNSNARE Malware
Researchers also observed the SPAWNSNARE backdoor on the same compromised systems. This malware, linked to Chinese threat actor UNC5221, had previously been disclosed by both Google and CISA in April 2025. While no direct attribution links DslogdRAT to the same actor, the concurrent presence of both malware strains suggests possible coordination or toolset sharing.
Also read: CISA Details New Malware Used in Ivanti Attacks
Security Advisory and Outlook
Japan’s JPCERT/CC and U.S. CISA have issued alerts about the vulnerabilities affecting Ivanti Connect Secure, particularly CVE-2025-22457. These incidents are part of a broader wave of state-aligned cyber activity targeting edge devices and VPN appliances—favored targets due to their position in network perimeters and often-lax patching cycles.
Organizations using Ivanti Connect Secure are urged to apply available patches immediately, conduct forensic reviews of their appliances, and monitor for known indicators of compromise (IoCs), including:
- Malware hash:
1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8 - Web shell path:
/home/webserver/htdocs/dana-na/cc/ccupdate.cgi - C2 IP:
3.112.192[.]119
The DslogdRAT intrusion reveals a layered and disciplined intrusion strategy exploiting zero-day flaws in Ivanti systems. With distinct operating windows, encoded communications, and modular capabilities, the malware reflects an ongoing evolution in stealth-focused, post-exploitation tooling. As exploitation of Ivanti vulnerabilities continues, defenders must prioritize threat hunting and network segmentation to limit potential lateral movement.
