Japan’s cyber defenders have raised the red flag, once again, for a set of Ivanti Connect Secure vulnerabilities that continue to be exploited to present day, although a patch has been available for the last three months.
The latest update comes after the Japanese computer emergency response team, in April, first issued a critical advisory detailing the exploitation of Ivanti Connect Secure bugs, tracked as CVE-2025-0282 and CVE-2025-22457, to deploy DslogdRAT and SPAWNCHIMERA malware variants.
Also read: DslogdRAT Malware Deployed in Ivanti Connect Secure Zero-Day Campaign
JPCERT/CC said it has continued to track the exploitation of these bugs but has additionally identified new malware variants, including the deployment of a cobalt strike beacon with the help of a loader that makes use of DLL side-loading.
The loader is based on the open-source project libPeConv and uses RC4 – a stream cipher known for its speed and simplicity – for decrypting data files, and its key derives from the MD5 hash value of executable files. This method requires the executable file, the loader, and the data file, for execution, and the attackers likely intended obfuscation using this method.
The other remote access trojan identified was “vshell.” Researchers said that its GitHub repository is no longer publicly available but “attackers have been observed using the Windows executable vshell version 4.6.0.” A very interesting functionality of this RAT was it particularly checked the system language and if it wasn’t Chinese, then proceeded further execution.
The last of the three payloads observed was “Fscan,” an open-source network scanning tool written in Go language. This tool was again deployed using DLL side-loading.
Post Exploitation of Ivanti Connect, Behavior of Attackers
JPCERT/CC also revealed the post internal network breach tactics of attackers, which included using brute-force attacks on AD, FTP, MSSQL, and SSH servers. They then scanned the internal systems, and exploited the SMB vulnerability MS17-010. With stolen credentials, they moved laterally via RDP and SMB, deploying malware across systems.
The attackers also created new domain accounts, added them to groups to maintain access, and registered malware as services or scheduled tasks to ensure it ran at startup or on triggers. For evading EDR detection, they used a loader based on FilelessRemotePE to execute malware via legitimate files, bypassing ETW logging in ntdll.dll. The Japanese cyber defenders have provided more detailed tactics, techniques and procedures in their technical advisory released today.
Ivanti devices are not just used by the private sector entities but are also popular amongst government agencies. However, the popularity has made it a prime target as well. The impacted organizations from previous Ivanti bugs includes the US Cybersecurity and Infrastructure Security Agency and several Australian enterprises.
JPCERT/CC said, “These attacks have persisted since December 2024 and are expected to remain active, particularly those aimed at VPN devices like Ivanti Connect Secure.”
