Ivanti urgently disclosed two critical vulnerabilities, CVE-2025-4427 and CVE-2025-4428, impacting Ivanti Endpoint Manager Mobile (EPMM) up to version 12.5.0.0.
These flaws, when chained, enable unauthenticated remote code execution (RCE) on exposed systems, presenting a high-value avenue for cyber-espionage.
Since their disclosure, EclecticIQ analysts have identified active exploitation campaigns targeting internet-facing Ivanti EPMM deployments worldwide, with initial activity traced to the day of Ivanti’s public notification.
Weaponization of Zero-Day Vulnerabilities by UNC5221
These campaigns have been attributed with high confidence to UNC5221, a China-nexus espionage group recognized for leveraging zero-day exploits on edge appliances.
UNC5221’s operational sophistication is evidenced by its extensive knowledge of EPMM internals and adept repurposing of legitimate system components to enable stealthy, persistent access and data theft across critical verticals such as healthcare, government, finance, aviation, and defense.
The group has demonstrated a particular affinity for extracting large volumes of personally identifiable information (PII), authentication tokens, credentials, and enterprise cloud access tokens, facilitating lateral movement and a persistent presence within compromised environments.
The initial infection vector involves targeting the /mifs/rs/api/v2/ endpoint, manipulating the ?format= parameter to inject malicious Java code.
The attackers exploit Java Reflection APIs to invoke system-level commands (e.g., using "".getClass().forName("java.lang.Runtime").getMethod("getRuntime")...exec() constructs), reliably executing arbitrary commands and establishing an interactive reverse shell.
These methods are coupled with reflective techniques to capture command output, forming a covert command-and-control (C2) channel directly over HTTP.
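A defender-side check for the request pattern described above, added here as an example that is not part of the EclecticIQ report or of Ivanti's code: it scans web access-log lines for requests to the /mifs/rs/api/v2/ endpoint whose format= parameter carries the reflection fragments named in the text, decoding the parameter so URL-encoding or double-encoding does not hide them. The log lines, the client IP addresses in them and the resource name after /mifs/rs/api/v2/ are constructed assumptions, not values from the report.

```python
"""Added detection example (not EclecticIQ's or Ivanti's code) for the Ivanti EPMM
CVE-2025-4427/4428 exploitation pattern: /mifs/rs/api/v2/ requests whose
format= parameter carries Java reflection constructs. Samples are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Request line in common/combined access-log format: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Reflection fragments from the chain described in the text, matched against the
# decoded, lowercased parameter value so case and URL-encoding do not hide them.
SUSPICIOUS_MARKERS = ("getclass()", "forname(", "java.lang.runtime",
                      "getruntime", ".exec(")

def analyze_request(target: str) -> Optional[dict]:
    """Return a finding for a suspicious EPMM API request, or None if benign."""
    parts = urlsplit(target)
    if not parts.path.startswith("/mifs/rs/api/v2/"):
        return None
    # parse_qs splits on '&' before decoding, so an encoded '&' inside a payload
    # cannot truncate the value; a second unquote() catches double-encoding.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("format", []):
        value = unquote(raw)
        hits = [m for m in SUSPICIOUS_MARKERS if m in value.lower()]
        if hits:
            return {"path": parts.path, "format": value, "markers": hits}
    return None

def scan_log(lines) -> list:
    """Return [(line_no, finding), ...] for every suspicious request in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            finding = analyze_request(m.group("target"))
            if finding:
                findings.append((n, finding))
    return findings

# Constructed sample access-log lines (not real captures): line 2 is URL-encoded
# once, line 3 twice; lines 1 and 4 are ordinary traffic and must not alert.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/sample?format=json HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/May/2025:10:01:07 +0000] "GET /mifs/rs/api/v2/sample?format=%22%22.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22) HTTP/1.1" 500 88',
    '203.0.113.9 - - [15/May/2025:10:01:09 +0000] "GET /mifs/rs/api/v2/sample?format=%2522%2522.getClass().forName(%2522java.lang.Runtime%2522) HTTP/1.1" 500 88',
    '10.0.0.6 - - [15/May/2025:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
]
```

Run scan_log over real access logs from an internet-facing EPMM appliance; any hit on or after the disclosure date warrants treating the host as compromised and checking for the post-exploitation artifacts described below.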
Persistence and Post-Exploitation
Once inside, UNC5221 deploys the “KrustyLoader” malware, typically fetched from malicious Amazon S3 buckets.
Tools like wget, curl, or fetch are used to download the loader to /tmp/1, establishing persistence and a further foothold.
KrustyLoader is engineered to retrieve and decrypt a second-stage payload: a Sliver backdoor (commonly encrypted with AES-128-CFB and XOR).
The payload is decrypted in memory and executed as shellcode, creating a reliable and evasive remote access mechanism.

The malware infrastructure relies on a network of AWS S3 buckets for payload delivery and command staging.
Once operational, the loader downloads a further encrypted implant (an ELF binary), decrypting and injecting it into memory to evade disk-based detection.

This multi-stage post-exploitation architecture enables continuous adversarial presence even after patching initial vulnerabilities.
Upon establishing control, the threat actors harvest sensitive operational data from Ivanti EPMM’s backend databases.
They exploit hardcoded MySQL credentials stored at /mi/files/system/.mifpp, a critical security misstep, gaining direct access to the “mifs” database.
This database contains device telemetry, user and LDAP mappings, mobile device details, and Office 365/Azure tokens.
Using tailored shell scripts (often downloaded from dpaste[.]com), attackers dump and exfiltrate authentication credentials, tokens, and sensitive enterprise data, enabling deep reconnaissance and further compromise of internal resources.
For lateral movement and network reconnaissance, UNC5221 deploys the Fast Reverse Proxy (FRP) tool, downloaded from attacker infrastructure (e.g., 103.244.88[.]125).
FRP establishes a SOCKS5 proxy from the compromised system, allowing intruders to conduct internal recon (using utilities like Nmap) as if they were physically inside the organization’s perimeter, paving the way for lateral movement and escalation.
Adversaries also carry out advanced reconnaissance by exfiltrating outputs of system enumeration commands, obfuscated as benign-looking images to evade security controls.
The campaign’s infrastructure, spanning Chinese-hosted IP addresses (e.g., 27.25.148[.]183, previously tied to SAP NetWeaver exploits) and C2 domains (including those associated with the Auto-Color Linux backdoor), reinforces attribution to China-aligned cyber operators.
EclecticIQ notes clear tradecraft continuity, including reuse of IP addresses, payload delivery mechanisms, and TTPs observed in past UNC5221 operations.
Victims of this campaign span a global spectrum: municipal and healthcare entities in Europe (including the UK and Germany), healthcare and manufacturing in North America, and financial and automotive organizations in Asia-Pacific.
Compromised EPMM systems pose a grave risk, given their central administrative role in mobile device management, exposing entire fleets to compromise and enabling attackers to harvest enterprise-wide credentials, device metadata, and access tokens.
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| IP Address | 103.244.88[.]125 | FRP payload delivery |
| IP Address | 27.25.148[.]183 | C2, reverse shell, seen in previous UNC5221 activity |
| IP Address | 146.70.87[.]67:45020 | Auto-Color backdoor C2 |
| IP Address | 124.223.202[.]90 | Yak Bridge backend |
| Domain | openrbf.s3.amazonaws[.]com | Malicious AWS S3 bucket for payloads |
| Domain | tnegadge.s3.amazonaws[.]com | Malicious AWS S3 bucket for payloads |
| Domain | fconnect.s3.amazonaws[.]com | Malicious AWS S3 bucket for payloads |
| Domain | trkbucket.s3.amazonaws[.]com | Malicious AWS S3 bucket for payloads |
| Domain | the-mentor.s3.amazonaws[.]com | Malicious AWS S3 bucket for payloads |
| Domain | tkshopqd.s3.amazonaws[.]com | Malicious AWS S3 bucket for payloads |
| URL | abbeglasses.s3.amazonaws[.]com/dSn9tM | Encrypted Sliver backdoor staging URL |
| URL | dpaste[.]com/9MQEJ6VYR.txt | Malicious bash scripts |
| Domain | ns1.cybertunnel[.]run | DNS tunneling (Yaklang/Yakit) |
| Hash (SHA-256) | 44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a | KrustyLoader malware sample |
| Hash (SHA-256) | 7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5 | KrustyLoader malware sample |
| Hash (SHA-256) | f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c | KrustyLoader malware sample |
| Hash (SHA-256) | 150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21 | KrustyLoader malware sample |
| Hash (SHA-256) | 29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768 | Decrypted Sliver C2 sample |
| Hash (SHA-256) | 64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30 | Malicious bash script for MySQL dumps |
| Hash (SHA-256) | b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab | Malicious bash script for MySQL dumps |