Ivanti Connect Secure 0-Day Exploited by Hackers to Install DslogdRAT and Web Shell

A new wave of attacks targeting Ivanti Connect Secure appliances has been observed, with threat actors exploiting a zero-day vulnerability, tracked as CVE-2025-0282, to compromise organizations in Japan during December 2024.

The campaign, detailed in a recent report by JPCERT/CC, highlights the evolving landscape of malware targeting enterprise remote access infrastructure, following earlier incidents involving the SPAWNCHIMERA malware.

Web Shell Used as an Initial Access Point

Attackers were found to deploy a simple yet effective Perl-based web shell as an initial foothold.

The script, executed as a CGI file, examines incoming HTTP requests for a specific cookie value (DSAUTOKEN=af95380019083db5), executing arbitrary system commands if matched.

This mechanism enabled remote attackers to run their payloads on compromised systems with minimal complexity, bypassing many traditional defenses.

The web shell likely served as the launchpad for subsequent malware installation and command execution, including the deployment of DslogdRAT.

[Figure: A part of the web shell]

DslogdRAT: Multi-Stage RAT with Time-Based Evasion

DslogdRAT, a remote access trojan identified on affected systems, demonstrates a multi-stage execution flow.

Upon initial launch, the primary process spawns a child, then terminates itself, enabling the child process to decode embedded configuration data and create a second child process.

Notably, the first child maintains persistence by entering a continuous sleep loop, while the second child executes the RAT’s core capabilities.

[Figure: Execution Flow of DslogdRAT]

These include establishing socket-based communications with a command-and-control (C2) server, launching a worker thread using the pthread library, and executing commands received from the attacker.

Analysis reveals that the DslogdRAT configuration, hardcoded and XOR-encoded with the value 0x63, limits active communication to business hours (8:00 AM to 8:00 PM), likely as an anti-detection measure.

The intention appears to be minimizing suspicious activity outside regular work hours, thereby reducing the likelihood of security monitoring tools detecting anomalous behavior.

DslogdRAT’s C2 communication involves a custom encoding scheme, where data is XOR’d in 7-byte blocks with incrementing keys from 0x01 to 0x07.

During the initial handshake, the malware transmits key system details in a prescribed format to the attacker infrastructure.
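The following analyst helpers illustrate the two encodings described above (the 0x63 single-byte XOR over the configuration and the 7-byte block XOR over C2 traffic) together with the business-hours window. This is an added example, not code from JPCERT/CC or from the malware; it assumes that byte i of each 7-byte block is XOR'd with key i+1, that the window is checked against the appliance's local clock, and the beacon content and timestamps are constructed here rather than taken from a real sample.

```python
"""Analyst helpers for the DslogdRAT encodings (constructed example, not JPCERT/CC code)."""
from datetime import datetime

CONFIG_XOR_KEY = 0x63                      # single-byte key reported for the embedded config
C2_BLOCK_KEYS = bytes(range(0x01, 0x08))   # 0x01..0x07: one key per byte of a 7-byte block


def decode_config(blob: bytes) -> bytes:
    """Undo the single-byte XOR (0x63) applied to the hardcoded configuration."""
    return bytes(b ^ CONFIG_XOR_KEY for b in blob)


def c2_xor(data: bytes) -> bytes:
    """7-byte block XOR: byte i of each block is XOR'd with key i+1 (assumed key layout).
    XOR is its own inverse, so the same function encodes and decodes a C2 message."""
    return bytes(b ^ C2_BLOCK_KEYS[i % len(C2_BLOCK_KEYS)] for i, b in enumerate(data))


def within_active_window(ts: datetime, start_hour: int = 8, end_hour: int = 20) -> bool:
    """True if ts falls in the 08:00-20:00 window the config restricts beaconing to.
    Assumes ts is in the appliance's local timezone, which is what the implant would check."""
    return start_hour <= ts.hour < end_hour


def triage_flows(flows):
    """Decode captured (timestamp, payload) pairs and note whether each fell in the window.
    Beacons inside the window are what the time restriction is meant to hide among
    normal traffic, so 'in_window' is context for the analyst, not a reason to dismiss."""
    return [
        {"ts": ts, "decoded": c2_xor(payload), "in_window": within_active_window(ts)}
        for ts, payload in flows
    ]


# Constructed samples: a fake beacon and fake capture times; no real handshake format is reproduced.
SAMPLE_BEACON = b"host=ics-appliance-01;user=root;pid=4242\n"
ENCODED_BEACON = c2_xor(SAMPLE_BEACON)
SAMPLE_FLOWS = [
    (datetime(2024, 12, 10, 9, 15), ENCODED_BEACON),   # inside 08:00-20:00
    (datetime(2024, 12, 10, 23, 30), ENCODED_BEACON),  # outside: contradicts the described config
]

if __name__ == "__main__":
    for row in triage_flows(SAMPLE_FLOWS):
        print(row["ts"], "in_window=%s" % row["in_window"], row["decoded"])
```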

Supported RAT commands empower attackers with capabilities for file transfer, shell command execution, proxying network traffic, and more, facilitating both initial exploitation and long-term persistence.

In addition to DslogdRAT, forensic analysis identified the presence of SPAWNSNARE malware on the same compromised hosts.

This malware had been previously reported by CISA and Google in April 2025 and is associated with the broader SPAWN malware family, believed to be operated by the threat group UNC5221.

However, it remains unconfirmed whether the DslogdRAT attacks are directly linked to this same campaign.

The exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances underscores the persistent targeting of remote access infrastructure by sophisticated threat actors.

JPCERT/CC has issued warnings regarding further vulnerabilities (such as CVE-2025-22457) and urges continued vigilance as attacks show no sign of abating.

Organizations are advised to monitor for signs of compromise, apply security patches promptly, and remain alert to the evolving tactics and tooling used by attackers exploiting remote access platforms.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
