Threat Actors Leverage Ivanti Connect Secure Vulnerabilities to Deploy Cobalt Strike Beacon

Cybersecurity analysts have observed sustained exploitation campaigns targeting unpatched Ivanti Connect Secure VPN appliances.

Threat actors have actively leveraged newly disclosed vulnerabilities CVE-2025-0282 and CVE-2025-22457 to breach enterprise networks and deploy sophisticated malware, including the notorious Cobalt Strike Beacon.

The Japanese CERT Coordination Center (JPCERT/CC) has issued a detailed report outlining the deployment techniques, malware families, and operational tradecraft witnessed through July 2025, highlighting the advanced methodologies attackers now use to evade detection and maintain persistent access.

Custom Malware Deployment

Investigations detail a complex infection chain, beginning with exploitation of the VPN’s remote access flaws.

Attackers first establish a beachhead by using legitimate system binaries such as rmic.exe or push_detect.exe, which are abused to sideload a custom loader called MDifyLoader.

[Figure: Execution flow of Cobalt Strike through MDifyLoader]

Based on the open-source libPeConv project, MDifyLoader consumes an encrypted payload and decrypts it in-memory using an RC4 key derived from the MD5 hash of an accompanying executable.

This convoluted three-file requirement (legitimate binary, loader DLL, and encrypted payload) is likely designed to hinder both automated and static malware analysis.

Upon decryption, MDifyLoader loads Cobalt Strike Beacon v4.5 directly into system memory, making forensics especially challenging.

Technical analysis also shows significant junk code injection and obfuscation within the loader: randomized function calls and variable assignments impede both dynamic and static unpacking by researchers.

Notably, unlike standard implementations where configurations are XOR-decoded, this campaign utilized RC4 encryption with the hardcoded key “google” for its Beacon configs, indicating a custom twist aimed at bypassing signature-based detections.
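The two decryption details above (an RC4 key derived from the MD5 of the companion executable for MDifyLoader's payload, and RC4 with the key "google" instead of single-byte XOR for the Beacon configuration) are what an analyst needs to reproduce when triaging these files. The following is an added example written for this article; it is not code from JPCERT/CC or from the article. It assumes the RC4 key is the MD5 of the companion executable's bytes (the article does not say whether the raw digest or its hex string is used, so both are tried), and that a decrypted Beacon config begins with the record header for setting 1, BeaconType (index 1, type 1, length 2, big-endian), which is the marker config extractors commonly check for. All sample inputs are constructed.

```python
"""Analyst-side triage helpers for the MDifyLoader and Beacon artefacts
described in the article. Added example, not JPCERT/CC or article code.
Assumptions:
  * MDifyLoader's RC4 key is the MD5 of the companion executable's bytes;
    the raw 16-byte digest and its hex string are both tried.
  * A decrypted Beacon configuration starts with the record header of
    setting 1 (BeaconType): index 1, type 1 (short), length 2, big-endian.
"""
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def candidate_keys(companion_exe: bytes) -> list:
    """Key derivations to try (assumption: raw MD5 digest or its hex form)."""
    digest = hashlib.md5(companion_exe).digest()
    return [digest, digest.hex().encode()]


def decrypt_loader_payload(encrypted: bytes, companion_exe: bytes):
    """Try each candidate key; accept the first that yields a PE ('MZ') image.
    Returns (plaintext, key) or (None, None) when no derivation fits."""
    for key in candidate_keys(companion_exe):
        plain = rc4(key, encrypted)
        if plain.startswith(b"MZ"):
            return plain, key
    return None, None


# First six bytes of a decrypted Beacon config (setting 1 record header).
BEACON_CFG_MARKER = b"\x00\x01\x00\x01\x00\x02"


def xor_single(key_byte: int, data: bytes) -> bytes:
    return bytes(b ^ key_byte for b in data)


def identify_config_scheme(blob: bytes):
    """Work out how an extracted Beacon config blob is protected.
    Returns (scheme, key, plaintext); scheme is 'xor', 'rc4' or None."""
    # Stock Beacon builds: single-byte XOR (0x69 in 4.x, 0x2e in older builds).
    for kb in (0x69, 0x2E):
        plain = xor_single(kb, blob)
        if plain.startswith(BEACON_CFG_MARKER):
            return "xor", bytes([kb]), plain
    # Variant reported in this campaign: RC4 with the hardcoded key "google".
    plain = rc4(b"google", blob)
    if plain.startswith(BEACON_CFG_MARKER):
        return "rc4", b"google", plain
    return None, None, None


# Constructed sample inputs (not real malware bytes) so this runs offline.
SAMPLE_EXE = b"MZ" + bytes(range(256))               # stand-in companion binary
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed fake PE image"
SAMPLE_ENCRYPTED = rc4(hashlib.md5(SAMPLE_EXE).digest(), SAMPLE_PAYLOAD)
# Two constructed config records: setting 1 (BeaconType) and setting 2 (Port).
SAMPLE_CONFIG = (BEACON_CFG_MARKER + b"\x00\x08"
                 + b"\x00\x02\x00\x01\x00\x02\x01\xbb")
SAMPLE_CONFIG_RC4 = rc4(b"google", SAMPLE_CONFIG)
SAMPLE_CONFIG_XOR = xor_single(0x69, SAMPLE_CONFIG)

if __name__ == "__main__":
    plain, key = decrypt_loader_payload(SAMPLE_ENCRYPTED, SAMPLE_EXE)
    print("payload recovered:", plain == SAMPLE_PAYLOAD, "key length:", len(key))
    print("config scheme:", identify_config_scheme(SAMPLE_CONFIG_RC4)[:2])
    print("config scheme:", identify_config_scheme(SAMPLE_CONFIG_XOR)[:2])
```

In practice the three files (host binary, loader DLL, encrypted payload) are fed in from a forensic image; the point of trying both the XOR and RC4 paths in identify_config_scheme is that a stock extractor that only searches for the XOR'd marker pattern will report "no config found" on this campaign's samples, which is exactly the signature-evasion the article describes.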

Emergence of Vshell RAT

Parallel to Cobalt Strike activity, the attackers deployed the Golang-based vshell RAT (version 4.6.0) on compromised endpoints.

A notable operational blunder revealed the tool's built-in language check for a Chinese locale: repeated execution attempts failed until a compatible environment was found, implying that development or test code was inadvertently shipped in the wild.

Reconnaissance and lateral movement are facilitated by a heavily modified, fileless variant of the Fscan network scanner.

Using python.exe to sideload a malicious python311.dll developed from FilelessRemotePE, attackers loaded an RC4-encrypted Fscan executable (“k.bin”) directly into memory, bypassing disk-based detections.

[Figure: The execution flow of Fscan]

An ETW bypass embedded in the loader further disables Windows telemetry, highlighting an EDR-aware attack.
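Because the loaders above ride on legitimate signed binaries, the detection opportunity is the image-load event rather than the process name: python.exe or rmic.exe loading its DLL from a directory where it was never installed. The following hunt is an added example written for this article, not JPCERT/CC or article code. It assumes simplified Sysmon-style ImageLoad records (host process path, loaded image path, SHA256); that the host/DLL pairs are python.exe with python311.dll and rmic.exe or push_detect.exe with jli.dll (the MDifyLoader file name from the IOC table, so pairing jli.dll with those two binaries is an assumption); and it uses the python311.dll and jli.dll SHA256 values from the article's IOC table. The telemetry lines are constructed.

```python
"""Hunt for the DLL sideloading pattern described in the article in
image-load telemetry. Added example, not JPCERT/CC or article code.
Assumptions: simplified Sysmon ImageLoad (event 7) records; host/DLL pairs
and hashes taken from the article, with jli.dll assumed to be the DLL that
rmic.exe / push_detect.exe sideload.
"""
import json
import ntpath

# SHA256 values from the article's IOC table.
KNOWN_BAD_SHA256 = {
    "699290a753f35ae3f05a7ea1984d95f6e6f21971a146714fca5708896e5e6218": "python311.dll (Fscan loader)",
    "45ecb7b23b328ab762d8519e69738a20eb0cd5618a10abb2c57a9c72582aa7e7": "jli.dll (MDifyLoader)",
}

# Legitimate host binary -> DLL it normally loads from its own install directory.
SIDELOAD_PAIRS = {
    "python.exe": {"python311.dll"},
    "rmic.exe": {"jli.dll"},          # assumed pairing
    "push_detect.exe": {"jli.dll"},   # assumed pairing
}

# Roots where these binaries are expected to live; sideloading shows up
# elsewhere (user profiles, ProgramData, temp, Public).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def triage_image_load(rec: dict) -> list:
    """Return the reasons (possibly none) an ImageLoad record is suspicious."""
    reasons = []
    host = ntpath.basename(rec["host_process"]).lower()
    dll = ntpath.basename(rec["image"]).lower()
    sha = rec.get("sha256", "").lower()
    if sha in KNOWN_BAD_SHA256:
        reasons.append("ioc_hash_match:" + KNOWN_BAD_SHA256[sha])
    if dll in SIDELOAD_PAIRS.get(host, set()):
        # Sideloaded DLLs sit next to the copied host binary, outside its install root.
        same_dir = (ntpath.dirname(rec["host_process"]).lower()
                    == ntpath.dirname(rec["image"]).lower())
        if same_dir and not under_trusted_root(rec["image"]):
            reasons.append(f"sideload_candidate:{host}->{dll} outside trusted roots")
    return reasons


def hunt(jsonl: str) -> list:
    """Run triage over newline-delimited JSON; return (host, image, reasons) hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = triage_image_load(rec)
        if reasons:
            hits.append((rec["host_process"], rec["image"], reasons))
    return hits


# Constructed telemetry: records 1 and 2 are the malicious pattern (record 2
# with a constructed, unknown hash); records 3 and 4 are normal installs.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"event_id": 7, "host_process": "C:\\Users\\Public\\Libraries\\python.exe",
                "image": "C:\\Users\\Public\\Libraries\\python311.dll",
                "sha256": "699290a753f35ae3f05a7ea1984d95f6e6f21971a146714fca5708896e5e6218"}),
    json.dumps({"event_id": 7, "host_process": "C:\\ProgramData\\upd\\rmic.exe",
                "image": "C:\\ProgramData\\upd\\jli.dll",
                "sha256": "0000000000000000000000000000000000000000000000000000000000000001"}),
    json.dumps({"event_id": 7, "host_process": "C:\\Program Files\\Python311\\python.exe",
                "image": "C:\\Program Files\\Python311\\python311.dll",
                "sha256": "0000000000000000000000000000000000000000000000000000000000000002"}),
    json.dumps({"event_id": 7, "host_process": "C:\\Program Files\\Java\\jdk\\bin\\rmic.exe",
                "image": "C:\\Program Files\\Java\\jdk\\bin\\jli.dll",
                "sha256": "0000000000000000000000000000000000000000000000000000000000000003"}),
])

if __name__ == "__main__":
    for host, image, reasons in hunt(SAMPLE_EVENTS):
        print(host, "loaded", image, "->", "; ".join(reasons))
```

The hash match covers the exact samples in the IOC table; the path heuristic is what catches the next recompiled loader with a different hash, which is why both checks are kept independent.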

Following initial breach, actors conduct broad internal reconnaissance, leveraging brute-force attacks against Active Directory, SMB, FTP, MSSQL, and SSH to accumulate valid credentials.

Exploitation of the notorious MS17-010 (EternalBlue) SMB vulnerability persists as a preferred lateral movement method.

Using newly obtained credentials, attackers move laterally via RDP and SMB, dropping additional malware as they pivot.

Persistence is ensured through the creation and group-assignment of new domain accounts, malware registration as system services, and scheduled task configuration. These measures are taken to maintain access even if initial compromise vectors are remediated.
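The three persistence mechanisms just listed each leave a standard Windows event, and the useful signal is the combination: an account that is created and promoted within minutes, and services or tasks whose binary lives outside the usual install roots. The following correlation is an added example written for this article, not JPCERT/CC or article code. It assumes events pre-parsed into dicts keyed on the standard IDs 4720 (user created), 4728/4732 (member added to a global/local security group), 7045 (service installed) and 4698 (scheduled task created), with plain account names rather than SIDs; the privileged-group list and trusted roots are policy choices hard-coded for the demo, and the event records are constructed.

```python
"""Correlate Windows Security/System events for the persistence techniques
described in the article. Added example, not JPCERT/CC or article code.
Assumptions: pre-parsed events with IDs 4720, 4728/4732, 7045, 4698 and
plain account names; group list and trusted roots are local policy choices.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "administrators", "enterprise admins",
                     "remote desktop users"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDOW = timedelta(hours=1)   # creation -> privileged group add


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def outside_trusted_roots(path: str) -> bool:
    """Service ImagePath / task command may be quoted; strip before checking."""
    return not path.strip('"').lower().startswith(TRUSTED_ROOTS)


def find_persistence(events: list) -> list:
    """Return findings as (technique, subject, detail) tuples, in time order."""
    findings = []
    created = {}   # account -> creation time from 4720
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["event_id"]
        if eid == 4720:
            created[ev["target_user"].lower()] = _t(ev["time"])
        elif eid in (4728, 4732):
            born = created.get(ev["member"].lower())
            if ev["group"].lower() in PRIVILEGED_GROUPS and born is not None:
                age = _t(ev["time"]) - born
                if age <= WINDOW:
                    findings.append(("new_account_privileged", ev["member"],
                                     f"added to {ev['group']} {int(age.total_seconds())}s after creation"))
        elif eid == 7045 and outside_trusted_roots(ev["image_path"]):
            findings.append(("service_from_untrusted_path", ev["service_name"], ev["image_path"]))
        elif eid == 4698 and outside_trusted_roots(ev["command"]):
            findings.append(("task_from_untrusted_path", ev["task_name"], ev["command"]))
    return findings


# Constructed events: the first four model the campaign's persistence steps,
# the last two are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"time": "2025-07-01T02:10:00", "event_id": 4720, "target_user": "svc_backup2"},
    {"time": "2025-07-01T02:11:30", "event_id": 4728, "member": "svc_backup2", "group": "Domain Admins"},
    {"time": "2025-07-01T02:15:00", "event_id": 7045, "service_name": "WinUpdateSvc",
     "image_path": "C:\\ProgramData\\upd\\rmic.exe"},
    {"time": "2025-07-01T02:16:00", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Sync",
     "command": "C:\\Users\\Public\\Libraries\\python.exe"},
    {"time": "2025-07-01T09:00:00", "event_id": 7045, "service_name": "Sense",
     "image_path": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"time": "2025-07-02T10:00:00", "event_id": 4732, "member": "jdoe", "group": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for technique, subject, detail in find_persistence(SAMPLE_EVENTS):
        print(f"{technique}: {subject} ({detail})")
```

The creation-to-promotion window is the part worth tuning: legitimate onboarding rarely grants Domain Admins within an hour of account creation, while the article's actors do exactly that to survive remediation of the VPN foothold.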

Throughout, attackers employ extensive defense evasion tactics: continual masquerading using legitimate binaries, aggressive log and artifact deletion, and deobfuscation-resistant loader design.

The observed campaign underscores the urgent need to patch vulnerable VPN appliances, monitor for anomalous lateral movement, and hunt for malicious sideloading activity. Below are key indicators to assist defenders in threat hunting:

Indicators of Compromise (IOCs)

Category             | File / Domain / IP                                 | SHA256 hash
Legitimate file      | python.exe                                         | 0cbf71efa09ec4ce62d95c1448553314728ed5850720c8ad40352bfbb39be99a
Loader               | python311.dll (Fscan loader)                       | 699290a753f35ae3f05a7ea1984d95f6e6f21971a146714fca5708896e5e6218
Fscan payload        | k.bin (encoded Fscan)                              | cff2afc651a9cba84a11a4e275cc9ec49e29af5fd968352d40aeee07fb00445e
MDifyLoader          | jli.dll                                            | 45ecb7b23b328ab762d8519e69738a20eb0cd5618a10abb2c57a9c72582aa7e7
Cobalt Strike        | update.dat                                         | 09087fc4f8c261a810479bb574b0ecbf8173d4a8365a73113025bd506b95e3d7
Cobalt Strike config | config.ini                                         | 1652ab693512cd4f26cc73e253b5b9b0e342ac70aa767524264fef08706d0e69
Vshell variants      | ws_windows_amd2.exe, ws_windows_amd64.exe, ws.exe  | 48f3915fb8d8ad39dc5267894a950efc863bcc660f1654187b3d77a302fd040f
                     |                                                    | 54350d677174269b4dc25b0ccfb0029d6aeac5abbbc8d39eb880c9fd95691125
                     |                                                    | 85f9819118af284e6b00ce49fb0c85ff0c0b9d7a0589e1bb56a275ed91314965
C2 domains/IPs       | 172.237.6[.]207:80                                 |
                     | proxy.objectlook[.]com:80                          |
                     | api.openedr.eu[.]org:443                           |
                     | community.openedr.eu[.]org:443                     |
                     | query.datasophos[.]com:443                         |


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
