China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
ID: 781a697f-edb9-5cf4-8835-e157a1d573f0
STIX ID: report--781a697f-edb9-5cf4-8835-e157a1d573f0
Feed Name: EclecticIQ
EclecticIQ reports that two critical Ivanti EPMM vulnerabilities (CVE-2025-4427 and CVE-2025-4428) were actively exploited starting May 15, 2025, by a China-nexus espionage group to achieve unauthenticated RCE on internet-facing EPMM servers. The attackers deployed KrustyLoader, which staged an AES-encrypted Sliver backdoor, and used FRP and Auto-Color for lateral access and beaconing. They exfiltrated sensitive device and credential data (including Office365 tokens and LDAP data) and abused public AWS S3 buckets for payload hosting. Patches and detection IOCs are provided.