Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities

ID: e375aa3c-3708-5933-adaf-5f1f2be4402a

STIX ID: report--e375aa3c-3708-5933-adaf-5f1f2be4402a

Feed Name: JPCERT Blog

Threat Score: 80/100

Date Published: 2025-07-18

Date Updated: 2026-04-19

Author: 増渕 維摩 (Yuma Masubuchi)


JPCERT/CC reports ongoing exploitation of Ivanti Connect Secure vulnerabilities (CVE-2025-0282, CVE-2025-22457) used for initial access since December 2024. Attackers deploy loaders (MDifyLoader, python311.dll) to run Cobalt Strike Beacon, the vshell RAT and Fscan in memory; use brute-force attacks and SMB exploits for lateral movement; create domain accounts for persistence; and employ ETW and EDR evasion techniques. The report includes malware hashes, C2 hosts and full Beacon and vshell configurations.