DslogdRAT Malware Installed in Ivanti Connect Secure

April 28, 2025, 7:20 p.m.

Description

The article discusses a malware called DslogdRAT, which was installed on Ivanti Connect Secure systems by exploiting CVE-2025-0282. The malware communicates with a C2 server during business hours to avoid detection. It uses a web shell for initial access and supports various commands for file operations, shell execution, and proxy functionality. The article details the malware's execution flow, configuration data, and communication method. Additionally, SPAWNSNARE malware was found on the same compromised systems. The attacks are potentially linked to the UNC5221 threat group, and organizations are advised to monitor for ongoing threats targeting Ivanti Connect Secure vulnerabilities.

Date

  • Created: April 28, 2025, 4:27 p.m.
  • Published: April 28, 2025, 4:27 p.m.
  • Modified: April 28, 2025, 7:20 p.m.

Attack Patterns

  • DslogdRAT
  • UNC5221

Additional Information

  • Japan