Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities

July 18, 2025, 9:21 a.m.

Description

The article details malware and tactics used in attacks targeting Ivanti Connect Secure vulnerabilities from December 2024 to July 2025. It describes MDifyLoader, a loader based on libPeConv, which deploys Cobalt Strike Beacon through DLL side-loading. The attackers also used vshell, a multi-platform RAT, and Fscan, a network scanning tool. After gaining initial access, the threat actors moved laterally by brute-forcing credentials, exploiting vulnerabilities, and using stolen credentials. They established persistence by creating domain accounts and registering malware as services or scheduled tasks. The attackers employed various evasion techniques, including the use of legitimate files and ETW bypasses.

Date

  • Created: July 18, 2025, 7:33 a.m.
  • Published: July 18, 2025, 7:33 a.m.
  • Modified: July 18, 2025, 9:21 a.m.

Attack Patterns

  • MDifyLoader
  • vshell
  • Fscan
  • Cobalt Strike Beacon