THREAT OPS › Threat News › Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities
Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities
<p>JPCERT/CC Eyes previously introduced the malware <a href="https://blogs.jpcert.or.jp/en/2025/02/spawnchimera.html" target="_blank">SPAWNCHIMERA</a> and <a href="https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html" target="_blank">DslogdRAT</a>, which were deployed by exploiting vulnerabilities in Ivanti Connect Secure. At JPCERT/CC, we have continued to observe active exploitation of these vul
MITRE ATT&CK techniques
- Scheduled TaskT1053.005
- Password GuessingT1110.001
- Create or Modify System ProcessT1543
- External Remote ServicesT1133
- Domain AccountT1087.002
- Windows ServiceT1543.003
- VulnerabilitiesT1588.006
- Scheduled Task/JobT1053
- Deobfuscate/Decode Files or InformationT1140
- MasqueradingT1036
- SMB/Windows Admin SharesT1021.002
- Account DiscoveryT1087
- Domain AccountT1136.002
- Exploitation of Remote ServicesT1210
- Account ManipulationT1098
- Encrypted ChannelT1573
- CredentialsT1589.001
- Domain AccountsT1078.002
- File DeletionT1070.004
- Create AccountT1136
- Remote Desktop ProtocolT1021.001
- MasqueradingAML.T0074
Indicators of compromise
- 0cbf71efa09ec4ce62d95c1448553314728ed5850720c8ad40352bfbb39be99asha256
- 699290a753f35ae3f05a7ea1984d95f6e6f21971a146714fca5708896e5e6218sha256
- cff2afc651a9cba84a11a4e275cc9ec49e29af5fd968352d40aeee07fb00445esha256
- a747be292339eae693b7c26cac0d33851cba31140fd0883371cc8de978583dbesha256
- f12250a43926dba46dcfb6145b7f1a524c0eead82bd1a8682307d1f2f1f1e66fsha256
- 45ecb7b23b328ab762d8519e69738a20eb0cd5618a10abb2c57a9c72582aa7e7sha256
- 9e91862b585fc4d213e9aaadd571435c1a007d326bd9b07b72dbecb77d1a27acsha256
- 09087fc4f8c261a810479bb574b0ecbf8173d4a8365a73113025bd506b95e3d7sha256
- 1652ab693512cd4f26cc73e253b5b9b0e342ac70aa767524264fef08706d0e69sha256
- 48f3915fb8d8ad39dc5267894a950efc863bcc660f1654187b3d77a302fd040fsha256
- 54350d677174269b4dc25b0ccfb0029d6aeac5abbbc8d39eb880c9fd95691125sha256
- 85f9819118af284e6b00ce49fb0c85ff0c0b9d7a0589e1bb56a275ed91314965sha256
- e880c4268fb48aebc5510e02f49d3bcemd5
- 492cdc5bc3d8cc5e6440a0da246f6684md5
- CVE-2025-0282cve
- CVE-2025-22457cve
- http://10.71.30.140:8080url
- 172.237.6.207ipv4
- 120.0.0.0ipv4
- proxy.objectlook.comdomain
- api.openedr.eu.orgdomain
- community.openedr.eu.orgdomain
- query.datasophos.comdomain
Original source: https://blogs.jpcert.or.jp/en/2025/07/ivanti_cs.html