DslogdRAT Deployed via Ivanti Connect Secure Exploit – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have uncovered a new malware called DslogdRAT, deployed through the exploitation of a now-patched zero-day vulnerability in Ivanti Connect Secure (ICS). The flaw, tracked as CVE-2025-0282, allowed unauthenticated remote code execution and was patched in January 2025. However, it had already been exploited in attacks against organizations in Japan in December 2024.

According to researchers, the attacks involved deploying a Perl-based web shell following the initial exploit, which then facilitated the installation of DslogdRAT and other malicious tools. DslogdRAT establishes a socket connection to a command-and-control server, sending system information and awaiting further instructions. It can execute shell commands, transfer files, and turn infected systems into proxies.

The zero-day was also used by a Chinese state-linked threat actor known as UNC5337 to deliver a malware suite known as SPAWN, as well as other tools like DRYHOOK and PHASEJAM. Although the use of DslogdRAT has not been definitively linked to the same campaign, the attack vector is similar.

Further developments include the use of another ICS vulnerability, CVE-2025-22457, by a separate Chinese threat group, UNC5221, to spread new SPAWN variants such as SPAWNCHIMERA and RESURGE.

The situation has escalated, with a threat intelligence firm reporting a ninefold increase in suspicious scanning activity targeting ICS and Ivanti Pulse Secure (IPS) appliances. Over 1,000 unique IP addresses were involved in scanning within the past 90 days, 255 of them flagged as malicious, many originating from Tor exit nodes and obscure hosting providers. The United States, Germany, and the Netherlands were identified as the top sources. The surge suggests coordinated reconnaissance, likely in preparation for future exploitation campaigns.

Impact

  • Remote Code Execution
  • Data Exfiltration

Indicators of Compromise

MD5

  • 8cc9178466ef91c7c0fb795c5ab58c21
  • 6e01ef1367ea81994578526b3bd331d6

SHA-256

  • 1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8
  • b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d

SHA-1

  • afe961a25a74bb9ff5bcc41e8ddb2c50b952e8b0
  • 09eb513f284771461bcdc16ee28d31ce8bbe74e0

Remediation

  • Apply the latest security patches for Ivanti Connect Secure and Pulse Secure appliances, including the fixes for CVE-2025-0282 and CVE-2025-22457.
  • Block all threat indicators at your respective controls.
  • Monitor systems for indicators of compromise (IOCs) related to DslogdRAT, SPAWN variants, and Perl-based web shells.
  • Inspect and remove unauthorized web shells or unknown scripts from ICS environments.
  • Deploy network monitoring tools to detect unusual outbound connections or socket-based C2 traffic.
  • Restrict external access to management interfaces of ICS/IPS devices via firewall rules or VPNs.
  • Use intrusion detection and prevention systems (IDS/IPS) to identify and block exploit attempts.
  • Conduct threat hunting and forensic analysis on potentially affected systems.
  • Enforce multi-factor authentication (MFA) on all remote access points.
  • Audit and minimize the use of privileged accounts across networked systems.
  • Subscribe to threat intelligence feeds to stay informed about evolving attacker tactics and newly exploited vulnerabilities.
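One way to act on the file-hash indicators above and the "monitor systems for IOCs" step is a simple offline scanner that hashes every file under a directory with MD5, SHA-1 and SHA-256 and reports any match against the advisory's hash set. This is an added example written for this advisory, not Rewterz tooling; the hash values are the ones published above, and the sample file and the second, seeded IoC set in `demo()` are constructed so the script can be exercised without any malicious sample.

```python
import hashlib
import os
import tempfile

# Hash indicators published in this advisory (MD5, SHA-1, SHA-256), lower-cased.
ADVISORY_HASHES = {
    "md5": {"8cc9178466ef91c7c0fb795c5ab58c21", "6e01ef1367ea81994578526b3bd331d6"},
    "sha1": {"afe961a25a74bb9ff5bcc41e8ddb2c50b952e8b0", "09eb513f284771461bcdc16ee28d31ce8bbe74e0"},
    "sha256": {
        "1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8",
        "b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d",
    },
}

def hash_file(path, chunk_size=1 << 20):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for one file, read in chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def match_iocs(path, iocs=ADVISORY_HASHES):
    """Return the (algorithm, digest) pairs from `iocs` that match this file."""
    digests = hash_file(path)
    return [(algo, digests[algo]) for algo in sorted(iocs) if digests[algo] in iocs[algo]]

def scan_tree(root, iocs=ADVISORY_HASHES):
    """Walk `root` and return {path: [(algo, digest), ...]} for every matching file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matches = match_iocs(path, iocs)
            except OSError:
                continue  # unreadable file (permissions, race): skip rather than abort the scan
            if matches:
                hits[path] = matches
    return hits

def demo():
    """Constructed sample: a benign file, scanned against the advisory set and a seeded set."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not malware")
        seeded = {"md5": set(), "sha1": set(), "sha256": {hash_file(sample)["sha256"]}}
        return scan_tree(tmp), scan_tree(tmp, seeded)
```

Run `scan_tree("/path/to/webroot")` against the directories a web shell would be dropped into; a hash match is a high-confidence hit, but an empty result only means none of these specific samples is present, so it complements rather than replaces the web-shell inspection and C2 traffic monitoring steps above.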