

Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a new malware called DslogdRAT, deployed through the exploitation of a now-patched zero-day vulnerability in Ivanti Connect Secure (ICS). The flaw, tracked as CVE-2025-0282, allowed unauthenticated remote code execution and was patched in January 2025. However, it had already been exploited in attacks against organizations in Japan in December 2024.
According to researchers, the attacks involved deploying a Perl-based web shell following the initial exploit, which then facilitated the installation of DslogdRAT and other malicious tools. DslogdRAT establishes a socket connection to a command-and-control server, sending system information and awaiting further instructions. It can execute shell commands, transfer files, and turn infected systems into proxies.

The zero-day was also used by a Chinese state-linked threat actor known as UNC5337 to deliver a malware suite known as SPAWN, as well as other tools like DRYHOOK and PHASEJAM. Although the use of DslogdRAT has not been definitively linked to the same campaign, the attack vector is similar.
Further developments include the use of another ICS vulnerability, CVE-2025-22457, by a separate Chinese threat group, UNC5221, to spread new SPAWN variants such as SPAWNCHIMERA and RESURGE.
The situation has escalated, with a threat intelligence firm reporting a ninefold increase in suspicious scanning activity targeting ICS and Ivanti Pulse Secure (IPS) appliances. Over 1,000 unique IP addresses have been involved in scanning within the past 90 days, with 255 flagged as malicious; many originate from TOR exit nodes and obscure hosting providers. The United States, Germany, and the Netherlands were identified as the top sources. The surge suggests coordinated reconnaissance, likely in preparation for future exploitation campaigns.
Impact
- Remote Code Execution
- Data Exfiltration
Indicators of Compromise
Remediation
- Apply the latest security patches for Ivanti Connect Secure and Pulse Secure appliances, including CVE-2025-0282 and CVE-2025-22457.
- Block all threat indicators at your respective controls.
- Monitor systems for indicators of compromise (IOCs) related to DslogdRAT, SPAWN variants, and Perl-based web shells.
- Inspect and remove unauthorized web shells or unknown scripts from ICS environments.
- Deploy network monitoring tools to detect unusual outbound connections or socket-based C2 traffic.
- Restrict external access to management interfaces of ICS/IPS devices via firewall rules or VPNs.
- Use intrusion detection and prevention systems (IDS/IPS) to identify and block exploit attempts.
- Conduct threat hunting and forensic analysis on potentially affected systems.
- Enforce multi-factor authentication (MFA) on all remote access points.
- Audit and minimize the use of privileged accounts across networked systems.
- Subscribe to threat intelligence feeds to stay informed about evolving attacker tactics and newly exploited vulnerabilities.
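The remediation items on monitoring for unusual outbound connections and socket-based C2 traffic, together with the description of DslogdRAT holding a socket open to its command-and-control server, call for a concrete check. The following is an added example and not part of this advisory: it parses constructed Zeek-style connection records and flags an appliance's connections to non-allowlisted destinations that are either long-lived or repeated. The appliance address, the allowlist and the thresholds are assumptions; the sample addresses are documentation ranges, not the advisory's indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in a Zeek conn.log-like layout, tab-separated:
# ts, source IP, destination IP, destination port, protocol, duration (s).
SAMPLE_LOG = """\
1735689600.0\t10.0.0.5\t10.0.0.20\t636\ttcp\t0.4
1735689660.0\t10.0.0.5\t203.0.113.77\t443\ttcp\t3600.2
1735689700.0\t10.0.0.5\t198.51.100.10\t443\ttcp\t1.2
1735689800.0\t10.0.0.5\t192.0.2.9\t80\ttcp\t0.3
1735693260.0\t10.0.0.5\t203.0.113.77\t443\ttcp\t3598.9
"""

# Hypothetical inventory: the appliance's address and the destinations it
# is expected to talk to (internal networks, a vendor update range).
APPLIANCES = {"10.0.0.5"}
ALLOWED_DESTS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("198.51.100.0/24")]


def parse_conn_log(text):
    """Parse the tab-separated records into dicts, skipping comments/blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, dur = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "duration": float(dur)})
    return records


def is_allowed(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTS)


def find_suspicious_outbound(records, min_duration=600.0, min_sessions=2):
    """Flag non-allowlisted destinations an appliance holds open for a long
    time (persistent C2 socket) or reconnects to repeatedly (beaconing)."""
    by_dst = defaultdict(list)
    for r in records:
        if r["src"] in APPLIANCES and not is_allowed(r["dst"]):
            by_dst[r["dst"]].append(r)
    alerts = {}
    for dst, rs in by_dst.items():
        longest = max(r["duration"] for r in rs)
        if len(rs) >= min_sessions or longest >= min_duration:
            alerts[dst] = {"sessions": len(rs), "longest": longest,
                           "ports": sorted({r["port"] for r in rs})}
    return alerts
```

Lowering `min_sessions` to 1 surfaces every non-allowlisted destination, which is useful for a one-off hunt but noisier for continuous alerting.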