{
	"id": "e7fbe9cb-ff58-400e-b540-67bb9e4bdded",
	"created_at": "2026-04-29T02:21:36.727179Z",
	"updated_at": "2026-04-29T08:22:53.510957Z",
	"deleted_at": null,
	"sha1_hash": "a6b6d6b537618c46f4c5416b0bdef5612cc88bdf",
	"title": "SPAWNCHIMERA Malware: The Chimera Spawning from Ivanti Connect Secure Vulnerability - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1382860,
	"plain_text": "SPAWNCHIMERA Malware: The Chimera Spawning from Ivanti Connect Secure Vulnerability - JPCERT/CC Eyes\r\nBy 増渕 維摩(Yuma Masubuchi)\r\nPublished: 2025-02-19 · Archived: 2026-04-29 02:11:26 UTC\r\nFebruary 20, 2025\r\n\r\nIn January 2025, Ivanti published an advisory[1] regarding the vulnerability CVE-2025-0282 in Ivanti Connect Secure. JPCERT/CC has confirmed multiple cases of this vulnerability being exploited in Japan since late December 2024, prior to the disclosure of the vulnerability, and has published a security alert[2]. This vulnerability has already been used by multiple attack groups.\r\n\r\nAmong these cases, JPCERT/CC has confirmed that the SPAWN malware family[3][4], which according to Google's reports is installed after the vulnerability is exploited, has been updated. This article explains the updated malware family (hereafter referred to as “SPAWNCHIMERA”).\r\n\r\nOverview of SPAWNCHIMERA’s behavior\r\nFigure 1 shows an overview of SPAWNCHIMERA’s behavior. It is malware in which the functions of SPAWNANT, SPAWNMOLE, and SPAWNSNAIL have all been updated and integrated. Therefore, there is no significant difference in the way the malware is installed or injected into other processes compared to the SPAWN family reported by Google[4]. On the other hand, as shown in Figure 1, SPAWNCHIMERA can be injected into various processes and runs in each of them. The major changes are as follows.\r\nChange in inter-process communication\r\nFunction to fix vulnerability CVE-2025-0282\r\nNew decode functions added\r\nDeleted debug message\r\nhttps://blogs.jpcert.or.jp/en/2025/02/spawnchimera.html\r\nPage 1 of 8\r\n\r\nFigure 1: Flow of SPAWNCHIMERA’s behavior.\r\n\r\nInter-process communication through UNIX domain sockets\r\nIn the previous SPAWN family, the malicious traffic received by SPAWNMOLE was sent to port 8300 on 127.0.0.1, and SPAWNSNAIL processed it. With the above update, this inter-process communication method was altered to use a UNIX domain socket. The socket is created at the path below, and malicious traffic is sent and received between the SPAWNCHIMERA instance injected into the web process and the one injected into the dsmdm process. This change makes the malware more difficult to detect, since the socket may not appear in the netstat results reported by the Integrity Checker Tool (ICT).\r\n/home/runtime/tmp/.logsrv\r\n\r\nFunction to fix the vulnerability CVE-2025-0282\r\nSPAWNCHIMERA has a new function that fixes the CVE-2025-0282 vulnerability. CVE-2025-0282 is a buffer overflow vulnerability[5] caused by the strncpy function, and the malware dynamically fixes it by hooking the strncpy function and limiting the copy size to 256. Figure 2 shows the replaced strncpy function. SPAWNCHIMERA converts its process name to hexadecimal and checks the resulting value; the fix is triggered when the process name is \"web\". The fix is programmed to be disabled when the first bytes of the source buffer passed to the strncpy function match 0x04050203. Because of this function, if another attacker attempts to exploit this vulnerability for intrusion or executes a PoC[6] for scanning purposes, the attack may not succeed.\r\nFigure 2: The strncpy function replaced through the hook\r\n\r\nNew decode functions added\r\nIn the previous samples, the private key for the SSH server functionality was hardcoded in plaintext within the samples and exported to /tmp/.dskey. In SPAWNCHIMERA, by contrast, it is now encoded and hardcoded within the sample. The key is used after being decoded with an XOR-based decode function. Since it is not exported as a file, traces are less likely to be left. The decoded key is a standard OpenSSH private key block (BEGIN OPENSSH PRIVATE KEY format).\r\n\r\nAdditionally, while the previous sample identified malicious traffic in the replaced accept function by matching part of the received buffer against a hard-coded value, SPAWNCHIMERA has a new decode function and determines whether the traffic is malicious based on the result of that calculation. The decode function is shown in Figure 3.\r\nFigure 3: Decode function used to identify malicious traffic\r\n\r\nDeleted debug message\r\nWhile there are only minor functional differences between the previous SPAWNSLOTH and the one dropped by SPAWNCHIMERA, some functions related to debug messages were deleted throughout the sample, possibly with the aim of complicating analysis and hindering hunting. The same modification is also seen in the main SPAWNCHIMERA sample. Figure 4 shows an example of the deleted functions.\r\nFigure 4: Deleted debug message (left: previous version, right: current version)\r\n\r\nIn closing\r\nSPAWNCHIMERA has evolved into more sophisticated malware by changing various functions of the SPAWN family in ways that leave fewer traces, and the SPAWN family is expected to remain in use. We hope that the information in this article will help your malware analysis. The hash values and file paths of the confirmed malware are listed in the Appendix.\r\nYuma Masubuchi\r\n(Translated by Takumi Nakano)\r\n\r\nReferences\r\n[1] Ivanti\r\nSecurity Advisory Ivanti Connect Secure, Policy Secure \u0026 ZTA Gateways (CVE-2025-0282, CVE-2025-0283)\r\nhttps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US\r\n[2] JPCERT/CC\r\nAlert regarding the vulnerability (CVE-2025-0282) in Ivanti Connect Secure and other products\r\nhttps://www.jpcert.or.jp/at/2025/at250001.html\r\n[3] Google\r\nIvanti Connect Secure VPN Targeted in New Zero-Day Exploitation\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/?hl=en\r\n[4] Google\r\nCutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en\r\n[5] watchTowr Labs\r\nDo Secure-By-Design Pledges Come With Stickers? - Ivanti Connect Secure RCE (CVE-2025-0282)\r\nhttps://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-ivanti-connect-secure-rce-cve-2025-0282/\r\n[6] Stephen Fewer\r\nCVE-2025-0282.rb\r\nhttps://github.com/sfewer-r7/CVE-2025-0282/blob/main/CVE-2025-0282.rb\r\n\r\nAppendix A: Hash values of the malware\r\nSPAWNCHIMERA 94b1087af3120ae22cea734d9eea88ede4ad5abe4bdeab2cc890e893c09be955\r\nSPAWNSLOTH 9bdf41a178e09f65bf1981c86324cd40cb27054bf34228efdcfee880f8014baf\r\nAppendix B: File paths of the confirmed malware\r\nSPAWNCHIMERA /lib/libdsupgrade.so\r\nSPAWNSLOTH /tmp/.liblogblock.so\r\n\r\n増渕 維摩(Yuma Masubuchi)\r\nYuma has been engaged in malware analysis in the JPCERT/CC Cyber Security Coordination Group since 2020.\r\nSource: https://blogs.jpcert.or.jp/en/2025/02/spawnchimera.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2025/02/spawnchimera.html"
	],
	"report_names": [
		"spawnchimera.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-29T06:58:56.562372Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-29T06:58:57.760154Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-29T06:58:57.773042Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-29T06:58:57.56939Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-29T06:58:57.814862Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429296,
	"ts_updated_at": 1777450973,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6b6d6b537618c46f4c5416b0bdef5612cc88bdf.pdf",
		"text": "https://archive.orkl.eu/a6b6d6b537618c46f4c5416b0bdef5612cc88bdf.txt",
		"img": "https://archive.orkl.eu/a6b6d6b537618c46f4c5416b0bdef5612cc88bdf.jpg"
	}
}