{
	"id": "6181460d-b780-487a-8c63-9c14dcdfb1f1",
	"created_at": "2026-04-06T00:15:52.707471Z",
	"updated_at": "2026-04-10T13:12:15.620598Z",
	"deleted_at": null,
	"sha1_hash": "c7de8c64b54cbe26356a550ac81c176bcb0c6576",
	"title": "Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75866,
	"plain_text": "Suspected China-Nexus Threat Actor Actively Exploiting Critical\r\nIvanti Connect Secure Vulnerability (CVE-2025-22457)\r\nBy Mandiant\r\nPublished: 2025-04-03 · Archived: 2026-04-02 11:17:01 UTC\r\nWritten by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie\r\nOn Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti\r\nConnect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow\r\nvulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have\r\nidentified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier\r\nversions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible. \r\nThe earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following\r\nsuccessful exploitation, we observed the deployment of two newly identified malware families, the\r\nTRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the\r\npreviously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a\r\nsuspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge\r\ndevices dating back to 2023.\r\nA patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer\r\noverflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service\r\nvulnerability. 
We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and\r\nuncovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code\r\nexecution.\r\nIvanti released patches for the exploited vulnerability and Ivanti customers are urged to follow the actions in the\r\nSecurity Advisory to secure their systems as soon as possible.\r\nPost-Exploitation Tactics, Techniques, and Procedures\r\nFollowing successful exploitation, Mandiant observed the deployment of two newly identified malware families\r\ntracked as TRAILBLAZE and BRUSHFIRE through a shell script dropper. Mandiant has also observed the\r\ndeployment of the SPAWN ecosystem of malware. Additionally, similar to previously observed behavior, the actor\r\nattempted to modify the Integrity Checker Tool (ICT) in an attempt to evade detection.\r\nShell-script Dropper\r\nFollowing successful exploitation of CVE-2025-22457, Mandiant observed a shell script being leveraged that\r\nexecutes the TRAILBLAZE dropper. This dropper injects the BRUSHFIRE passive backdoor into a running\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability\r\nPage 1 of 6\n\n/home/bin/web process. The first stage begins by searching for a /home/bin/web process that is a child process\r\nof another /home/bin/web process (the point of this appears to be to inject into the web process that is actually\r\nlistening for connections). 
It then creates the following files and associated content:\r\n/tmp/.p : contains the PID of the /home/bin/web process.\r\n/tmp/.m : contains a memory map of that process (human-readable).\r\n/tmp/.w : contains the base address of the web binary from that process.\r\n/tmp/.s : contains the base address of libssl.so from that process.\r\n/tmp/.r : contains the BRUSHFIRE passive backdoor.\r\n/tmp/.i : contains the TRAILBLAZE dropper.\r\nThe shell script then executes /tmp/.i, which is the second stage in-memory only dropper tracked as\r\nTRAILBLAZE. It then deletes all of the temporary files previously created (except for /tmp/.p), as well as the\r\ncontents of the /data/var/cores directory. Next, all child processes of the /home/bin/web process are killed\r\nand the /tmp/.p file is deleted. All of this behavior is non-persistent, and the dropper will need to be re-executed\r\nif the system or process is rebooted.\r\nTRAILBLAZE\r\nTRAILBLAZE is an in-memory only dropper written in bare C that uses raw syscalls and is designed to be as\r\nminimal as possible, likely to ensure it can fit within the shell script as Base64. TRAILBLAZE injects a hook into\r\nthe identified /home/bin/web process. It will then inject the BRUSHFIRE passive backdoor into a code cave\r\ninside that process.\r\nBRUSHFIRE\r\nBRUSHFIRE is a passive backdoor written in bare C that acts as an SSL_read hook. It first executes the original\r\nSSL_read function, and checks to see if the returned data begins with a specific string. If the data begins with the\r\nstring, it will XOR decrypt then execute shellcode contained in the data. If the received shellcode returns a value,\r\nthe backdoor will call SSL_write to send the value back.\r\nSPAWNSLOTH\r\nAs detailed in our previous blog post, SPAWNSLOTH acts as a log tampering component tied to the\r\nSPAWNSNAIL backdoor. 
It targets the dslogserver process to disable both local logging and remote syslog\r\nforwarding.\r\nSPAWNSNARE\r\nSPAWNSNARE is a utility that is written in C and targets Linux. It can be used to extract the uncompressed Linux\r\nkernel image (vmlinux) into a file and encrypt it using AES without the need for any command line tools.\r\nSPAWNWAVE\r\nSPAWNWAVE is an evolved version of SPAWNANT that combines capabilities from other members of the\r\nSPAWN* malware ecosystem. SPAWNWAVE overlaps with the publicly reported SPAWNCHIMERA and\r\nRESURGE malware families.\r\nAttribution\r\nGoogle Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 and the subsequent\r\ndeployment of the SPAWN ecosystem of malware to the suspected China-nexus espionage actor UNC5221. GTIG\r\nhas previously reported UNC5221 conducting zero-day exploitation of CVE-2025-0282, as well as the\r\nexploitation of CVE-2023-46805 and CVE-2024-21887.\r\nFurthermore, GTIG has also previously observed UNC5221 conducting zero-day exploitation of CVE-2023-4966,\r\nimpacting NetScaler ADC and NetScaler Gateway appliances. UNC5221 has targeted a wide range of countries\r\nand verticals during their operations, and has leveraged an extensive set of tooling, spanning passive backdoors to\r\ntrojanized legitimate components on various edge appliances.\r\nGTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their\r\nconsistent history of success and aggressive operational tempo. 
Additionally, as noted in our prior blog post\r\ndetailing CVE-2025-0282 exploitation, GTIG has observed UNC5221 leveraging an obfuscation network of\r\ncompromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion\r\noperations.\r\nConclusion\r\nThis latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally.\r\nThis campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors\r\nlike UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws. This activity aligns with the broader strategy GTIG has observed among suspected\r\nChina-nexus espionage groups who invest significantly in exploits and custom malware for critical edge\r\ninfrastructure.\r\nRecommendations\r\nMandiant recommends organizations immediately apply the available patch by upgrading Ivanti Connect Secure\r\n(ICS) appliances to version 22.7R2.6 or later to address CVE-2025-22457. Additionally, organizations should use\r\nthe external and internal Integrity Checker Tool (“ICT”) and contact Ivanti Support if suspicious activity is\r\nidentified. To supplement this, defenders should actively monitor for core dumps related to the web process,\r\ninvestigate ICT statedump files, and conduct anomaly detection of client TLS certificates presented to the\r\nappliance.\r\nAcknowledgements\r\nWe would like to thank Daniel Spicer and the rest of the team at Ivanti for their continued partnership and support\r\nin this investigation. 
Additionally, this analysis would not have been possible without the assistance of analysts\r\nacross Google Threat Intelligence Group and Mandiant’s FLARE; we would like to specifically thank Christopher\r\nGardner and Dhanesh Kizhakkinan of FLARE for their support.\r\nIndicators of Compromise\r\nTo assist the security community in hunting and identifying activity outlined in this blog post, we have included\r\nindicators of compromise (IOCs) in a GTI Collection for registered users.\r\nCode Family MD5 Filename Description\r\nTRAILBLAZE 4628a501088c31f53b5c9ddf6788e835 /tmp/.i In-memory dropper\r\nBRUSHFIRE e5192258c27e712c7acf80303e68980b /tmp/.r Passive backdoor\r\nSPAWNSNARE 6e01ef1367ea81994578526b3bd331d6 /bin/dsmain Kernel extractor \u0026 encryptor\r\nSPAWNWAVE ce2b6a554ae46b5eb7d79ca5e7f440da /lib/libdsupgrade.so Implant utility\r\nSPAWNSLOTH 10659b392e7f5b30b375b94cae4fdca0 /tmp/.liblogblock.so Log tampering utility\r\nYARA Rules\r\nrule M_APT_Installer_SPAWNANT_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects SPAWNANT. SPAWNANT is an\r\nInstaller targeting Ivanti devices. 
Its purpose is to persistently\r\ninstall other malware from the SPAWN family (SPAWNSNAIL,\r\nSPAWNMOLE) as well as drop additional webshells on the box.\"\r\n \r\n strings:\r\n $s1 = \"dspkginstall\" ascii fullword\r\n $s2 = \"vsnprintf\" ascii fullword\r\n $s3 = \"bom_files\" ascii fullword\r\n $s4 = \"do-install\" ascii\r\n $s5 = \"ld.so.preload\" ascii\r\n $s6 = \"LD_PRELOAD\" ascii\r\n $s7 = \"scanner.py\" ascii\r\n \r\n condition:\r\n uint32(0) == 0x464c457f and 5 of ($s*)\r\n}\r\nrule M_Utility_SPAWNSNARE_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"SPAWNSNARE is a utility written in C that targets\r\nLinux systems by extracting the uncompressed Linux kernel image\r\ninto a file and encrypting it with AES.\"\r\n strings:\r\n $s1 = \"\\x00extract_vmlinux\\x00\"\r\n $s2 = \"\\x00encrypt_file\\x00\"\r\n $s3 = \"\\x00decrypt_file\\x00\"\r\n $s4 = \"\\x00lbb_main\\x00\"\r\n $s5 = \"\\x00busybox\\x00\"\r\n $s6 = \"\\x00/etc/busybox.conf\\x00\"\r\n condition:\r\n uint32(0) == 0x464c457f\r\n and all of them\r\n \r\n}\r\nrule M_APT_Utility_SPAWNSLOTH_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule to identify strings found in SPAWNSLOTH\"\r\n \r\n strings:\r\n $dslog = \"dslogserver\" ascii fullword\r\n $hook1 = \"g_do_syslog_servers_exist\" ascii fullword\r\n $hook2 = \"ZN5DSLog4File3addEPKci\" ascii fullword\r\n $hook3 = \"funchook\" ascii fullword\r\n \r\n condition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nSource: 
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability"
	],
	"report_names": [
		"china-nexus-exploiting-critical-ivanti-vulnerability"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434552,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7de8c64b54cbe26356a550ac81c176bcb0c6576.pdf",
		"text": "https://archive.orkl.eu/c7de8c64b54cbe26356a550ac81c176bcb0c6576.txt",
		"img": "https://archive.orkl.eu/c7de8c64b54cbe26356a550ac81c176bcb0c6576.jpg"
	}
}