{
	"id": "04d2e9ab-b642-4e5e-8624-0f3038a69b07",
	"created_at": "2026-04-29T02:21:24.098797Z",
	"updated_at": "2026-04-29T08:23:02.400348Z",
	"deleted_at": null,
	"sha1_hash": "fdaec515f3b87dca9740fb55f5dfb1de73671ea0",
	"title": "UNC5221’s Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti Connect Secure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95178,
	"plain_text": "UNC5221’s Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti\r\nConnect Secure\r\nBy Sıla Özeren Hacıoğlu\r\nPublished: 2025-04-17 · Archived: 2026-04-29 02:12:34 UTC\r\nWho Is the China-Nexus Group UNC5221?\r\nUNC5221 is a suspected China-nexus cyber-espionage group known for aggressively targeting edge network\r\ndevices (VPNs, firewalls, routers) with zero-day exploits since at least 2023 [1]. The group has repeatedly\r\ncompromised Ivanti’s Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances through multiple\r\nvulnerabilities, demonstrating a knack for quickly leveraging new flaws. \r\nIn mid-March 2025, UNC5221 launched a fresh campaign exploiting a critical Ivanti Connect Secure vulnerability\r\n(CVE-2025-22457) to gain unauthorized access to organizations’ networks. This latest activity involves deploying\r\ncustom malware on compromised VPN appliances and aligns with a broader trend of Chinese state-sponsored\r\nattackers focusing on internet-facing infrastructure for espionage [2]. The campaign has impacted organizations\r\nglobally (including U.S.-based targets), underscoring the threat to government and enterprise networks.\r\nThe Ivanti Connect Secure Vulnerability (CVE-2025-22457) Explained\r\nOn April 3, 2025, Ivanti publicly disclosed CVE-2025-22457, a critical stack-based buffer overflow affecting\r\nIvanti Connect Secure VPN appliances (version 22.7R2.5 and earlier) [1]. The flaw also impacts related Ivanti\r\nproducts – Ivanti Policy Secure and Ivanti Zero Trust Access (ZTA) gateways – as well as legacy Pulse Connect\r\nSecure 9.x devices (which reached end-of-support in late 2024) [3]. \r\nInitially, Ivanti had mischaracterized this issue as a non-exploitable product bug due to the buffer being limited to\r\nonly certain characters (periods and numbers). It was first thought to pose at most a low-risk denial-of-service\r\ncondition [4]. 
A patch was quietly issued on February 11, 2025 (ICS version 22.7R2.6), without a CVE at the time\r\n[5].\r\nReassessment as Critical RCE\r\nIn reality, CVE-2025-22457 turned out to be exploitable for unauthenticated remote code execution (RCE). Ivanti\r\ndiscovered in late March that a determined attacker could weaponize this buffer overflow despite the character\r\ninput limitations. \r\nUNC5221 likely reverse-engineered Ivanti’s February patch – diffing the code changes in ICS 22.7R2.6 – to\r\nunderstand the underlying vulnerability and devise a sophisticated exploit that works on unpatched versions\r\n(22.7R2.5 and earlier). \r\nhttps://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure\r\nPage 1 of 11\n\nBy mid-March 2025, active exploitation in the wild was detected against vulnerable ICS 22.7R2.5 and Pulse\r\nSecure 9.x appliances. Ivanti subsequently upgraded the severity to CVSS 9.0 (Critical) and urged all customers to\r\nimmediately upgrade to the fixed version 22.7R2.6 or later. \r\nNotably, Ivanti reported that a “limited number of customers” running ICS 22.7R2.5 (or older) and Pulse 9.x were\r\nbreached, while no incidents had (yet) been observed on Policy Secure or ZTA gateways.\r\nNature of the Exploit\r\nCVE-2025-22457 arises from a memory buffer overflow in the ICS web service code. The exploit requires\r\ncrafting input within a restricted character set, making development non-trivial. \r\nUNC5221’s exploit likely involved careful manipulation of memory to achieve code execution without crashing\r\nthe service. According to security researchers, the adversary’s method was complex: by studying Ivanti’s patch,\r\nthey figured out a way to bypass the original input limitations and execute arbitrary code remotely. In practice, the\r\nattackers were seen sending repeated HTTP requests to a target appliance – likely probing for the ICS version or\r\nvulnerability state – before launching the exploit payload. 
Once successful, the exploit grants the attacker\r\nunauthenticated access to run code with high privileges on the VPN appliance, effectively opening the door to the\r\nvictim’s internal network.\r\nAnalyzing UNC5221's Advanced Tactics, Techniques, and Procedures (TTPs)\r\nAfter exploiting CVE-2025-22457 to compromise an Ivanti Connect Secure appliance, UNC5221 employs a\r\nvariety of tactics, techniques, and procedures (TTPs) to expand their foothold, evade detection, harvest\r\ncredentials, and ultimately fulfill their espionage objectives. \r\nThe following breakdown maps UNC5221’s known behaviors to MITRE ATT\u0026CK categories:\r\nInitial Access (TA0001) – Exploiting the VPN Gateway\r\nT1190 – Exploit Public-Facing Application\r\nUNC5221 gains initial access by exploiting the public-facing ICS VPN appliance via the CVE-2025-22457\r\nvulnerability. This technique is Exploit Public-Facing Application (T1190). The attacker targets\r\nan organization’s VPN gateway (which is accessible from the internet) and sends a specially crafted request to\r\ntrigger the buffer overflow and execute code on the device.\r\nBefore attempting exploitation, UNC5221 was observed performing reconnaissance of the appliance’s version –\r\nfor example, sending repeated queries to deduce the ICS firmware build – ensuring the target is a vulnerable\r\nversion (22.7R2.5 or older). Once confirmed, the zero-day (now n-day) exploit is launched, providing the attacker\r\na shell or code execution on the VPN appliance without any valid credentials. \r\nThis direct compromise of a network edge device serves as the beachhead for the rest of the intrusion.\r\nExecution (TA0002) – Deploying Malware in Memory\r\nFollowing successful exploitation, UNC5221 executes a multi-stage malware deployment sequence on the\r\ncompromised device. 
The initial payload is a shell script dropper delivered via the exploit. This script runs\r\ndirectly on the Ivanti appliance and orchestrates the loading of further malicious code:\r\nT1055 – Process Injection\r\nIn-memory Dropper: The shell script writes an executable to /tmp/.i (among other temp files) and then launches it.\r\nThis binary is the TRAILBLAZE dropper – a lightweight implant written in C that uses raw syscalls and runs\r\nonly in memory (the /tmp copy is deleted shortly after launch). When run, TRAILBLAZE searches for the running ICS web process (named web) and injects a\r\nmalicious code hook into it, effectively hollowing out a portion of the legitimate process to load the next stage.\r\nBackdoor Injection: Upon injecting a hook, TRAILBLAZE reads a payload from the temp files (written by the\r\nscript) and injects the backdoor into the target process’s memory space. The backdoor is a stealthy implant called\r\nBRUSHFIRE, which is inserted into a “code cave” of the web process and not saved to disk. This means the\r\nmalware runs within the context of the legitimate VPN service process.\r\nT1070.004 – Indicator Removal: File Deletion\r\nCleanup: The shell script and TRAILBLAZE perform cleanup actions after execution. The script deletes the\r\ntemporary files it created (containing the malware and process info) and even clears the appliance’s core dump\r\ndirectory to erase evidence. It then kills child processes of web (likely to restart a fresh instance with the injected\r\ncode) before removing any remaining markers. This ensures that, aside from the injected code in memory, little\r\ntrace of the attack files remains on the device.\r\nThis entire sequence is non-persistent – the malicious code resides only in memory. However, as long as the\r\nappliance is not rebooted or the web service is not restarted, the BRUSHFIRE backdoor will remain active inside\r\nthe process to execute attacker commands. 
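Hunting for an implant like this starts with the memory layout of the process it was injected into. The following is an added example, not code from the original post, from Ivanti or from Mandiant: it parses a /proc/<pid>/maps listing in the standard Linux format and flags mappings that a daemon such as web should not have. The maps text is constructed for the example; the /home/bin/web and /tmp/.i names in it follow the paths mentioned above.

```python
# Added example, not from the original post: heuristics over a Linux /proc/<pid>/maps
# listing for signs of an in-memory implant injected into a long-running daemon.
# SAMPLE_MAPS is constructed; the /home/bin/web and /tmp/.i names follow the text above.

SUSPICIOUS_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')

# Constructed sample in the real maps format: address range, perms, offset, dev, inode, path.
SAMPLE_MAPS = '''
00400000-00a52000 r-xp 00000000 08:01 131073 /home/bin/web
00c51000-00c9f000 rw-p 00651000 08:01 131073 /home/bin/web
01a00000-01a3c000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c0a0000 r-xp 00000000 08:01 262401 /usr/lib/libssl.so.1.0.0
7f3a1c2a0000-7f3a1c2c0000 rwxp 00000000 00:00 0
7f3a1c400000-7f3a1c401000 r-xp 00000000 00:21 4421 /tmp/.i (deleted)
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0 [stack]
7ffd2e1fe000-7ffd2e200000 r-xp 00000000 00:00 0 [vdso]
'''

def parse_maps(text):
    '''Parse maps lines into dicts; the path column is empty for anonymous mappings.'''
    regions = []
    for line in text.strip().splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split('-'))
        path = parts[5].strip() if len(parts) == 6 else ''
        regions.append({'start': start, 'end': end, 'perms': parts[1], 'path': path})
    return regions

def flag_regions(regions):
    '''Return (reason, region) pairs for mappings worth a closer look.'''
    findings = []
    for r in regions:
        execable = 'x' in r['perms']
        writable = 'w' in r['perms']
        if execable and writable:
            findings.append(('rwx', r))            # writable code: classic injection staging area
        if execable and r['path'] == '':
            findings.append(('anon_exec', r))      # executable memory backed by no file ([vdso] has a name)
        if r['path'].startswith(SUSPICIOUS_DIRS):
            findings.append(('tmp_backed', r))     # code or data mapped from a scratch directory
        if execable and r['path'].endswith('(deleted)'):
            findings.append(('deleted_exec', r))   # executable whose file was unlinked after launch
    return findings

def hunt(text):
    '''Convenience wrapper: the distinct reasons found in one maps listing.'''
    return sorted(set(reason for reason, _ in flag_regions(parse_maps(text))))

if __name__ == '__main__':
    for reason, region in flag_regions(parse_maps(SAMPLE_MAPS)):
        print(reason, hex(region['start']), region['perms'], region['path'])
```

Two caveats apply. ICS appliances do not give administrators a shell, so in practice this runs from a vendor support shell or over a memory or disk image taken during incident response. And a code cave written inside an existing executable page of libssl leaves the maps listing unchanged; catching that requires comparing the library's text pages in memory against the copy on disk, which this example does not do.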
\r\nIn effect, UNC5221 leverages the exploit to run a fileless malware deployment, giving them an active implant on\r\nthe device while minimizing artifacts on the filesystem.\r\nDefense Evasion (TA0005) – Staying Hidden on the Appliance\r\nUNC5221 demonstrates numerous defense evasion techniques to avoid detection on the compromised ICS\r\nappliance:\r\nIn-Memory Implants: By using an in-memory dropper and injecting the backdoor into an existing process, the\r\nattackers avoid leaving obvious binaries on disk. The TRAILBLAZE dropper and BRUSHFIRE backdoor run in\r\nmemory only, and the temporary files used are deleted immediately after use. This makes forensic detection more\r\ndifficult, as traditional file scans or antivirus on the device may not catch the malware.\r\nProcess Injection: Injecting into the trusted web process provides camouflage. The ICS device’s VPN service\r\nprocess continues to run normally (handling VPN connections) while also harboring the hidden backdoor code.\r\nSecurity monitoring that looks for new processes or suspicious services might not notice anything unusual since\r\nthe malware piggybacks on a legitimate process.\r\nLog Tampering: UNC5221 deploys a log-manipulation tool dubbed SPAWNSLOTH to disable or falsify logging\r\non the appliance. SPAWNSLOTH targets the ICS logging service (dslogserver process) to suppress local logs and\r\nsyslog forwarding, effectively blinding administrators to malicious activity. By halting log generation, the attacker\r\ncan operate with reduced chance of triggering alerts.\r\nClearing Traces: Even prior to deploying SPAWNSLOTH, the attackers take manual steps to clear traces. For\r\nexample, the malicious shell script issues commands like dmesg -c to clear kernel logs and may purge security\r\naudit logs. 
Researchers also noted that UNC5221 attempted to modify Ivanti’s built-in Integrity Checker Tool\r\n(ICT) – a utility meant to detect appliance tampering – likely to prevent it from reporting the changes made by the\r\nattackers. By patching or disabling security controls (like the ICT) on the device, the attackers further evade\r\ndetection.\r\nPassive Backdoor Communication: The BRUSHFIRE backdoor is designed as a passive implant, which is another\r\nevasion tactic. Rather than actively reaching out to a command-and-control server (which could be noticed as\r\nanomalous outgoing traffic), BRUSHFIRE sits quietly and monitors inbound VPN traffic. It hooks into the\r\nSSL/TLS functions of the web process and checks each inbound packet for a secret “trigger” pattern. \r\nOnly if a packet contains the attacker’s magic string does it decrypt an embedded payload and execute it as\r\nshellcode in memory. This means the backdoor does not beacon or create a separate network connection – it\r\nblends into normal VPN traffic and only responds when the operator sends a specially crafted packet. This stealthy\r\nC2 method makes the malware nearly invisible on the network, as an observer would just see typical VPN\r\nconnection traffic.\r\nObfuscation of Source: Outside the appliance, UNC5221 also conceals their operational infrastructure.\r\nResearchers report that the group routes its intrusion traffic through a network of compromised intermediary\r\ndevices – including hijacked Cyberoam VPN appliances, QNAP NAS devices, and ASUS routers – to mask their\r\ntrue origin. By tunneling their commands through these third-party systems, the attackers make it very difficult for\r\ndefenders to trace the activity back to the operators (a technique akin to using multiple VPNs or proxies). 
This\r\nOPSEC measure is common for nation-state actors and contributes to evading detection and attribution.\r\nOverall, UNC5221’s defense evasion ensures that once the ICS device is compromised, the intrusion can persist\r\nundetected for a significant time. Disabling logs and security tools deprives defenders of visibility, while the\r\npassive, in-memory backdoor and cunning use of trusted processes make the malicious presence extremely hard to\r\nspot through normal monitoring.\r\nCredential Access (TA0006) – Stealing Passwords and Keys\r\nStealing valid credentials is a priority for UNC5221, enabling deeper access into victim networks. The group\r\nemploys multiple techniques to harvest credentials from the compromised VPN appliance and its connected\r\nenvironment:\r\nT1556.004 – Modify Authentication Process: Network Device Authentication\r\nAuthentication Flow Hijacking: UNC5221 has deployed a custom Python-based credential stealer, internally named\r\nDRYHOOK, on Ivanti appliances. This malware patches the appliance’s authentication routines (the DSAuth.pm\r\nPerl module in ICS) to capture usernames and passwords in plaintext as users log in. \r\nEssentially, DRYHOOK inserts a malicious subroutine into the login flow: whenever a VPN user successfully\r\nauthenticates, their username and password are appended (after RC4 encryption and Base64 encoding) to a hidden\r\nfile on the appliance (/tmp/cmdmmap.kuwMW). This allows the attacker to silently collect VPN user credentials\r\n(including potentially administrator accounts) as they are entered, before any hashing or transport encryption is applied. The malware even\r\nremounts the filesystem as read-write to insert its changes and then restores it to read-only to avoid suspicion,\r\nbefore killing processes to apply the new modified authentication logic. 
By the time it’s done, the appliance’s\r\nlogin system is effectively trojanized to keystroke-log all future VPN logins for the attacker.\r\nT1056.003 – Input Capture: Web Portal Capture\r\nWeb Portal Credential Stealer: In earlier campaigns, UNC5221 leveraged a JavaScript-based sniffer known as\r\nWARPWIRE that was injected into the VPN web portal to steal credentials. WARPWIRE would capture\r\nusernames/passwords from users’ web VPN logins and exfiltrate them. This shows the group’s familiarity with\r\nmultiple methods of credential harvesting on Ivanti platforms.\r\nT1552.001 – Unsecured Credentials: Credentials In Files\r\nDumping Cached Credentials and Keys: The ICS appliance itself stores session data and authentication artifacts\r\nthat UNC5221 harvests. Security researchers observed the attackers dumping the appliance’s cached database\r\n(/runtime/mtmp/lmdb) which can contain VPN session tokens, cached credentials, API keys, and even\r\ncryptographic keys or certificates used by the VPN. By obtaining this cache, the attacker might extract things like\r\nsession cookies (to impersonate users) or password hashes/tokens. Ivanti warned that such cache dumps could\r\ncontain sensitive credential material and require remediation (password resets, key revocations) if compromised.\r\nT1078 – Valid Accounts\r\nLeveraging Stored Credentials for Lateral Movement: Once the VPN appliance is compromised, any credentials\r\nstored on or accessible through it become tools for the attacker. UNC5221 was observed using the appliance’s\r\nconfigured LDAP service account (if one was set up for corporate directory integration) to query the\r\norganization’s Active Directory and even to pivot further into the network. \r\nSpecifically, the attacker took the service account username/password (which the ICS uses to look up user entries\r\nin AD) and performed LDAP queries to gather information. 
In some cases, they then used those credentials to\r\nmove laterally onto Windows systems (e.g., connecting to domain controllers via SMB/RDP). This indicates the\r\nappliance was a stepping stone: any privileged account that the VPN had knowledge of was co-opted by the\r\nattacker to expand access inside the network. In summary, the ICS device often holds a key to the kingdom\r\n(service accounts, admin logins, etc.), and UNC5221 wastes no time exploiting those to escalate their reach.\r\nThrough these methods, UNC5221 can accumulate a trove of credentials: VPN user logins (for continued access\r\nor future phishing), internal directory accounts (for lateral movement), and administrative passwords or keys (for\r\nprivilege escalation). Credential Access is a critical stage in their operation, as it enables them to authenticate as\r\nlegitimate users and persist in the network even if the initial vulnerability is patched or the backdoor is\r\ndiscovered.\r\nDiscovery (TA0007) – Reconnaissance of Internal Environment\r\nAfter compromising the VPN gateway, UNC5221 conducts extensive reconnaissance to understand the victim\r\nenvironment and identify further targets. The compromised ICS appliance, now under attacker control, serves as a\r\nvantage point to probe the internal network:\r\nT1046 – Network Service Discovery\r\nNetwork Scanning: The threat actor uses utilities available on the appliance (or uploads their own) to scan the\r\ninternal network. In observed cases, UNC5221 executed tools like nmap (for port scanning) and dig (for DNS\r\nlookups) directly from the VPN appliance. For example, they ran scans to detect hosts on specific ports (80, 443,\r\n445, etc.) and DNS queries for internal domain names. 
Since the appliance sits at the network edge (often with\r\naccess to internal subnets), this allows mapping of the internal IP space, discovering servers, domain controllers,\r\nand other critical systems that might be reachable from the VPN segment.\r\nT1057 – Process Discovery \u0026 T1007 – System Service Discovery\r\nProcess and System Survey: The attackers show detailed knowledge of the Ivanti appliance’s processes and files.\r\nThe initial shell script explicitly searched for a specific process (/home/bin/web) that is the child of another\r\nweb process to target for injection. This indicates they are performing process discovery on the device to ensure\r\ntheir payload hooks into the correct service (the one handling incoming connections). They also dumped memory\r\nmaps and module base addresses (libssl.so, etc.) of processes, likely to assist in calculating offsets for injection.\r\nSuch actions reveal the attackers are interrogating the system’s state in real time. Additionally, by examining\r\nconfiguration files or environment variables on the appliance, they can learn about how it’s connected to the\r\nnetwork (e.g., learning the internal IP ranges, DNS servers, configured authentication servers, etc.).\r\nT1069.002 – Permission Groups Discovery: Domain Groups\r\nDirectory Service Enumeration: Using the stolen or available credentials, UNC5221 queries the organization’s\r\ndirectory services. As noted, they performed LDAP queries via a tool (/tmp/lmdbcerr) to retrieve information from\r\nActive Directory. The commands show they queried for user and group objects (with filters like (cn=*) or\r\n(distinguishedName=*)) and likely pulled large chunks of AD data, saving the outputs to files on the appliance.\r\nThis suggests they were building a map of user accounts, groups, and possibly computer accounts in the domain –\r\nvaluable information for understanding the organization’s structure and planning further actions. 
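The enumeration described for T1069.002 above (presence filters such as (cn=*) and (distinguishedName=*) sent with the appliance's LDAP service account) is something the directory side can alert on, because an ICS appliance normally issues narrow lookups for the user who is logging in. The following is an added example, not code from the original post, from Ivanti or from Mandiant. It assumes a constructed search-log format of one search per line and an assumed allowlist of appliance source addresses (VPN_APPLIANCES); it parses each RFC 4515 filter and flags both filters that only enumerate a class of objects and unusually high search volume from an appliance address.

```python
# Added example, not from the original post: detect directory enumeration of the
# kind described for T1069.002, issued from a VPN appliance's address.
# The log schema below is assumed (one search per line, constructed sample data):
#   <timestamp> ldap_search client=<ip> base=<dn> scope=<base|one|sub> filter=<RFC 4515 filter>

VPN_APPLIANCES = {'10.20.0.5'}                    # assumed: source addresses of the ICS appliances
CLASS_ATTRS = {'objectclass', 'objectcategory'}   # equality on these selects a class, not an object

SAMPLE_LOG = '''
2025-03-20T10:15:02Z ldap_search client=10.20.0.5 base=DC=corp,DC=example scope=sub filter=(sAMAccountName=jdoe)
2025-03-20T10:15:03Z ldap_search client=10.20.0.5 base=DC=corp,DC=example scope=sub filter=(&(objectClass=user)(sAMAccountName=asmith))
2025-03-20T11:42:10Z ldap_search client=10.20.0.5 base=DC=corp,DC=example scope=sub filter=(cn=*)
2025-03-20T11:42:11Z ldap_search client=10.20.0.5 base=DC=corp,DC=example scope=sub filter=(distinguishedName=*)
2025-03-20T11:42:12Z ldap_search client=10.20.0.5 base=DC=corp,DC=example scope=sub filter=(&(objectClass=*)(memberOf=*))
2025-03-20T11:50:00Z ldap_search client=10.30.0.7 base=DC=corp,DC=example scope=sub filter=(cn=*)
'''

def parse_line(line):
    '''Split one log line into a dict; everything after filter= is the filter (it may contain =).'''
    head, _, filt = line.partition(' filter=')
    fields = dict(tok.split('=', 1) for tok in head.split()[2:])
    fields['filter'] = filt.strip()
    return fields

def parse_filter(text):
    '''Minimal RFC 4515 parser into nested tuples. Values must not contain parentheses.'''
    def node(i):
        if text[i] != '(':
            raise ValueError('expected ( at offset %d' % i)
        i += 1
        if text[i] in '&|!':
            op = text[i]
            i += 1
            items = []
            while text[i] == '(':
                child, i = node(i)
                items.append(child)
            return (op, items), i + 1          # skip the closing parenthesis
        end = text.index(')', i)
        attr, _, value = text[i:end].partition('=')
        return ('=', attr, value), end + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError('trailing data in filter')
    return tree

def narrows(tree):
    '''True when the filter pins down particular objects instead of enumerating a class of them.'''
    op = tree[0]
    if op == '=':
        return tree[1].lower() not in CLASS_ATTRS and '*' not in tree[2]
    if op == '&':
        return any(narrows(c) for c in tree[1])   # one selective term is enough
    if op == '|':
        return all(narrows(c) for c in tree[1])   # one broad branch makes the whole filter broad
    return False                                  # negation never narrows

def is_broad(tree):
    return not narrows(tree)

def analyze(log_text, appliances=VPN_APPLIANCES, volume_threshold=3):
    '''Alerts: every broad filter from an appliance, plus high search volume per appliance.'''
    alerts = []
    per_client = {}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec['client'] not in appliances:
            continue
        per_client[rec['client']] = per_client.get(rec['client'], 0) + 1
        if is_broad(parse_filter(rec['filter'])):
            alerts.append(('broad_filter', rec['client'], rec['filter']))
    for client, count in per_client.items():
        if count >= volume_threshold:
            alerts.append(('high_volume', client, count))
    return alerts

if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

To run this on real data, feed it the search requests recorded by the domain controllers' directory service diagnostic logging or by a network sensor that decodes LDAP, keyed on the appliance's configured LDAP source address, and apply the volume threshold per time window rather than over a whole file. The allowlist matters: the same filters from a domain-joined management host are a weaker signal than from an appliance that should only ever look up one account at a time.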
Discovery of\r\nsuch directory info is common in espionage to identify high-value accounts or systems.\r\nT1518.001 – Software Discovery: Security Software Discovery\r\nEnvironment Observation: The attackers also seek information about security measures. Disabling the ICS\r\nIntegrity Checker Tool implies they were aware of its presence (which itself is a form of discovery – recognizing\r\nactive security controls). By inspecting the system, they can determine if additional security agents or monitors\r\nare running (though many VPN appliances lack traditional antivirus or EDR by design). UNC5221’s attention to\r\nwhat’s running on the appliance (and removal of anything that might report their activity) is part of discovering\r\nand neutralizing defensive sensors.\r\nIn summary, UNC5221 systematically gathers intel on the network from their beachhead. They leverage the\r\ncompromised VPN’s perspective to scan internally, enumerate critical services (like AD), and learn the layout of\r\nthe victim network. This Discovery phase sets the stage for selecting targets for data collection and lateral\r\nmovement.\r\nCollection (TA0009)\r\nAs an espionage actor, UNC5221’s end goal is to collect valuable information. Once they have a foothold and\r\nknowledge of the environment, they move to gather and prepare data for exfiltration:\r\nT1005 – Data from Local System\r\nCapturing VPN Appliance Data: One of the first targets for collection is the VPN appliance itself. UNC5221\r\narchives the VPN appliance’s session database cache, which resides in the directory /runtime/mtmp/lmdb. This\r\ncache database can contain a wealth of sensitive data: active VPN session details, user authentication records,\r\nsession cookies, tokens, API keys, and even TLS certificates used by the appliance. 
By stealing this, the attackers\r\npotentially obtain authentication session cookies (which could allow them to hijack active sessions or replay\r\nthem), API secrets (if the VPN was integrated with other systems), and private keys or certificates (which could\r\nenable decrypting captured VPN traffic for sessions without forward secrecy, or impersonating the VPN server). The threat actor bundles up this database –\r\nresearchers observed them tarring the contents of the lmdb cache – as a convenient package of intel.\r\nT1036.008 – Masquerading: Masquerade File Type\r\nMasquerading Data as Legitimate Files: After archiving the data, UNC5221 masquerades the stolen files to blend\r\nin. In a reported case, they took the tarball of the database dump and renamed it with a .css extension, placing it in\r\nthe VPN appliance’s web directory (/home/webserver/htdocs/dana-na/css/). By doing so, they stage the data to\r\nappear like a harmless stylesheet file on the VPN web portal. This is a clever preparation for exfiltration – the data\r\ncan be downloaded over HTTPS from the appliance by the attacker (or automatically by their script) without\r\nraising immediate suspicion, as it looks like a normal web resource. It also means the exfiltration traffic will be\r\nencrypted (since it’s pulled via HTTPS from the VPN web server), making it harder for network monitoring to\r\ndetect sensitive data being taken out.\r\nT1005 – Data from Local System\r\nExtracting System Images: UNC5221 also deployed a tool called SPAWNSNARE on some appliances, which is\r\nused to extract the device’s Linux kernel image (vmlinux) and encrypt it using AES. Stealing the kernel\r\nimage might not be directly about business data, but it is likely done for technical espionage – for instance, to\r\nanalyze the kernel for additional vulnerabilities or to assist in developing rootkits. 
By encrypting the extracted\r\nkernel before storing or exfiltrating, the attackers ensure that even if the file is found, its contents are not\r\nimmediately obvious to defenders. This indicates a high level of sophistication; the actor is interested not just in\r\norganizational data, but also in the underlying technology of the device, possibly to enable future exploits.\r\nT1039 – Data from Network Shared Drive\r\nInternal Data Access: With credentials in hand and knowledge of the network, UNC5221 can also directly collect\r\ndata from internal systems. For example, if they used the VPN’s service account to access a file share or a\r\ndatabase inside the network, they might retrieve documents, emails, or database records relevant to their\r\nintelligence goals. In earlier incidents, Chinese actors exploiting Pulse Secure devices have been known to deploy\r\nweb shells or tools on internal servers to gather files. While specific files stolen in the UNC5221 campaign have\r\nnot been detailed publicly, it is typical for such an actor to siphon any accessible sensitive information (e.g. files\r\non SharePoint, email servers, or databases that the compromised credentials can reach).\r\nBy the end of the Collection phase, UNC5221 has packaged up both device-resident data (logs, caches, configs)\r\nand potentially business data from the victim’s network. The data is staged in a manner conducive to exfiltration –\r\noften compressed and placed in known locations or encrypted for safety. 
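The .css masquerade described under T1036.008 above is defeated by checking content rather than file name, since a tar archive keeps its magic bytes whatever it is called. The following is an added example, not code from the original post, from Ivanti or from Mandiant. It builds a throwaway web directory (the dana-na/css path mirrors the one named above), stages a tar archive of a fake lmdb directory under a stylesheet name next to a gzipped .js, and then scans the tree for files whose leading bytes do not match their text extension.

```python
# Added example, not from the original post or from Ivanti: find archives staged under
# stylesheet/script names in a web directory, by content rather than extension.
# build_fixture() constructs a throwaway tree; dana-na/css mirrors the path named above.
import gzip
import os
import tarfile
import tempfile

WEB_TEXT_EXTS = ('.css', '.js', '.html')

def classify(head):
    '''Identify what a file really is from its first bytes (the caller reads up to 512).'''
    if head[:2] == bytes([0x1F, 0x8B]):
        return 'gzip'
    if head[:4] == b'PK' + bytes([3, 4]):
        return 'zip'
    if len(head) > 262 and head[257:262] == b'ustar':   # ustar/GNU/pax tar magic
        return 'tar'
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    if head and printable / len(head) < 0.9:
        return 'binary'
    return 'text'

def scan_webroot(root):
    '''Return (relative path, real type) for web text files whose content is not text.'''
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(WEB_TEXT_EXTS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                kind = classify(fh.read(512))
            if kind != 'text':
                findings.append((os.path.relpath(full, root), kind))
    return sorted(findings)

def build_fixture(root):
    '''Constructed web tree: a real stylesheet, a tarred fake cache renamed .css, a gzipped .js.'''
    css_dir = os.path.join(root, 'dana-na', 'css')
    os.makedirs(css_dir)
    with open(os.path.join(css_dir, 'ds.css'), 'w') as fh:
        fh.write('body { color: #333; }' + chr(10))
    cache = os.path.join(root, 'lmdb')               # stand-in for a dumped cache directory
    os.makedirs(cache)
    with open(os.path.join(cache, 'data.mdb'), 'wb') as fh:
        fh.write(bytes(range(256)) * 4)
    with tarfile.open(os.path.join(css_dir, 'theme2.css'), 'w') as tar:
        tar.add(cache, arcname='lmdb')
    with gzip.open(os.path.join(css_dir, 'app.js'), 'wb') as fh:
        fh.write(b'not really javascript')
    return css_dir

def demo():
    '''Build the fixture in a temporary directory and scan it.'''
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_webroot(root)

if __name__ == '__main__':
    for path, kind in demo():
        print(path, 'is actually', kind)
```

Run this over a filesystem image of the appliance or the web root exported during an investigation, and pair it with the web server's access log to see which external addresses fetched the flagged names. The printable-ratio fallback catches raw binary dumps, but not an archive the attacker has base64-encoded before staging; for that, compare the file against the appliance's known-good web content (the ICT does this for the files it covers).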
This careful staging is a precursor to the\r\nfinal step of exfiltration.\r\nExfiltration (TA0010) – Extracting Data Without Detection\r\nUNC5221 exfiltrates the collected data through stealthy means to avoid setting off alarms:\r\nT1041 – Exfiltration Over C2 Channel\r\nUsing the Victim’s Own Infrastructure: As noted, the group often places stolen files on the appliance’s web server\r\ndirectory disguised as legitimate content (e.g., a .css file). The attackers can then download this file over HTTPS\r\nfrom the appliance at their leisure. From a defender’s view, this might appear as the VPN appliance serving a\r\nnormal file to an external IP – not immediately suspicious, especially if the request closely follows patterns of\r\nlegitimate file accesses. By piggybacking on the victim’s infrastructure (the VPN’s web interface), the exfiltration\r\ntraffic hides in plain sight.\r\nPassive Backdoor Channel: The BRUSHFIRE passive backdoor also provides a means to exfiltrate data on demand. Because it executes commands sent via specially crafted packets, the attackers could instruct\r\nBRUSHFIRE to read files (such as the cached credentials or collected data) and send the output back, embedded\r\nin the response. The backdoor would then use the normal VPN SSL connection to write back the results (it calls\r\nSSL_write with the output) to the attacker. This method keeps the exfiltration within the VPN’s normal traffic\r\nflow. However, using BRUSHFIRE requires the attackers to actively trigger it with a command that says, in effect,\r\n“send me the contents of file X,” after which the data would be covertly transmitted out in the SSL response.\r\nT1572 – Protocol Tunneling\r\nTunneling and Proxying: In previous operations, UNC5221 has installed tunneling tools like PySoxy (a Python\r\nSOCKS proxy) to channel data through the compromised device. A tunneler can allow the attackers to route traffic\r\nfrom internal systems out through the VPN appliance. 
For example, they could copy large files from an internal\r\nserver to the VPN appliance and then out to the internet via an encrypted tunnel. They also utilized utilities like\r\nBusyBox on the appliance to facilitate data transfer and scripting. Combined with their external obfuscation\r\nnetwork (compromised proxies), the group can chain connections in a way that the data’s path out to their\r\ncontrolled server is non-obvious.\r\nT1020 – Automated Exfiltration\r\nExfiltration Over Time: Rather than a one-time giant transfer (which might be noticed), UNC5221 likely\r\nexfiltrates data in smaller chunks or during times that blend in with normal traffic. For instance, transferring the\r\nfake .css file (which contains the cache dump) could be done during off-peak hours or multiple smaller archives\r\ncould be staged. The attackers can maintain access to the device to periodically collect and exfiltrate new\r\ndata as well, extending the data theft over weeks if undetected.\r\nIn essence, UNC5221’s exfiltration methods are low-and-slow and camouflaged. By making exfiltration traffic\r\nappear routine (HTTPS requests to the VPN, or responses to legitimate-looking sessions), they evade many data\r\nloss prevention controls. Any external network monitors would see encrypted traffic that appears to be typical\r\nVPN usage or web requests, thus blending the exfiltration with regular operations.\r\nHow Does Picus Help Defend Against the China-Nexus Threat Group UNC5221?\r\nWe strongly suggest simulating UNC5221’s attacks to test the effectiveness of your security controls against them\r\nusing the Picus Security Validation Platform.  
\r\nThe Picus Threat Library includes the following threats related to UNC5221 and the exploitation of Ivanti\r\nConnect Secure (CVE-2025-22457).\r\nThreat ID | Threat Name | Attack Module\r\n38486 | UNC5221 Threat Group Campaign Malware Email Threat | E-mail Infiltration\r\n81651 | UNC5221 Threat Group Campaign Malware Download Threat | Network Infiltration\r\n64333 | SPAWNSNARE Utility Download Threat | Network Infiltration\r\n68529 | SPAWNSNARE Utility Email Threat | E-mail Infiltration\r\n20144 | Ivanti Connect Secure CVE-2025-22457 Exploiting Vulnerability Download Threat | Network Infiltration\r\n39508 | Ivanti Connect Secure CVE-2025-22457 Exploiting Vulnerability Email Threat | E-mail Infiltration\r\nDefense Strategies Against the UNC5221 Threat Group's Attacks\r\nTo mitigate the impact of UNC5221 attack campaigns, organizations should adopt a layered defense\r\napproach:\r\nPatch and Retire Vulnerable Ivanti Appliances Immediately\r\nUNC5221 exploited CVE-2025-22457 in unpatched Ivanti Connect Secure (ICS) and legacy Pulse Secure VPN\r\ndevices. Organizations should upgrade all ICS appliances to version 22.7R2.6 or later, and decommission\r\nunsupported Pulse Connect Secure 9.x devices. Apply vendor-recommended hardening guides, and monitor Ivanti\r\nadvisories for additional mitigations. If your environment contains affected versions, assume compromise and\r\nperform a full investigation, including integrity checks and credential revocation.\r\nDetect Fileless Malware and In-Memory Backdoors on ICS Appliances\r\nUNC5221 deployed in-memory implants (TRAILBLAZE, BRUSHFIRE) that evade traditional disk-based\r\ndetection. Deploy file integrity monitoring and memory inspection tools where possible. 
Use the Ivanti Integrity\r\nChecker Tool (ICT) to verify the appliance state, and hunt for indicators such as unusual files in /tmp, high-privilege processes modifying web, or unauthorized memory access patterns. Because UNC5221 attempted to tamper with the ICT itself, treat a clean result from an on-box check with caution and confirm it with an independent integrity check. Monitor for tools like\r\nSPAWNSLOTH that suppress syslog activity: a sudden silence from an appliance that normally forwards logs is itself an indicator.\r\nContinuously Test and Validate Security Controls\r\nUNC5221 follows a clear sequence of behaviors. Implementing Breach and Attack Simulation (BAS) platforms,\r\nsuch as Picus Security Control Validation (SCV), enables security teams to emulate realistic, multi-stage attack\r\nscenarios that mirror the tactics, techniques, and procedures (TTPs) observed in UNC5221 campaigns. \r\nBy continuously testing your environment against these scenarios, BAS tools can expose blind spots, validate\r\nexisting controls, and generate actionable insights to improve detection and response capabilities, helping you\r\nstay one step ahead of sophisticated adversaries.\r\nMonitor for LDAP Abuse and Credential Theft\r\nUNC5221 leveraged compromised LDAP service account credentials to query Active Directory and move\r\nlaterally. Monitor for LDAP queries originating from ICS appliances, especially those requesting broad object\r\nfilters (e.g., cn=*, distinguishedName=*). Use behavior analytics to flag unexpected access patterns and high-volume directory lookups from non-domain-joined systems. Ensure VPN appliances have least-privileged\r\nservice accounts with read-only permissions.\r\nHarden and Segment Network Access to VPN Infrastructure\r\nPrevent compromised ICS appliances from serving as lateral movement pivots. Restrict outbound connectivity\r\nfrom VPN appliances to only required services. Apply network segmentation and isolate appliances from\r\ninternal subnets that do not require direct access. 
Monitor for unexpected outbound HTTPS traffic and inspect for disguised exfiltration (e.g., .css or .zip downloads from ICS web directories). Enforce strong authentication and regularly rotate credentials stored or cached on appliances.\r\n\r\nReferences\r\n[1] “Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457),” Google Cloud Blog, Apr. 03, 2025. Available: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability. [Accessed: Apr. 16, 2025]\r\n[2] R. Wright, “CISA adds Ivanti Connect Secure vulnerability to KEV catalog,” Cybersecurity Dive, Apr. 07, 2025. Available: https://www.cybersecuritydive.com/news/cisa-ivanti-connect-secure-vulnerability-kev/744603/. [Accessed: Apr. 16, 2025]\r\n[3] M. Kapko, “China-backed espionage group hits Ivanti customers again,” CyberScoop, Apr. 03, 2025. Available: http://cyberscoop.com/china-espionage-group-ivanti-vulnerability-exploits/. [Accessed: Apr. 16, 2025]\r\n[4] Dark Reading. Available: https://www.darkreading.com/vulnerabilities-threats/china-linked-threat-group-exploits-ivanti-bug\r\n[5] SecurityWeek. Available: https://www.securityweek.com/rapid7-reveals-rce-path-in-ivanti-vpn-appliance-after-silent-patch-debacle\r\nSource: https://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure"
	],
	"report_names": [
		"unc5221-cve-2025-22457-ivanti-connect-secure"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-29T06:58:58.254021Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-29T06:58:56.751454Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"Red Dev 61",
				"UNC5221"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-29T06:58:57.850511Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-29T06:58:57.598741Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-29T06:58:56.159091Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"DRAGONFISH",
				"ATK1",
				"Red Salamander",
				"Billbug",
				"Lotus Blossom",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"G0030",
				"Lotus BLossom"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-29T06:58:57.98576Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429284,
	"ts_updated_at": 1777450982,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdaec515f3b87dca9740fb55f5dfb1de73671ea0.pdf",
		"text": "https://archive.orkl.eu/fdaec515f3b87dca9740fb55f5dfb1de73671ea0.txt",
		"img": "https://archive.orkl.eu/fdaec515f3b87dca9740fb55f5dfb1de73671ea0.jpg"
	}
}