Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks

A China-linked threat actor exploited recently patched vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to target organizations worldwide, stealing data and gaining remote access. The attack involved sophisticated techniques, including a Rust-based loader and command-and-control infrastructure linked to Auto-Color Linux backdoors.

Keypoints

  • The vulnerabilities CVE-2025-4427 and CVE-2025-4428 were exploited by the China-nexus group UNC5221 before they were patched.
  • The attacker used the flaws to achieve remote code execution on targeted EPMM endpoints and deployed malicious loaders such as KrustyLoader for further payload delivery.
  • The threat actors accessed sensitive data in the vulnerable Ivanti systems, including device-management data and user tokens, for espionage purposes.
  • Obfuscated commands, network reconnaissance, and use of open-source tools like FRP facilitated lateral movement within compromised networks.
  • Scanning activity targeting similar products increased prior to vulnerabilities being publicly disclosed, indicating preparatory probing by attackers.

Read More: https://thehackernews.com/2025/05/chinese-hackers-exploit-ivanti-epmm.html