The article details exploitation of Ivanti Endpoint Manager Mobile vulnerabilities CVE-2025-4427 and CVE-2025-4428, enabling unauthenticated remote code execution and post-exploitation activity such as KrustyLoader delivery via AWS S3. It links the activity to UNC5221, a suspected China-nexus espionage actor, and notes targeted attacks across healthcare, telecommunications, and finance worldwide, underscoring the need for continuous visibility and anomaly-based defense. #KrustyLoader #UNC5221 #IvantiEPMM #AWS_S3 #Healthcare #Telecom #Finance
Keypoints
- Ivanti EPMM vulnerabilities CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution) can be chained to achieve unauthenticated remote code execution on exposed appliances.
- Attackers used exploit validation, OAST DNS requests, and HTTP-based payload delivery via AWS S3 to deploy KrustyLoader.
- KrustyLoader is a Rust-based loader, previously observed in UNC5221's exploitation of Ivanti Connect Secure appliances, that is downloaded from AWS S3 bucket endpoints and used to maintain access on the compromised Ivanti systems.
- The activity is attributed to UNC5221, a suspected China-nexus espionage actor.
- Darktrace and researchers highlight the need for extended visibility, anomaly-based detection, and rapid interventions.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427/4428 to gain unauthenticated remote code execution (‘An authentication bypass vulnerability’ and ‘Remote code execution vulnerability’).
- [T1105] Ingress Tool Transfer – Delivery of KrustyLoader payloads via AWS S3 bucket endpoints (‘Downloading malicious ELF files—often with randomly generated filenames—from AWS S3 bucket endpoints’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Attackers used wget and curl on the Linux-based EPMM appliance to fetch payloads and commands (‘user agent associated with the command-line tool cURL’).
- [T1071.001] Web Protocols – HTTP-based payload delivery and C2-related communications (‘These downloads occurred over HTTP connections’).
Indicators of Compromise
- [IP Address] C2 endpoint – 15.188.246.198, 185.193.125.65, 64.52.80.21, 134.209.107.209
- [Hostname] C2 endpoint – trkbucket.s3.amazonaws.com, tnegadge.s3.amazonaws.com, fconnect.s3.amazonaws.com, 0d8da2d1.digimg.store
- [URL] Payload URLs – trkbucket.s3.amazonaws.com/NVGAoZDmEe, tnegadge.s3.amazonaws.com/dfuJ8t1uhG, fconnect.s3.amazonaws.com/mnQDqysNrlg, 15.188.246.198/4l4md4r.sh?grep, 185.193.125.65/c4qDsztEW6/TIGHT_UNIVERSITY
- [SHA1 File Hash] Payload – c47abdb1651f9f6d96d34313872e68fb132f39f5
- [MD5 File Hash] Payload – 4abfaeadcd5ab5f2c3acfac6454d1176, d8d6fe1a268374088fb6a5dc7e5cbb54
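The indicators above are most useful when combined with the behavioural pattern the article describes: an appliance fetching a randomly named object from an S3 bucket over plain HTTP with a curl or wget user agent. The following is an added example, not code from the Darktrace article, that runs both the exact-match IOCs from this page and that behavioural check over a handful of constructed proxy log lines. The log format (`<timestamp> <src_ip> <method> <url> "<user-agent>"`) and all sample lines are assumptions made for the example; adapt the parser to your proxy or egress logging.

```python
"""Flag KrustyLoader-style S3 payload fetches in web proxy logs (example code, not Darktrace's)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Exact-match IOCs taken from this page (network indicators only; hashes need file telemetry).
IOC_HOSTS = {
    "trkbucket.s3.amazonaws.com",
    "tnegadge.s3.amazonaws.com",
    "fconnect.s3.amazonaws.com",
    "0d8da2d1.digimg.store",
}
IOC_IPS = {"15.188.246.198", "185.193.125.65", "64.52.80.21", "134.209.107.209"}

# Behavioural pattern: a virtual-hosted-style S3 bucket host, fetched over HTTP, where the
# object key is a bare alphanumeric token with no extension ("randomly generated filenames").
S3_HOST_RE = re.compile(r"^[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
RANDOM_NAME_RE = re.compile(r"^/[A-Za-z0-9]{8,16}$")
CLI_UA_RE = re.compile(r"^(curl|Wget)/", re.IGNORECASE)

# Assumed (constructed) log format: <timestamp> <src_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Finding:
    src: str
    url: str
    reasons: list[str] = field(default_factory=list)


def is_external(host: str) -> bool:
    """Treat public IPs and all hostnames as external; RFC1918/loopback as internal."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious request, or None if the line is clean or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, src, _method, url, ua = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons: list[str] = []
    if host in IOC_HOSTS or host in IOC_IPS:
        reasons.append("known_ioc")
    if parts.scheme == "http" and S3_HOST_RE.match(host) and RANDOM_NAME_RE.match(parts.path):
        reasons.append("s3_random_object_over_http")
    if CLI_UA_RE.match(ua) and is_external(host):
        reasons.append("cli_user_agent_external")
    return Finding(src, url, reasons) if reasons else None


def scan_proxy_logs(lines: list[str]) -> list[Finding]:
    """Run analyse_line over every log line and keep only the hits, in log order."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample log: two lines reuse URLs from this page's IOC list, one is a
# look-alike bucket not on the list (caught by the behavioural check), the rest are benign.
SAMPLE_LOG = [
    '2025-05-16T10:02:11Z 10.0.5.20 GET http://trkbucket.s3.amazonaws.com/NVGAoZDmEe "curl/7.61.1"',
    '2025-05-16T10:02:15Z 10.0.5.20 GET http://15.188.246.198/4l4md4r.sh?grep "curl/7.61.1"',
    '2025-05-16T10:03:40Z 10.0.5.21 GET https://docs.ivanti.com/ "Mozilla/5.0"',
    '2025-05-16T10:04:02Z 10.0.5.22 GET http://examplebkt.s3.amazonaws.com/Qx7pLm2ZrT9 "curl/8.0.1"',
    '2025-05-16T10:05:00Z 10.0.5.23 GET http://10.0.9.4/health "curl/8.0.1"',
    '2025-05-16T10:05:30Z 10.0.5.24 GET https://bucket.s3.amazonaws.com/reports/q1.pdf "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_proxy_logs(SAMPLE_LOG):
        print(f"{hit.src} -> {hit.url}  [{', '.join(hit.reasons)}]")
```

The third hit (`examplebkt.s3.amazonaws.com`) is the reason to keep the behavioural rule alongside the IOC list: the S3 bucket names rotate between intrusions, but an appliance pulling an extension-less, random-looking object over HTTP with a curl user agent is the delivery shape the article describes regardless of which bucket is used. Internal curl traffic (the health check to 10.0.9.4) is deliberately not flagged, since management appliances routinely make such requests.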