This report details attacks, active from December 2024 through July 2025, that exploited CVE-2025-0282 and CVE-2025-22457 in Ivanti Connect Secure devices and then used the malware loader MDifyLoader to run Cobalt Strike Beacon in memory, alongside the vshell RAT and the Fscan network scanner. After the initial compromise, the attackers moved laterally, established persistence, and evaded defenses inside the victim networks. #MDifyLoader #CobaltStrike #vshell #Fscan #IvantiConnectSecure #CVE20250282 #CVE202522457
Key points
- MDifyLoader uses DLL side-loading and RC4 decryption to execute encrypted Cobalt Strike Beacon payloads in memory, employing obfuscation techniques including junk code insertion.
- Attackers use the multi-platform RAT vshell (version 4.6.0); the sample checks whether the system language is Chinese, which suggests test code was not fully removed before deployment.
- Fscan, an open-source network scanner, is deployed via a custom loader based on FilelessRemotePE that patches ntdll.dll to bypass Event Tracing for Windows (ETW).
- Post-compromise actions include brute-force attacks against various services and exploitation of SMB vulnerability MS17-010 for lateral movement across the internal network.
- Attackers maintain persistence by creating domain accounts, adding them to groups, and registering malware as Windows services or scheduled tasks to ensure ongoing access.
- Defense evasion is achieved by masquerading malware as legitimate files, using loader-based execution to avoid detection, and deleting used tools to cover tracks.
- These attack campaigns have been active from December 2024 through July 2025, primarily targeting VPN devices like Ivanti Connect Secure.
MITRE Techniques
- [T1133] External Remote Services – Exploited vulnerabilities in VPN devices for initial access (“Exploit a vulnerability in the VPN device to gain access”).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Executed malware through scheduled tasks (“Execute malware through a scheduled task”).
- [T1136.002] Create Account: Domain Account – Created new domain accounts for persistence.
- [T1098] Account Manipulation – Added created accounts to groups to maintain access.
- [T1543.003] Create or Modify System Process: Windows Service – Registered malware as Windows services for persistence and privilege escalation.
- [T1036] Masquerading – Disguised malware as legitimate files (“loader using a legitimate file”).
- [T1070.004] File Deletion – Deleted used malware and tools to cover attack traces.
- [T1140] Deobfuscate/Decode Files or Information – Used obfuscation and RC4 decryption in multiple loader components.
- [T1562.001] Impair Defenses: Disable or Modify Tools – Loaded Fscan with patched ntdll.dll to disable ETW tracing.
- [T1110.001] Password Guessing – Conducted brute-force attacks on AD, FTP, MSSQL, and SSH servers.
- [T1087] Account Discovery – Collected account information for lateral movement.
- [T1210] Exploitation for Lateral Movement – Exploited MS17-010 SMB vulnerability (“Exploit the SMB vulnerability MS17-010 to move laterally”).
- [T1021.001] Remote Services: Remote Desktop Protocol – Used credentials to move laterally via RDP.
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Expanded compromise via SMB shares.
- [T1573] Encrypted Channel – Encrypted command and control communications using TLS and custom protocols.
Indicators of Compromise
- [File Hash] Malware and loaders – MDifyLoader (jli.dll: 45ecb7b23b328ab7…, Microsoft.WindowsAppRuntime.Bootstrap.dll: 9e91862b585fc4d2…), Fscan loader (python311.dll: 699290a753f35ae3…), Fscan (k.bin: cff2afc651a9cba84…), Cobalt Strike configs (update.dat: 09087fc4f8c261a81…, config.ini: 1652ab693512cd4f2…), vshell executables (ws.exe: 85f9819118af284e…, ws_windows_amd2.exe: 48f3915fb8d8ad39…).
- [IP Address and Domains] Command and control servers – 172.237.6[.]207:80, proxy.objectlook[.]com:80, api.openedr.eu[.]org:443, community.openedr.eu[.]org:443, query.datasophos[.]com:443.
- [File Name] Legitimate files used in execution – python.exe, rmic.exe, push_detect.exe.
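The indicators above translate directly into two detection rules: the named loader DLLs being loaded by the named legitimate host executables (the DLL side-loading pattern from the first key point), and outbound traffic or DNS lookups to the listed C2 hosts. The script below is an added example and is not JPCERT's code or tooling. It reads constructed Sysmon-style `key=value` event lines (the line format is an assumption; real Sysmon data is XML/EVTX), and because the page does not state which executable hosts which DLL, it flags any listed host loading any listed DLL, rating the load "low" only when the DLL sits under an assumed trusted install root such as Program Files. The event lines and paths are constructed sample data, not observations from the report.

```python
"""Detection sketch for the side-loading and C2 indicators in the IoC list.

Added example, not JPCERT's code. Parses constructed Sysmon-style
'key=value' event lines (an assumed format) and returns alerts for:
  * the report's loader DLLs being loaded by the legitimate host
    executables named in the report (DLL side-loading);
  * network connections or DNS queries to the report's C2 hosts.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report's IoC list (refanged).
SIDELOAD_HOSTS = {"python.exe", "rmic.exe", "push_detect.exe"}
LOADER_DLLS = {"jli.dll", "microsoft.windowsappruntime.bootstrap.dll", "python311.dll"}
C2_HOSTS = {
    "172.237.6.207", "proxy.objectlook.com", "api.openedr.eu.org",
    "community.openedr.eu.org", "query.datasophos.com",
}
# Assumed trusted install roots: a listed DLL loaded from here is rated
# low (e.g. a real JDK's jli.dll); anywhere else is rated high.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Alert:
    rule: str      # "sideload", "c2" or "c2_dns"
    severity: str  # "high" or "low"
    detail: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one 'Key=value Key2="quoted value"' line into a lower-cased dict."""
    return {k.lower(): v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """File name of a Windows (or POSIX) path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Alert]:
    alerts: list[Alert] = []
    image = basename(ev.get("image", ""))
    etype = ev.get("event")
    if etype == "ImageLoad":
        dll_path = ev.get("imageloaded", "")
        if image in SIDELOAD_HOSTS and basename(dll_path) in LOADER_DLLS:
            trusted = dll_path.lower().startswith(TRUSTED_ROOTS)
            alerts.append(Alert("sideload", "low" if trusted else "high",
                                f"{image} loaded {dll_path}"))
    elif etype == "NetworkConnect":
        dst = {ev.get("destinationip", "").lower(),
               ev.get("destinationhostname", "").lower()} & C2_HOSTS
        if dst:
            alerts.append(Alert("c2", "high",
                                f"{image} -> {sorted(dst)[0]}:{ev.get('destinationport', '?')}"))
    elif etype == "DnsQuery":
        name = ev.get("queryname", "").lower().rstrip(".")
        if name in C2_HOSTS:
            alerts.append(Alert("c2_dns", "high", f"{image} resolved {name}"))
    return alerts


def scan(lines) -> list[Alert]:
    """Run every rule over an iterable of event lines; blank lines are skipped."""
    alerts: list[Alert] = []
    for line in lines:
        if line.strip():
            alerts.extend(check_event(parse_event(line)))
    return alerts


# Constructed sample events (not from the report). Expected: three
# side-load hits (high, low, high), one C2 connect, one C2 DNS query,
# and nothing for the two benign lines.
SAMPLE_EVENTS = [
    r'Event=ImageLoad Image="C:\Users\Public\rmic.exe" ImageLoaded="C:\Users\Public\jli.dll"',
    r'Event=ImageLoad Image="C:\Program Files\Java\jdk-17\bin\rmic.exe" ImageLoaded="C:\Program Files\Java\jdk-17\bin\jli.dll"',
    r'Event=ImageLoad Image="C:\ProgramData\tools\python.exe" ImageLoaded="C:\ProgramData\tools\python311.dll"',
    r'Event=NetworkConnect Image="C:\ProgramData\tools\push_detect.exe" DestinationIp=172.237.6.207 DestinationPort=80',
    r'Event=DnsQuery Image="C:\Users\Public\ws.exe" QueryName=query.datasophos.com',
    r'Event=NetworkConnect Image="C:\Windows\System32\svchost.exe" DestinationIp=8.8.8.8 DestinationHostname=dns.google DestinationPort=53',
    r'Event=ImageLoad Image="C:\Windows\System32\notepad.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity:4}] {a.rule:8} {a.detail}")
```

In production the "low" rating would be replaced by a hash or signature check on the loaded DLL, since a loader can be dropped next to a copied host executable under any path; the trusted-root heuristic only separates the report's "legitimate file in an odd location" pattern from ordinary Java or Python installs.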
Read more: https://blogs.jpcert.or.jp/en/2025/07/ivanti_cs.html