This article summarizes the covert cyber-espionage activities of UNC5221, a hacking group that exploited CVE-2025-22457 in Ivanti Connect Secure to gain undetected access to the internal systems of a range of organizations. The group, believed to be linked to Chinese government interests, targets under-resourced sectors and uses stealthy malware, causing significant damage across multiple regions. Affected: regional African firms, NGOs, healthcare sectors, logistics companies
Keypoints :
- A junior IT analyst reviewing security logs noticed suspicious, unexplained connections into his company's internal systems.
- The intrusion exploited a known vulnerability in Ivanti Connect Secure (CVE-2025-22457, a stack-based buffer overflow that Ivanti fixed in ICS 22.7R2.6) which gives an unauthenticated attacker Remote Code Execution (RCE) on the VPN appliance without triggering detection.
- UNC5221, the hacker group behind the attack, operates methodically and is believed to be linked to Chinese government interests.
- The group used purpose-built malware, including Trailblaze (an in-memory dropper), Brushfire (a passive backdoor) and the Spawn malware family, to keep control of compromised appliances while staying undetected.
- Over 400 organizations, many of them medium-sized businesses and NGOs, were affected because they were still running outdated, unpatched VPN software.
- Cybersecurity best practices include applying updates promptly, retiring unsupported or end-of-life tools, and training staff in cyber awareness.
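The last two points come down to one recurring failure: VPN appliances left on a version that was already known to be vulnerable. The script below is an added example, not code from the article, from Ivanti or from Mandiant; it audits a fleet inventory of Ivanti Connect Secure appliances against the CVE-2025-22457 fix line. It assumes, from Ivanti's advisory, that ICS 22.7R2.5 and earlier are affected, that the fix shipped in 22.7R2.6, and that the 9.x line is end-of-support and should be retired rather than patched. The hostnames and versions in `INVENTORY` are constructed sample data.

```python
"""
Inventory audit of Ivanti Connect Secure (ICS) appliances against CVE-2025-22457.

Added example; not code from the article, from Ivanti or from Mandiant.
Assumptions (taken from Ivanti's advisory for CVE-2025-22457):
  - ICS 22.7R2.5 and earlier are affected; the fix shipped in ICS 22.7R2.6.
  - The 9.x line is end-of-support and should be retired, not patched.
The INVENTORY text is constructed sample data, not real hosts.
"""
import re

FIXED_VERSION = "22.7R2.6"   # first ICS release carrying the fix (assumption noted above)

# Ivanti version strings look like 22.7R2.5 or 9.1R18.9; the trailing .patch is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

# Constructed sample inventory: "hostname, version_reported_by_appliance".
INVENTORY = """\
# host, version   (constructed sample data)
vpn-hq.example.org, 22.7R2.6
vpn-branch1.example.org, 22.7R2.5
vpn-branch2.example.org, 22.6R2
vpn-legacy.example.org, 9.1R18.9
vpn-lab.example.org, unknown
"""


def parse_ics_version(version: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); raise on unknown formats."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised ICS version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def classify(version: str) -> str:
    """Map one reported version to an action category for the CVE-2025-22457 audit."""
    try:
        parsed = parse_ics_version(version)
    except ValueError:
        return "unknown-version"        # cannot assess: pull the real version from the appliance
    if parsed[0] < 22:
        return "end-of-support"         # 9.x: unsupported line, retire rather than patch
    if parsed < parse_ics_version(FIXED_VERSION):
        return "vulnerable"             # 22.x below 22.7R2.6: upgrade now
    return "patched"


def audit_inventory(text: str) -> dict[str, str]:
    """Classify every host in a 'host, version' inventory; skips blank lines and # comments."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        report[host.strip()] = classify(version)
    return report


def needs_action(report: dict[str, str]) -> list[str]:
    """Hosts that are not confirmed patched, worst cases first, then alphabetical."""
    order = {"vulnerable": 0, "end-of-support": 1, "unknown-version": 2}
    return sorted((h for h, s in report.items() if s != "patched"),
                  key=lambda h: (order[report[h]], h))


if __name__ == "__main__":
    result = audit_inventory(INVENTORY)
    for host in needs_action(result):
        print(f"{result[host]:16} {host}")
```

A version number only tells you whether an appliance was exposed, not whether it was compromised. Any host the audit flags as vulnerable or end-of-support should be examined for signs of compromise (Ivanti's Integrity Checker Tool and the appliance's own logs, the kind of review that surfaced the unexplained connections in the story above) before it is simply upgraded, because a patch does not remove a backdoor that is already installed.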