Cybersecurity researchers have warned about a new malware called Dslogdrat, which is currently installed following the exploitation of Ivanti Connect Secure (ICS)’s currently patched security flaws.
The malware was installed along with Web Shell by leveraging the zero-day vulnerability of CVE-2025-0282 during an attack on Japanese organizations around December 2024,” JPCERT/CC researcher Uma Masbuchi said in a report released Thursday.
CVE-2025-0282 refers to a serious security flaw in ICS, allowing for uncertified remote code execution. Addressed by Ivanti in early January 2025.
However, this drawback is being utilized as a zero day by the China-Nexus Cyberspy Group called UNC5337 to provide Malware’s spawning ecosystem and other tools such as Dryhook and PhaseJam. The latter two malware stock deployment is not attributable to known threat actors.
Since then, both JPCERT/CC and the US Cybersecurity and Infrastructure Security Agency (CISA) have revealed the exploitation of the same vulnerability to deliver an updated version of Spawn, known as SpawnChimera and Resurge.
Earlier this month, Google-owned Mandiant revealed that another security flaw in ICS (CVE-2025-22457) had been weaponized to distribute Spawn. This is malware caused by another Chinese hacking group called UNC5221.
JPCERT/CC said it is currently unclear whether the attack using DSLOGDRAT is part of the same campaign, which includes the spawn malware family run by UNC5221.
The attack sequence outlined by the agency involves the use of CVE-2025-0282 to deploy the PERL web shell. This serves as a conduit for deploying additional payloads containing DSLOGDRAT.
DSLOGDRAT is waiting for further instructions that can start contacting an external server over a socket connection, send basic system information, run shell commands, upload/download files, and use the infected host as a proxy.
This disclosure comes when threat intelligence company Greynoise warns about “9x suspicious scan activity spikes” and more than 1,000 unique IP addresses in the last 90 days, targeting ICS and Ivanti Pulse Secure (IPS) appliances from over 270 unique IP addresses over the last 24 hours.
Of these 255 IP addresses, they are classified as malicious and 643 is flagged as suspicious. Malicious IPs have been observed using TOR exit nodes, and suspicious IPSs are linked to lesser known hosting providers. The US, Germany and the Netherlands account for the top three source countries.
“This surge could indicate a possibility of coordinated reconnaissance and preparations for future exploitation,” the company said. “There is no particular CVE tied to this scan activity yet, but these spikes often precede active exploitation.”
Source link
