Cybersecurity researchers are warning about a new malware called DslogdRAT that’s installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS).
The malware, along with a web shell, were “installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024,” JPCERT/CC researcher Yuma Masubuchi said in a report published Thursday.
CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025.
However, the shortcoming has been exploited as a zero-day by a China-nexus cyber espionage group dubbed UNC5337 to deliver the SPAWN ecosystem of malware, as well as other tools like DRYHOOK and PHASEJAM. The deployment of the latter two malware strains has not been attributed to any known threat actor.
Since then, both JPCERT/CC and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have revealed the exploitation of the same vulnerability to deliver updated versions of SPAWN called SPAWNCHIMERA and RESURGE.
Earlier this month, Google-owned Mandiant also revealed that another security flaw in ICS (CVE-2025-22457) has been weaponized to distribute SPAWN, a malware attributed to another Chinese hacking group referred to as UNC5221.
JPCERT/CC said it’s currently not clear if the attacks using DslogdRAT is part of the same campaign involving the SPAWN malware family operated by UNC5221.
The attack sequence outlined by the agency entails the exploitation of CVE-2025-0282 to deploy a Perl web shell, which then serves as a conduit to deploy additional payloads, including DslogdRAT.
DslogdRAT, for its part, initiates contact with an external server over a socket connection to send basic system information and awaits further instructions that allow it to execute shell commands, upload/download files, and use the infected host as a proxy.
The disclosure comes as threat intelligence firm GreyNoise warned of a “9X spike in suspicious scanning activity” targeting ICS and Ivanti Pulse Secure (IPS) appliances from more than 270 unique IP addresses in the past 24 hours and over 1,000 unique IP addresses in the last 90 days.
Of these 255 IP addresses have been classified as malicious and 643 have been flagged as suspicious. The malicious IPs have been observed using TOR exit nodes and suspicious IPs are linked to lesser-known hosting providers. The United States, Germany, and the Netherlands account for the top three source countries.
“This surge may indicate coordinated reconnaissance and possible preparation for future exploitation,” the company said. “While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation.”
