Chinese Hacking Group Exploits Zero-Day in Ivanti Connect Secure VPN Appliances

January 15, 2025


Cybersecurity firm Mandiant has issued a warning advising that a suspected Chinese threat actor is behind exploits of Ivanti Connect Secure VPN appliances that make use of zero-day CVE-2025-0282.

The attributed hacking group is UNC5221, which has previously targeted Ivanti Connect Secure VPN vulnerabilities in a similar manner and can be identified by their deployment of a range of custom malware families once inside victim networks. The attacker targets the database cache and deploys a malicious Python script to harvest credentials, and Mandiant warns that other attackers will likely follow in their footsteps if the vulnerability is not patched.

Chinese threat actor returns with new malware

Ivanti publicly disclosed the zero-day some weeks after patching it, but it had already been exploited in the wild by the Chinese hacking group prior to that. A security advisory issued by the company indicates that only a “limited number” of Ivanti Connect Secure appliance customers are known to have been successfully breached by the group and that the CVEs were not exploited in any Ivanti Policy Secure or ZTA gateways.

Mandiant also indicates that only certain versions of ICS release 22.7R2 can be exploited. The security researchers have observed the attackers making repeated requests to the appliance that appear to be checks on what version it is running. HTTP requests from VPS providers or Tor networks to the Host Checker Launcher, especially those checking versions in sequential order, are a strong indication of probing by the threat actors.

While it is present, the group’s custom malware will not only intercept attempts to upgrade to a newer (and secured) version but will also create a “visually convincing” HTML simulation of an upgrade taking place while nothing actually happens. If an LDAP service account is configured, the attacker will make use of it to perform reconnaissance and move laterally. In terms of exfiltration of data, the threat actor is primarily concerned with stealing authorization credentials; to that end they will raid the database cache and also deploy a Python script called “DRYHOOK” to capture logins.

UNC5221 among the most prolific groups targeting US organizations

Though it does not grab the same mainstream headlines as some of the other hacking outfits, UNC5221 has been one of the most active state-backed groups in attacking United States targets in recent years. The group appears to regularly cycle through new sets of custom malware to help evade detection, and was previously known for its use of the SPAWN ecosystem of tools before shifting to a varied collection of new ones for this set of attacks.

Ivanti provides an Integrity Checker Tool that can determine if this vulnerability has been exploited, and if it detects an intrusion a factory reset should be initiated to remove any malware that has been installed by the group. The company advises that even if the tool returns a negative result, a factory reset should still be performed prior to installing version 22.7R2.5 or later.