Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese Cyberspies Use New Malware in Ivanti VPN Attacks

Chinese threat actors target Ivanti VPN appliances with new malware designed to persist system upgrades.

Chinese threat actors have continued to exploit recent Ivanti Connect Secure VPN vulnerabilities, using new malware to achieve persistence, Mandiant reports.

The flaws were addressed on January 31, roughly three weeks after Volexity warned that Chinese threat actors were seen exploiting two of them as zero-days for initial access.

Roughly one week later, Ivanti patched a fifth vulnerability in its enterprise VPN and network access products. Proof-of-concept (PoC) code was published within days and attackers immediately started exploiting it.

Following the patch rollout, attackers continued to exploit one of them, tracked as CVE-2024-21893 and described as a server-side request forgery (SSRF) vulnerability in the SAML component in Ivanti’s enterprise VPN and network access appliances.

The issue is, in fact, a bypass for the mitigations Ivanti announced in early January, when the first two zero-days were disclosed.

According to Mandiant, a Chinese threat actor tracked as UNC5325 has been observed exploiting CVE-2024-21893 to deploy new malware families such as LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook.

Based on code overlaps, UNC5325 appears linked to UNC3886, a Chinese cyberespionage group previously observed exploiting vulnerable VMware products to compromise victim networks.

“UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the US and APJ regions. We are continuing to gather evidence and identify overlaps between UNC3886 and other suspected Chinese espionage groups,” Mandiant notes.

Advertisement. Scroll to continue reading.

UNC5325, the cybersecurity firm notes, has been observed chaining CVE-2024-21893 and CVE-2024-21887 (a command injection in Ivanti’s products). Following initial access, the attackers performed reconnaissance and established a reverse shell.

Mandiant observed the attackers deploying a variant of a web shell named BushWalk that enabled them to read arbitrary files from the appliance, as well as employing modified open source tools and built-in Ivanti system utilities to evade detection, demonstrating “a nuanced understanding of the appliance”.

In some instances, the attackers used SparkGateway plugins to deploy backdoors and persistently inject shared objects. SparkGateway is a legitimate component of Ivanti’s VPN appliance that provides remote access over the browser.

One such SparkGateway plugin, named PitFuel, was seen loading the shared object LittleLamb.WoolTea to deploy backdoors and persist across system updates, patches, and even factory resets. The persistence attempts, however, failed.

“Because the appliance had undergone at least one update since its initial deployment, the malware failed to persist through the factory reset as the encryption key of the factory reset kernel and the running version kernel were different,” Mandiant notes.

A second malicious SparkGateway plugin, dubbed PitDog, was seen injecting the shared object PitHook into memory and persistently executing the backdoor named PitStop, which can execute shell commands and read and write files on the compromised appliance.

“UNC5325’s TTPs and malware deployment showcase the capabilities that suspected China-nexus espionage actors have continued to leverage against edge infrastructure in conjunction with zero days. Similar to UNC4841’s familiarity with Barracuda ESGs, UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets,” Mandiant concludes.

Related: Malware Used in Ivanti Zero-Day Attacks Shows Hackers Preparing for Patch Rollout

Related: CISA Sets 48-Hour Deadline for Removal of Insecure Ivanti Products

Related: Ivanti Vulnerability Exploited to Deliver New ‘DSLog’ Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...