A China-linked cyberespionage group has been exploiting two recent Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities in attacks targeting critical sectors in Europe, North America, and Asia-Pacific, EclecticIQ reports.
The two flaws, tracked as CVE-2025-4427 and CVE-2025-4428, are medium-severity issues that allow attackers to bypass authentication and execute arbitrary code remotely, respectively.
Impacting two open source libraries integrated into EPMM, the bugs can be chained together to achieve unauthenticated remote code execution (RCE) on vulnerable deployments.
Ivanti patched the two security defects on May 13, warning that they had been exploited as zero-days against a limited number of customers.
Several days later, proof-of-concept (PoC) exploit code targeting the security defects was released publicly and threat actors started chaining them in the wild immediately after, Wiz warned this week.
Validating Wiz’s findings, EclecticIQ too warns of the ongoing exploitation of these vulnerabilities, attributing the observed attacks to a China-linked threat actor tracked as UNC5221.
Known for the targeting of zero-day flaws in edge devices since at least 2023, the espionage group has been observed exfiltrating large volumes of data from vulnerable appliances, including personally identifiable information (PII), credentials, and other sensitive information.
Since May 15, the hacking group has been targeting vulnerable internet-facing EPMM instances against aviation, defense, finance, local government, healthcare, and telecommunications organizations, to exfiltrate files containing core operational data and gain visibility into managed devices.
Targets identified by EclecticIQ include one of Germany’s largest telecommunications providers, a cybersecurity firm, a US-based firearms manufacturer, and a multinational bank in South Korea.
“Given EPMM’s role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization,” EclecticIQ notes.
As part of the attacks, UNC5221 deployed FRP (Fast Reverse Proxy), an open source tool that establishes a reverse SOCKS5 proxy for persistent access, and KrustyLoader, which is typically used to deploy a Sliver backdoor.
The hacking group was also seen using shell commands for reconnaissance and hiding its tracks in real time, “potentially using HTTP GET requests to exfiltrate the data before wiping the artifacts,” EclecticIQ says.
In previous campaigns, the threat actor was seen exploiting vulnerable Palo Alto Networks, Ivanti, and SAP appliances to deploy KrustyLoader and Sliver beacons.
“EclecticIQ assesses with high confidence that the observed Ivanti EPMM exploitation activity is very likely linked to UNC5221, a China-nexus cyber-espionage group. Infrastructure reuse and observed tradecraft closely align with previous campaigns attributed to this actor,” EclecticIQ notes.
Related: Chinese Hackers Hit Drone Sector in Supply Chain Attacks
Related: Ransomware Groups, Chinese APTs Exploit Recent SAP NetWeaver Flaws
Related: Exploited Vulnerability Puts 5,000 Ivanti VPN Appliances at Risk
Related: Government, Military Targeted as Widespread Exploitation of Ivanti Zero-Days Begins
