The US cybersecurity agency CISA on Friday published its analysis of the malware used by Chinese hackers in attacks exploiting an Ivanti Connect Secure zero-day patched in January 2025.
The issue, tracked as CVE-2025-0282 (CVSS score of 9.0), is described as a stack-based buffer overflow enabling attackers to execute arbitrary code remotely, without authentication.
Ivanti announced patches for the bug on January 8, warning of its active exploitation. The next day, Mandiant revealed that it had been exploited in the wild since December 2024, by a China-linked espionage group tracked as UNC5221.
The threat actor, known to have targeted other Ivanti VPN vulnerabilities before, exploited CVE-2025-0282 to deploy malware from the Spawn family, which includes the SpawnAnt installer, the SpawnMole tunneler, and the SpawnSnail SSH backdoor.
On February 20, JPCERT/CC revealed that multiple threat actors had already been targeting the vulnerability, confirming that some of the attacks featured a new member of the Spawn malware family, tracked as SpawnChimera.
According to JPCERT/CC, SpawnChimera contains updated iterations of SpawnAnt, SpawnMole, and SpawnSnail. The malware can be injected into various processes, running in each of them, and contains a function to patch CVE-2025-0282.
On March 28, CISA released its own analysis of malware collected from an instance of CVE-2025-0282 exploitation, which it tracks as Resurge, and which was dropped on the compromised Ivanti Connect Secure device as a Linux share library named ‘libdsupgrade.so’.
“The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. The file shares similar functionality to SpawnChimera malware; however, this file contains a series of commands that modify files, manipulates integrity checks, and creates a web shell that is copied to the running Ivanti boot disk,” CISA notes.
Similar to SpawnChimera, Resurge checks whether it is loaded by a program called ‘web’ or ‘dsmdm’, to hook accept and strncpy functions and create a proxy for tunneling, or to create a thread for a secure shell via SSH.
It also contains a series of commands to set up a web shell for remote command execution, tamper with the coreboot RAM disk, and run sed commands to modify two Python files. The malware sets up persistence by inserting itself into the ‘ld.so.preload’ file.
CISA also notes that the analyzed sample contained a variant of the SpawnSloth malware, which can modify Ivanti device logs. It was dropped on the compromised device as ‘liblogblock.so’.
A third malicious file used in the attack, named ‘dsmain’, is a 64-bit Linux executable containing an open source shell script and applets from BusyBox, which were used to extract a kernel image and to download and execute payloads, respectively.
Related: Many Ivanti VPNs Still Unpatched as UK Domain Registry Emerges as Victim of Exploitation
Related: CISA Warns of Ivanti EPM Vulnerability Exploitation
Related: PoC Exploit Published for Critical Ivanti EPM Vulnerabilities
Related: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know
