MDifyLoader: Fresh Malware Wave Exploits Ivanti VPN Flaws
Two critical bugs open the door
Security teams who thought they were safe after January’s and April’s patch cycles may need to take another look. Researchers at Japan’s computer emergency response team, JPCERT/CC, have confirmed that attackers are chaining two separate Ivanti Connect Secure vulnerabilities – CVE‑2025‑0282 and CVE‑2025‑22457 – to gain a foothold on corporate networks. The first bug allows unauthenticated remote code execution, while the second is a stack‑based buffer overflow that also leads to full compromise. Both carry “critical” CVSS scores hovering around 9.0 and were officially fixed months ago, yet unpatched appliances remain in the wild.
From zero‑day to full‑scale campaign
JPCERT says exploitation started quietly in December 2024 and has continued through July 2025, often surfacing as zero‑day activity before Ivanti issued its public advisories. During that window, intruders shifted from dropping previously known families such as SPAWNCHIMERA and DslogdRAT to a brand‑new loader dubbed MDifyLoader, signalling a maturing toolkit. Independent coverage by The Hacker News backs up the timeline, noting that the same pair of flaws is now central to a sustained campaign rather than an isolated smash‑and‑grab.
Meet MDifyLoader, the custom bridge to Cobalt Strike
MDifyLoader is no ordinary dropper. Built on top of the open‑source libPeConv framework, it arrives on disk through a classic DLL side‑loading trick, masquerading as a benign library next to a legitimate Windows executable. Once launched, the loader pulls in an encrypted blob, deciphers it with RC4, and spawns a Cobalt Strike Beacon version 4.5 straight into memory, leaving minimal artefacts for endpoint tools to catch. Obfuscation is heavy: junk instructions litter the binary and the RC4 key is derived from the MD5 hash of a companion file, a design choice aimed at frustrating quick static analysis.
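As an added illustration for analysts (not code from the JPCERT report or from the loader itself), the Python below shows how a payload protected the way the article describes can be recovered for inspection once the key derivation is known: derive the RC4 key from the MD5 of the companion file, decrypt the blob, then sanity‑check that a PE image came out. The exact key encoding is not given on the page, so the hex‑digest assumption, the companion bytes and the payload bytes here are all constructed.

```python
import hashlib

def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same XOR both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derive_key(companion: bytes) -> bytes:
    # Assumption: the hex digest of MD5(companion file) is the RC4 key.
    # The article only says the key is "derived from the MD5 hash"; the
    # encoding is a guess an analyst would confirm against the real sample.
    return hashlib.md5(companion).hexdigest().encode()

def decrypt_blob(blob: bytes, companion: bytes) -> bytes:
    """Recover the in-memory payload from the encrypted blob and its companion file."""
    return rc4_xor(derive_key(companion), blob)

def looks_like_pe(data: bytes) -> bool:
    """Post-decryption sanity check: a PE image starts with 'MZ' and has the
    'PE\\0\\0' signature at the offset stored in the 4 bytes at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

# Constructed test data: a fake companion file and a fake payload carrying
# only the minimal PE header fields the check above looks at.
SAMPLE_COMPANION = b"constructed companion file contents"
SAMPLE_PAYLOAD = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
                  + b"PE\x00\x00" + b"constructed payload body")
SAMPLE_BLOB = rc4_xor(derive_key(SAMPLE_COMPANION), SAMPLE_PAYLOAD)

if __name__ == "__main__":
    recovered = decrypt_blob(SAMPLE_BLOB, SAMPLE_COMPANION)
    print("PE header recovered:", looks_like_pe(recovered))
```

If the sanity check fails on a real sample, the key derivation assumption is the first thing to revisit, not the RC4 routine.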
Go‑based helpers extend the attacker’s reach
The operation does not stop with Beacon. Analysts traced the deployment of VShell, a remote‑access tool written in Go, and Fscan, a Go‑based network scanner. Both programs have turned up repeatedly in campaigns attributed to China‑nexus actors over the past year. Interestingly, VShell still carries code that checks whether the host language is set to Chinese; investigators observed multiple failed execution attempts before the intruders found a build that would run on non‑Chinese systems, suggesting a hurried repackaging of an internal test version. Fscan, on the other hand, is injected in a completely fileless manner through another custom DLL that borrows routines from FilelessRemotePE.
Moving sideways and digging in
Once inside the perimeter, the adversaries move aggressively. Logs show brute‑force attempts against FTP, MS‑SQL and SSH endpoints, followed by scans for the EternalBlue SMB flaw (MS17‑010) to hop between servers. With harvested credentials in hand, they pivot over RDP and SMB to spread their toolkit. Persistence is maintained by creating new domain accounts that blend with normal user naming conventions and then enrolling those accounts in existing security groups. The malware itself is registered as a Windows service or tied to a scheduled task so that a simple reboot will not shake the attackers loose.
Why the patches alone are not enough
Ivanti issued fixes for CVE‑2025‑0282 in early January and for CVE‑2025‑22457 in mid‑April, but field reports show many appliances are still lagging behind. Analysts at Mandiant have already linked earlier waves of exploitation to Chinese state actors, and JPCERT warns that the same infrastructure is now delivering MDifyLoader. The speed with which threat groups reverse‑engineer vendor patches and build working exploits underlines the need for continuous monitoring and rapid remediation, not one‑off patch sprints.
A layered defence still matters
The latest incidents highlight two repeating lessons. First, VPN gateways and other edge devices remain high‑value targets because they sit outside traditional monitoring zones yet hold the keys to everything behind them. Second, once that outer layer falls, attackers exploit classic Windows mis‑configurations – weak passwords, stale protocols, and broad lateral movement rights – to turn a single foothold into enterprise‑wide access. Hardening the edge must therefore go hand‑in‑hand with network segmentation, privileged‑access management and enforced multi‑factor authentication inside the LAN.
What security teams should do today
Administrators should immediately verify that every Connect Secure, Policy Secure or ZTA gateway is running the versions that Ivanti marked as safe: 22.7R2.6 or later for CVE‑2025‑22457, and 22.7R2.5 or newer for CVE‑2025‑0282. Where upgrades are not feasible, traffic should be funnelled through mitigating controls, and devices ought to be monitored for any signs of suspicious DLL side‑loading or Cobalt Strike beacons. JPCERT also recommends auditing domain accounts created since late December 2024 and scanning internal hosts for tools compiled in Go, a tell‑tale of this particular playbook. With MDifyLoader now out in the open, delaying these steps could leave an easy opening for the next wave of intruders.
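Two of the checks above lend themselves to a quick script. The Python below (an added example, not a JPCERT or Ivanti tool) compares a Connect Secure version string against the fixed versions the article names and applies a string‑marker heuristic for Go‑compiled binaries. The version parser handles only the major.minorRrelease.patch shape shown here, the Go markers are a heuristic rather than an authoritative test, and the sample byte strings are constructed.

```python
import re

# Fixed versions for Ivanti Connect Secure as stated in the article.
FIXED_IN = {
    "CVE-2025-0282": "22.7R2.5",
    "CVE-2025-22457": "22.7R2.6",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(version: str) -> tuple:
    """Turn '22.7R2.6' into (22, 7, 2, 6) for tuple comparison.
    Assumption: only the major.minorRrelease[.patch] shape is understood."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def unpatched_cves(version: str) -> list:
    """CVEs from the article that an appliance on this version is still exposed to."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed))

# Strings the Go toolchain embeds in the binaries it produces (PE and ELF alike).
GO_MARKERS = (b"Go build ID:", b".gopclntab", b"go1.")

def looks_go_compiled(data: bytes) -> bool:
    """Heuristic: flag a file as Go-compiled when at least two markers are present,
    so a stray 'go1.' substring alone does not trigger a hit."""
    return sum(1 for marker in GO_MARKERS if marker in data) >= 2

# Constructed samples standing in for files read from disk; no real binaries here.
SAMPLE_GO_BINARY = (b"MZ" + b"\x00" * 64 + b"\xffGo build ID: \"abcd\"\n\xff"
                    + b"go1.21.5" + b".gopclntab")
SAMPLE_OTHER_BINARY = b"MZ" + b"\x00" * 64 + b"MSVCRT.dll" + b"kernel32.dll"

if __name__ == "__main__":
    for ver in ("22.7R2.4", "22.7R2.5", "22.7R2.6"):
        print(ver, "still exposed to:", unpatched_cves(ver) or "none of the two CVEs")
    print("Go binary?", looks_go_compiled(SAMPLE_GO_BINARY), looks_go_compiled(SAMPLE_OTHER_BINARY))
```

Run the Go check over files in the paths your EDR already inventories rather than the whole disk; the point is to surface unexpected Go tooling on hosts that should not have any.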