Malware & Ransomware · HIGH

DslogdRAT Malware Targets Ivanti Connect Secure Users


In short: attackers are exploiting a security flaw in Ivanti Connect Secure to install a new malware family called DslogdRAT on the affected appliances.

Quick Summary

Attackers exploited a vulnerability in Ivanti Connect Secure to install a new malware named DslogdRAT. Organizations in Japan have been hit, putting sensitive data at risk. Patching promptly and checking the appliances for signs of compromise are the immediate priorities.

What Happened

Imagine coming home from work to find your house has been broken into. That is roughly what happened to organizations in Japan targeted with a new malware called DslogdRAT. It was installed by exploiting a zero-day vulnerability in Ivanti Connect Secure, tracked as CVE-2025-0282, in attacks during December 2024.

The attackers first planted a web shell, a backdoor script served by the compromised appliance's own web server, to execute commands on it. This web shell was written in Perl and would only run attacker-supplied commands when an incoming request met specific conditions, a common way of keeping a backdoor from answering anyone but its operator. It served as the foothold for deploying further malware, including DslogdRAT, onto the infected machines.
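To make the web-shell description concrete, here is an added example (editor's code, not JPCERT/CC's and not the shell from the attacks) of a heuristic a defender can run over the CGI directories of an appliance: it scores Perl sources on whether they pass request-controlled input (cookies, query strings, CGI parameters) to a command-execution construct, and whether that path is gated on a hard-coded token. The two Perl scripts inside it are constructed samples; the cookie-token gate in the suspicious one is an illustration of "certain conditions", not a claim about what the real shell checks.

```python
"""Heuristic hunt for Perl CGI web shells that run commands on request input.

Added example for this article, not JPCERT/CC code. Both Perl scripts below
are constructed samples and are not the web shell from the attacks.
"""
import re
from dataclasses import dataclass, field

# Perl constructs that hand a string to a shell or exec a program.
EXEC_PATTERNS = [
    r"\bsystem\s*\(",
    r"\bexec\s*\(",
    r"`[^`]*\$[^`]*`",            # backticks interpolating a variable
    r"\bopen\s*\([^;]*\|",         # open(FH, "cmd |") pipe opens
    r"\bqx\s*[{(/\[]",
]
# Request-controlled data a CGI script can read.
INPUT_PATTERNS = [
    r"\$ENV\{\s*['\"]?HTTP_COOKIE['\"]?\s*\}",
    r"\$ENV\{\s*['\"]?QUERY_STRING['\"]?\s*\}",
    r"\$ENV\{\s*['\"]?HTTP_[A-Z_]+['\"]?\s*\}",
    r"\bCGI->new\b|\bnew\s+CGI\b|->param\s*\(",
    r"<STDIN>",                    # POST body of a CGI request
]
# Equality test against a long hard-coded hex string: a typical shell gate.
GATE_PATTERN = r"(?:\beq\b|==)\s*['\"][0-9a-f]{8,}['\"]"
DECODE_PATTERN = r"\b(?:decode_base64|unpack\s*\(\s*['\"]H\*)"

@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list[str] = field(default_factory=list)

def score_perl_source(src: str) -> Verdict:
    """Score one Perl source text; 4 or more is treated as suspicious."""
    reasons: list[str] = []
    score = 0
    exec_hits = [p for p in EXEC_PATTERNS if re.search(p, src)]
    input_hits = [p for p in INPUT_PATTERNS if re.search(p, src)]
    if exec_hits:
        score += 2
        reasons.append(f"{len(exec_hits)} command-execution construct(s)")
    if input_hits:
        score += 1
        reasons.append("reads request-controlled input")
    if exec_hits and input_hits:
        score += 2
        reasons.append("request input and command execution in one script")
    if re.search(GATE_PATTERN, src):
        score += 1
        reasons.append("gated on a hard-coded hex token")
    if re.search(DECODE_PATTERN, src):
        score += 1
        reasons.append("decodes an embedded payload")
    return Verdict(score >= 4, score, reasons)

# Constructed sample: an ordinary CGI form handler.
BENIGN_CGI = r'''#!/usr/bin/perl
use strict;
use CGI;
my $q = CGI->new;
my $name = $q->param('name') // 'guest';
print $q->header('text/html');
print "<p>Hello, ", $q->escapeHTML($name), "</p>\n";
'''

# Constructed sample: cookie-gated command runner (illustrative only).
SUSPICIOUS_CGI = r'''#!/usr/bin/perl
my %c = map { split /=/, $_, 2 } split /;\s*/, $ENV{HTTP_COOKIE};
if ($c{TOKEN} eq "0123456789abcdef") {
    my $cmd = $c{CMD};
    print "Content-Type: text/plain\n\n";
    print `$cmd 2>&1`;
}
'''

def hunt(sources: dict[str, str]) -> dict[str, Verdict]:
    """Score a mapping of path -> Perl source, e.g. read from a CGI directory."""
    return {path: score_perl_source(src) for path, src in sources.items()}

if __name__ == "__main__":
    for path, v in hunt({"form.cgi": BENIGN_CGI, "odd.cgi": SUSPICIOUS_CGI}).items():
        print(f"{path}: score={v.score} suspicious={v.suspicious} {v.reasons}")
```

The thresholds and weights are illustrative. The point is the combination: plenty of legitimate CGI reads request input, and a few administrative scripts legitimately run commands, but a script that does both and only acts when a fixed secret is presented is worth a human look, and on an appliance any Perl file that is not part of the vendor's shipped file set should be compared against a known-good install before it is scored at all.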

Why Should You Care

If you use Ivanti Connect Secure, or your organization does, this is a serious issue. The appliance is a remote-access (VPN) gateway at the network edge, so a compromise exposes the credentials and traffic that pass through it and opens a path to everything behind it. DslogdRAT also operates stealthily: it only communicates with its command-and-control (C2) server during business hours, so its traffic blends in with normal daytime activity instead of standing out in the logs at 3 a.m.

This is not just a problem for large organizations; anyone relying on this software for secure remote connections is exposed. The risk is real, and it is time to act. If this malware gets into a network, it can lead to data breaches, financial loss, and a damaged reputation.

What's Being Done

In response, JPCERT/CC has published its analysis of these attacks and has also issued an alert about a separate, newer vulnerability in Ivanti Connect Secure, CVE-2025-22457. It is monitoring the situation closely, as attacks on these appliances are expected to continue. Here is what you should do right now:

  • Update Ivanti Connect Secure to the latest version, which includes the fixes for both CVE-2025-0282 and CVE-2025-22457.
  • Monitor the appliances themselves, not just the network behind them, for unexpected files, processes and outbound connections; patching closes the door but does not remove a web shell or RAT that is already installed.
  • Educate your team about the risks of malware and how to recognize and report suspicious behavior.
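The business-hours-only C2 behaviour described above is also a detection opportunity, and it is the kind of thing the "monitor your systems" advice should turn into. The following added example (editor's code, not JPCERT/CC's) profiles outbound connections from an appliance per destination and flags a destination that is busy, contacted almost entirely inside a fixed daily window, seen on more than one day, and hit at near-constant intervals. The log records are constructed, and the 08:00 to 20:00 window and all thresholds are illustrative assumptions, not figures taken from the article.

```python
"""Profile outbound connections per destination to spot window-restricted beacons.

Added example for this article, not JPCERT/CC code. The log records are
constructed, and the 08:00-20:00 window is an illustrative assumption.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

WINDOW_START = time(8, 0)    # assumed "business hours" window, inclusive start
WINDOW_END = time(20, 0)     # exclusive end

def constructed_log() -> list[str]:
    """Netflow-style records '<ISO timestamp> <src> <dst>:<port> <bytes>' (constructed)."""
    lines = []
    for day in (2, 3):
        # Beacon to 198.51.100.23: every 30 minutes, but only between 08:00 and 19:30.
        for minute in range(8 * 60, 20 * 60, 30):
            ts = f"2024-12-{day:02d}T{minute // 60:02d}:{minute % 60:02d}:00"
            lines.append(f"{ts} 10.0.0.5 198.51.100.23:443 412")
        # Legitimate traffic to 203.0.113.10 at irregular times, overnight included.
        for hh, mm in ((0, 14), (0, 31), (6, 52), (12, 33), (12, 40), (21, 5)):
            ts = f"2024-12-{day:02d}T{hh:02d}:{mm:02d}:00"
            lines.append(f"{ts} 10.0.0.5 203.0.113.10:443 20588")
    return sorted(lines)

def parse(line: str) -> tuple[datetime, str]:
    ts, _src, dst, _nbytes = line.split()
    return datetime.fromisoformat(ts), dst

def profile_destinations(lines, start=WINDOW_START, end=WINDOW_END,
                         min_hits=12, min_days=2, max_cv=0.2):
    """Per destination: hit count, share of hits inside the window, distinct
    days, and the coefficient of variation of same-day inter-connection gaps.
    Flag when busy, almost entirely in-window, multi-day, and near-periodic."""
    by_dst = defaultdict(list)
    for line in lines:
        ts, dst = parse(line)
        by_dst[dst].append(ts)
    findings = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        in_window = sum(start <= t.time() < end for t in stamps)
        frac = in_window / len(stamps)
        days = len({t.date() for t in stamps})
        # Gaps between consecutive hits on the same day; overnight gaps are skipped.
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])
                if a.date() == b.date()]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        findings[dst] = {
            "hits": len(stamps),
            "in_window_fraction": round(frac, 3),
            "days": days,
            "interval_cv": None if cv is None else round(cv, 3),
            "flag": (len(stamps) >= min_hits and frac >= 0.95
                     and days >= min_days and cv is not None and cv <= max_cv),
        }
    return findings

if __name__ == "__main__":
    for dst, facts in profile_destinations(constructed_log()).items():
        print(dst, facts)
```

A caveat a practitioner will spot immediately: on a remote-access gateway most legitimate traffic is also daytime-only, so the window share on its own is noise. The regularity and multi-day conditions do the real filtering, and any hit still needs to be checked against the destination's reputation and the appliance's expected update and telemetry endpoints before anyone is paged.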

Researchers are tracking the ongoing campaigns and are particularly interested in whether these attacks are linked to the SPAWN malware family operated by the UNC5221 group. Stay vigilant and informed to protect your data from these evolving threats.

🔒 Pro insight: the sequence seen here, a zero-day in an internet-facing appliance (CVE-2025-0282), a web shell that only answers when a request meets its conditions, then a RAT that beacons only in business hours, is chosen step by step to avoid attention. Treat the appliance itself as a target, not just a door, and expect further developments as attackers refine their tactics.

Original article from JPCERT/CC
