Ivanti zero-day attacks infected devices with custom malware

Hackers exploiting the critical Ivanti Connect Secure zero-day vulnerability disclosed yesterday installed new malware called ‘Dryhook’ and ‘Phasejam’ on compromised VPN appliances; neither family is currently associated with any known threat group.

The security issue, now tracked as CVE-2025-0282, is a critical stack-based buffer overflow flaw that impacts Ivanti Connect Secure 22.7R2.5 and older, Ivanti Policy Secure 22.7R1.2 and older, and Ivanti Neurons for ZTA gateways 22.7R2.3 and older.

Although the flaw has a broad impact, the vendor specified that attacks were only observed against Connect Secure appliances while also noting that the number of affected customers is “limited.”

According to cybersecurity company Mandiant (now part of Google Cloud), attackers began exploiting the vulnerability in mid-December and used the custom Spawn malware toolkit.

The malicious framework is typically associated with a suspected China-linked espionage actor that the company tracks as UNC5337, which is likely part of a larger cluster tracked as UNC5221.

However, the previously unknown ‘Dryhook’ and ‘Phasejam’ malware families found on some compromised appliances are not attributed to any threat group at this time.

Attack chain and new malware
Mandiant’s report says that the attacker sent HTTP requests to specific URLs to identify ICS appliance versions. To hide their origin, the threat actor routed the requests through VPS providers or the Tor network.

Next, they exploited CVE-2025-0282 to gain initial access, disabled SELinux protections, modified iptables rules to prevent syslog forwarding, and remounted the drive as ‘read-write’ to allow malware deployment.

The researchers say the hackers launched the Phasejam dropper, which deploys a web shell into components such as ‘getComponent.cgi’ and ‘restAuth.cgi,’ while also overwriting system files to allow command execution.

Commands supported by the web shell
Source: Mandiant
The hackers also modified the upgrade script ‘DSUpgrade.pm’ to block real upgrades and simulate a fake upgrade process, so the malware would persist on the system.

The attackers also install ‘Spawn’ tools like Spawnmole (tunneler), Spawnsnail (SSH backdoor), and Spawnsloth (log tampering utility), which, unlike the Phasejam web shell, can persist across system upgrades.

Both the Spawn malware and the new threats tried to evade Ivanti’s Integrity Checker Tool (ICT) by recalculating the SHA256 file hashes for the malicious files so they passed verification.

“SPAWNANT is careful to circumvent the ICT by recalculating the SHA256 hash for any maliciously modified files. Once the appropriate modifications are complete, SPAWNANT generates a new RSA key pair to sign the modified manifest.” – Mandiant
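The evasion described above only works if the integrity checker trusts a manifest signed by any key it is handed. The following added example (not Mandiant's or Ivanti's code, and a simplified model rather than how the real ICT is implemented) contrasts a naive checker, which accepts the key shipped with the manifest, with one that pins the vendor's public key; the file names are taken from this article, the file contents are constructed, and the RSA is a tiny unpadded toy so the example runs with the standard library.

```python
import hashlib
import json
import math
import random

# Toy RSA (tiny keys, no padding): enough to show the trust-model point, nothing more.
def _rand_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(c % p for p in range(3, int(c ** 0.5) + 1, 2)):
            return c

def gen_keypair(seed, bits=24):
    rng = random.Random(seed)
    p, q = _rand_prime(bits, rng), _rand_prime(bits, rng)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))   # (public, private)

def _digest(manifest, n):
    return int.from_bytes(hashlib.sha256(manifest.encode()).digest(), "big") % n
def build_manifest(files):
    return json.dumps({k: hashlib.sha256(v).hexdigest() for k, v in sorted(files.items())})
def sign(manifest, priv):
    return pow(_digest(manifest, priv[0]), priv[1], priv[0])
def verify_sig(manifest, sig, pub):
    return pow(sig, pub[1], pub[0]) == _digest(manifest, pub[0])

# Naive checker: trusts whatever public key ships alongside the manifest.
def ict_naive(files, manifest, sig, pub):
    return build_manifest(files) == manifest and verify_sig(manifest, sig, pub)

# Hardened checker: only the vendor key pinned in the checker can sign a manifest.
def ict_pinned(files, manifest, sig, vendor_pub):
    return build_manifest(files) == manifest and verify_sig(manifest, sig, vendor_pub)

def simulate():
    vendor_pub, vendor_priv = gen_keypair(seed=1)
    files = {"DSUpgrade.pm": b"sub upgrade { real }", "restAuth.cgi": b"auth handler"}  # constructed
    m = build_manifest(files)
    baseline_ok = ict_pinned(files, m, sign(m, vendor_priv), vendor_pub)
    # Attacker tampers with the upgrade script, rehashes every file, and
    # re-signs the new manifest with a freshly generated key pair.
    files["DSUpgrade.pm"] = b"sub upgrade { fake progress screen }"
    evil_pub, evil_priv = gen_keypair(seed=2)
    m2 = build_manifest(files)
    s2 = sign(m2, evil_priv)
    return baseline_ok, ict_naive(files, m2, s2, evil_pub), ict_pinned(files, m2, s2, vendor_pub)
```

`simulate()` returns `(True, True, False)`: the untouched appliance passes, the re-signed manifest fools the naive checker, and the pinned checker rejects it because the hashes are consistent but the signature does not come from the vendor key.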

The hackers’ goal appears to be stealing databases on the appliance that typically contain sensitive information related to “VPN sessions, session cookies, API keys, certificates, and credential material.”

“Mandiant has observed the threat actor archiving the database cache on a compromised appliance and staging the archived data in a directory served by the public-facing web server to enable exfiltration of the database,” explain the researchers.

Finally, the threat actors use a new piece of malware called Dryhook to capture usernames and passwords during standard authentication processes and store them in base64-encoded form for future retrieval.

Code that generates a fake upgrade screen
Source: Mandiant
Defense measures
System administrators are advised to perform a factory reset and upgrade to Ivanti Connect Secure 22.7R2.5, even if internal and external ICT scans find no signs of malicious activity.

Mandiant has also shared a list of indicators of compromise (IoCs) along with YARA rules to help detect suspicious activity associated with this campaign.

According to Macnica researcher Yutaka Sejiyama, there were over 3,600 ICS appliances exposed on the public web when Ivanti released a patch for the vulnerability.

The researcher told BleepingComputer that the number has now dropped to about 2,800, so a significant attack surface remains exposed.
