Recently, cybersecurity researchers identified a new malware loader called MDifyLoader, used in attacks targeting Ivanti Connect Secure (ICS) devices.

Observed between December 2024 and July 2025, the attacks exploited two security vulnerabilities in ICS to deploy malware including Cobalt Strike, VShell and Fscan:

MDifyLoader is a loader whose job is to place other malware in the system's memory. It is built on the open-source libPeConv project and reads and decrypts an encrypted Cobalt Strike Beacon payload, which it then loads and executes in memory.

Loading MDifyLoader: Once the attackers have access to a host, MDifyLoader is brought into memory through DLL side-loading alongside a legitimate executable; it then decrypts and loads the encrypted Cobalt Strike Beacon payload.

Lateral movement: After gaining a foothold, the attackers run brute-force attacks against FTP, MS-SQL and SSH services to obtain valid credentials, reach further systems and collect data.

Cobalt Strike is a commercial post-exploitation framework that is widely abused in intrusions to remotely control compromised systems and run complex attack operations. Its Beacon payload lets the attackers maintain access to a compromised system and operate stealthily, without the user's knowledge.

Use of additional tools: VShell and Fscan are used to maintain control and to scan for additional devices on the network, widening the scope of the attack.

VShell: A remote access tool (RAT) written in Go, used to maintain access to the system. Before doing anything else, VShell checks the system language to determine whether the host is configured for Chinese.

Fscan: A network scanning tool written in Go that lets the attackers enumerate devices and services on the network, look for further vulnerabilities and extend the attack.

The attack chain can be summarised as follows. It starts with a vulnerability in Ivanti Connect Secure (ICS), a VPN appliance widely used by businesses. The attackers exploited the following two serious security vulnerabilities:

  • CVE-2025-0282: A stack-based buffer overflow that allows remote code execution without authentication. Ivanti disclosed and patched it in January 2025.
  • CVE-2025-22457: Also a stack-based buffer overflow, allowing arbitrary code execution. Ivanti published its advisory for it in April 2025.

The attackers exploited CVE-2025-0282 and CVE-2025-22457 in Ivanti Connect Secure devices to break into organizations' internal networks. Both vulnerabilities were exploited in the wild before most organizations had applied the fixes, so the targeted devices were still exposed when the real attacks hit them.

This attack exposed the affected organizations to several major risks:

  • Data theft: The attackers can steal sensitive data such as credentials, financial records or customer data.
  • Loss of control over systems: The organization can lose control of its systems and face follow-on attacks.
  • Business disruption: A compromise can interrupt business operations, costing time and money to recover.
  • A door left open for later attacks: The attackers can plant backdoors or hidden accounts that keep long-term access even after other security measures are taken.

To protect against attacks of this kind, organizations and users should take the following measures:
  • Software updates and security patches: Ensure that all security patches, especially those for Ivanti Connect Secure, are applied promptly.
  • Network inspection and hardening: Scan and secure systems to find traces of the malware involved, such as Cobalt Strike, VShell or Fscan.
  • Strong authentication: Enforce multi-factor authentication (MFA) to reduce the impact of guessed or stolen passwords.
  • Behavioral monitoring: Deploy network and host monitoring to detect abnormal activity, such as bursts of failed logins, or other signs of intrusion.

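The brute-force stage described earlier (password guessing against FTP, MS-SQL and SSH) is exactly the kind of activity the behavioral-monitoring recommendation above is meant to catch. The following is an added example, not code from the article or from the researchers it cites: a small detector that parses failed-login lines from the three services, keeps a sliding window of failures per source IP, and raises an alert when a source crosses a threshold, with a separate flag when a successful login from the same source follows the burst. It assumes the three services forward their logs through syslog (so every line has the same "Mon DD HH:MM:SS host program" prefix); the sample lines, hostnames and addresses are constructed for the example.

```python
"""Brute-force detection over forwarded auth logs.

Added example; not code from the article or from the researchers it cites.
Assumption: SSH, FTP and MS-SQL logs are forwarded through syslog, so every
line carries the same "Mon DD HH:MM:SS host program" prefix. The sample lines
below are constructed, not real captures.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOGS = """\
Jul 20 10:00:01 fileserver sshd[2201]: Failed password for root from 10.0.5.23 port 51412 ssh2
Jul 20 10:00:02 fileserver sshd[2201]: Failed password for root from 10.0.5.23 port 51413 ssh2
Jul 20 10:00:02 fileserver sshd[2201]: Failed password for admin from 10.0.5.23 port 51414 ssh2
Jul 20 10:00:03 fileserver sshd[2201]: Failed password for backup from 10.0.5.23 port 51415 ssh2
Jul 20 10:00:09 fileserver sshd[2300]: Failed password for alice from 192.168.1.15 port 40022 ssh2
Jul 20 10:00:11 ftpsrv vsftpd[880]: [ftpadmin] FAIL LOGIN: Client "10.0.5.23"
Jul 20 10:00:12 ftpsrv vsftpd[880]: [backup] FAIL LOGIN: Client "10.0.5.23"
Jul 20 10:00:20 dbsrv MSSQLSERVER: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.23]
Jul 20 10:00:21 dbsrv MSSQLSERVER: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.23]
Jul 20 10:00:40 fileserver sshd[2350]: Accepted password for backup from 10.0.5.23 port 51499 ssh2
Jul 20 10:03:00 fileserver sshd[2400]: Failed password for alice from 192.168.1.15 port 40023 ssh2
"""

SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^\s:\[]+)"
)

# One pattern per service. Each yields the user and source IP and, where the log
# distinguishes it, whether the attempt succeeded; the MS-SQL line only reports failures.
PATTERNS = [
    ("ssh", re.compile(r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
    ("ftp", re.compile(r'\[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<src>[\d.]+)"')),
    ("mssql", re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<src>[\d.]+)\]")),
]


@dataclass
class AuthEvent:
    ts: datetime
    service: str
    host: str
    user: str
    src: str
    success: bool


def parse_line(line):
    """Return an AuthEvent for a recognised authentication line, else None."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for relative windows.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    for service, pat in PATTERNS:
        e = pat.search(line)
        if e:
            success = e.groupdict().get("result", "FAIL") in ("Accepted", "OK")
            return AuthEvent(ts, service, m.group("host"), e.group("user"), e.group("src"), success)
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag every source IP that produces `threshold` failed logins within `window_seconds`.

    Failures are counted across all three services, so a source that spreads its
    guesses over SSH, FTP and MS-SQL is still caught. For flagged sources, a later
    successful login is recorded as `success_after_burst` with the account used.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "services": set(),
                                 "hosts": set(), "success_after_burst": False,
                                 "logged_in_as": set()})
    flagged = set()
    for e in events:
        s = stats[e.src]
        if e.success:
            if e.src in flagged:  # a password guessed during the burst has worked
                s["success_after_burst"] = True
                s["logged_in_as"].add((e.service, e.host, e.user))
            continue
        s["failures"] += 1
        s["users"].add(e.user)
        s["services"].add(e.service)
        s["hosts"].add(e.host)
        q = recent[e.src]
        q.append(e.ts)
        while (e.ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            flagged.add(e.src)
    return {src: stats[src] for src in flagged}


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(f"{src}: {info['failures']} failures against {sorted(info['services'])} "
              f"on {sorted(info['hosts'])}, users tried {sorted(info['users'])}, "
              f"login after burst: {info['success_after_burst']} {sorted(info['logged_in_as'])}")
```

Counting across services matters here: against the sample, the attacking address never reaches five failures on any single service, but it does across the three, and the later successful SSH login as "backup" is the event that should trigger an incident response rather than just a blocklist entry. The legitimate user with two failures three minutes apart is not flagged.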
The MDifyLoader attacks show how sophisticated and layered current cyber threats have become. Exploiting the flaws in Ivanti Connect Secure allowed the attackers to take over systems and operate stealthily inside them. Organizations need to invest in strong security measures and apply security patches quickly to prevent further attacks.
Compiled by WhiteHat