Recent attacks against Japanese organizations have revealed sophisticated hackers exploiting a zero-day vulnerability in Ivanti Connect Secure VPN appliances. The attacks, occurring around December 2024, leveraged CVE-2025-0282 to deploy multiple malicious tools, including a custom malware called DslogdRAT and a specially crafted web shell. These tools allowed attackers to establish persistent access to compromised systems and execute arbitrary commands remotely. The threat actors demonstrated advanced capabilities by chaining the zero-day exploit with custom malware deployment techniques.

JPCERT analysts identified that the DslogdRAT malware was designed with specific evasion capabilities, notably operating only during business hours between 8:00 AM and 8:00 PM. This calculated approach helped attackers blend their malicious traffic with legitimate business operations, significantly reducing the chances of detection while maintaining persistent access to compromised environments.

After compromising the VPN appliances, attackers installed a Perl-based web shell that served as an initial foothold, enabling them to deploy additional malware components including DslogdRAT. This code allows attackers to execute arbitrary commands by simply sending HTTP requests with a specific cookie value “DSAUTOKEN=af95380019083db5” and including the command to run in the “data” parameter. The straightforward nature of this backdoor highlights how even simple code can create significant security breaches when deployed in critical infrastructure.

The first child process decodes XOR-encrypted configuration data (using 0x63 as the key) and spawns a second child process containing the core functionality. This process isolation technique helps bypass security solutions that monitor single-process behaviors or that terminate when parent processes end. The XOR encoding, while not highly sophisticated, provides sufficient obfuscation to avoid basic network traffic analysis, and the malware supports multiple command functions including file transfers, shell command execution, and proxy capabilities.

In addition to DslogdRAT, researchers also identified another malware variant called SPAWNSNARE on the same compromised systems, indicating a coordinated and well-resourced attack operation. Security experts warn that these attacks represent an ongoing threat, with Ivanti Connect Secure products remaining a high-value target.
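The web shell pattern described above (a fixed `DSAUTOKEN` cookie plus a `data` parameter carrying the command) is a concrete thing to hunt for in proxy, WAF or packet-capture exports. The following detector is an added example written for this page, not code from the article or from JPCERT; the HTTP request samples and the web shell path in them are constructed placeholders, since the article does not give the shell's file name.

```python
"""Hunt for HTTP requests carrying the web shell's DSAUTOKEN cookie.

Added example, not code from the article or from JPCERT. It inspects raw
HTTP/1.x requests (as exported from a reverse proxy, WAF or packet capture)
for the hard-coded cookie the article describes and extracts the "data"
parameter so an analyst can see what the shell was asked to run. All
request samples and paths below are constructed for illustration; the
article does not give the web shell's file name.
"""
from urllib.parse import parse_qs, urlsplit

# Indicator quoted in the article: cookie name and value the web shell checks.
WEBSHELL_COOKIE_NAME = "DSAUTOKEN"
WEBSHELL_COOKIE_VALUE = "af95380019083db5"
COMMAND_PARAMETER = "data"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive; normalise for lookup.
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def parse_cookies(header: str) -> dict:
    """Parse a Cookie header ("a=1; b=2") without raising on odd tokens."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def find_webshell_request(raw: bytes):
    """Return a finding dict when the request matches the web shell pattern, else None."""
    req = parse_request(raw)
    cookies = parse_cookies(req["headers"].get("cookie", ""))
    if cookies.get(WEBSHELL_COOKIE_NAME) != WEBSHELL_COOKIE_VALUE:
        return None
    url = urlsplit(req["target"])
    params = parse_qs(url.query)
    # The command may travel in the query string or in a form-encoded body.
    if req["body"]:
        params.update(parse_qs(req["body"]))
    command = params.get(COMMAND_PARAMETER, [None])[0]
    return {"method": req["method"], "path": url.path,
            "host": req["headers"].get("host"), "command": command}


def scan_requests(requests):
    """Run the detector over many requests and collect the findings."""
    return [f for f in map(find_webshell_request, requests) if f is not None]


# Constructed samples: one benign portal request, one matching the pattern.
SAMPLE_REQUESTS = [
    (b"GET /index.html HTTP/1.1\r\n"
     b"Host: vpn.example.invalid\r\n"
     b"Cookie: session=abc123\r\n\r\n"),
    (b"POST /PLACEHOLDER-webshell-path.cgi HTTP/1.1\r\n"
     b"Host: vpn.example.invalid\r\n"
     b"Cookie: session=abc123; DSAUTOKEN=af95380019083db5\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 7\r\n\r\n"
     b"data=id"),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The exact cookie value is the high-confidence indicator the article gives; a related variant could use a different token, so a broader (and noisier) hunt on the `DSAUTOKEN` cookie name alone, or on any request to Ivanti CGI paths carrying an unexpected cookie, is a reasonable second pass.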
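The single-byte XOR encoding of the configuration (key 0x63, as the article reports) is trivial to reverse once the key is known, and an analyst usually wants to confirm the key on a new sample rather than trust a published value. The decoder below is an added example, not code from the article or from JPCERT: the sample blob is constructed here by encoding placeholder text with 0x63 (no real malware data), the newline-delimited layout is an assumption, and the brute-force `candidate_keys()` helper goes beyond the article to show how a single-byte key is recovered when a sample uses a different one.

```python
"""Decode single-byte-XOR-encoded data such as DslogdRAT's configuration.

Added example, not code from the article or from JPCERT. The article reports
that the configuration is XOR-encoded with key 0x63; everything else here is
an assumption: the sample blob is constructed by encoding placeholder text
with that key (no real malware data), and splitting the result on newlines
is only a guess at a plausible layout. candidate_keys() goes beyond the
article by brute-forcing the key, which is how an analyst confirms it when
a sample turns out to use a different one.
"""
DSLOGDRAT_KEY = 0x63  # single-byte XOR key reported in the article

# Bytes a plausible text configuration would contain: printable ASCII plus
# tab, LF and CR.
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    if not 0 <= key <= 0xFF:
        raise ValueError("expected a single-byte key")
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return bool(data) and all(b in _TEXT_BYTES for b in data)


def candidate_keys(blob: bytes) -> list:
    """Keys under which the blob decodes to pure text; the analyst reviews each."""
    return [k for k in range(256) if looks_like_text(xor_bytes(blob, k))]


def decode_config(blob: bytes, key: int = DSLOGDRAT_KEY) -> list:
    """Decode and split into lines (newline-delimited layout is an assumption)."""
    text = xor_bytes(blob, key).decode("ascii", errors="replace")
    return [line for line in text.split("\n") if line]


# Constructed sample: placeholder config text encoded with the reported key.
SAMPLE_PLAINTEXT = b"c2=placeholder.example.invalid:443\nsleep=60\nmode=proxy\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, DSLOGDRAT_KEY)

if __name__ == "__main__":
    print("candidate keys:", [hex(k) for k in candidate_keys(SAMPLE_BLOB)])
    print("decoded with 0x63:", decode_config(SAMPLE_BLOB))
```

`candidate_keys()` deliberately returns every key that yields clean text rather than picking one, because keys that differ from the real one in a low bit often produce output that is still printable; ranking the survivors by letter frequency, or by the presence of expected tokens such as a port number, narrows the list to the real key.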
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Apr 2025 14:10:11 +0000