Security researchers have flagged DslogdRAT, a newly documented malware family deployed through exploitation of a critical vulnerability in Ivanti Connect Secure (ICS) appliances, CVE-2025-0282. The flaw was exploited as a zero-day from December 2024, with the earliest activity attributed to UNC5337, a China-nexus cyber-espionage cluster; the DslogdRAT intrusions analysed so far targeted organizations in Japan. CVE-2025-0282 allows unauthenticated remote code execution on the appliance, which is why it drew immediate attention from defenders worldwide.
DslogdRAT is not the only payload tied to this flaw. DRYHOOK and PHASEJAM were also deployed via CVE-2025-0282, although neither has been attributed to a specific threat actor. JPCERT/CC and CISA have separately reported exploitation of the same vulnerability that delivered new variants of the SPAWN malware family, which is associated with UNC5221. Investigators have not established whether the DslogdRAT deployments are part of that group's SPAWN campaign or the work of a different actor.
Analysis of the intrusions shows the attackers first planted a Perl-based web shell on the compromised appliance and used it to install DslogdRAT, which then connects to an external command-and-control server to receive commands to execute and to upload or download files. Separately, GreyNoise recently observed a sharp rise in suspicious scanning of ICS and Pulse Secure appliances, originating from more than 270 distinct IP addresses in a short period, a pattern consistent with systematic reconnaissance that often precedes exploitation attempts. Taken together, these reports underline the need for organizations running these appliances to patch, check them for existing compromise, and monitor for both scanning bursts and post-exploitation activity such as web shell access.
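One practical way to act on the GreyNoise observation is to watch for a burst of distinct source addresses hitting the appliance's login endpoint, since a jump from a handful of sources to dozens in an hour is the reconnaissance signature described above. The script below is an added example written for this page; it is not code from JPCERT/CC, GreyNoise or Ivanti. The access-log format, the `/vpn/login` path, the one-hour buckets and the alert thresholds (`ratio`, `min_sources`) are assumptions for illustration, and the log lines are constructed, not real observations.

```python
"""Added example (not from the original article or any vendor): detect a
reconnaissance burst against a VPN appliance from web-server access logs.
Log format, endpoint path and thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common-log-style line (assumed format; a real ICS appliance logs differently).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, method, path, status):
    """Build one constructed access-log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample: a quiet hour (two legitimate users) followed by an hour in
# which 15 distinct addresses from the TEST-NET-3 documentation range probe the
# assumed login path. None of these addresses are real indicators.
SAMPLE_LOG = [
    _line("10.0.0.5", "24/Apr/2025:09:05:10 +0000", "GET", "/vpn/login", 200),
    _line("10.0.0.7", "24/Apr/2025:09:12:41 +0000", "POST", "/vpn/login", 302),
    _line("10.0.0.5", "24/Apr/2025:09:40:02 +0000", "GET", "/vpn/login", 200),
] + [
    _line(f"203.0.113.{n}", f"24/Apr/2025:10:{n:02d}:00 +0000", "GET", "/vpn/login", 200)
    for n in range(1, 16)
]


def parse_events(lines):
    """Parse log lines into dicts; lines in an unexpected format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def distinct_sources_per_hour(events, path_prefix="/vpn/"):
    """Count distinct source IPs per clock hour for requests under path_prefix."""
    buckets = defaultdict(set)
    for e in events:
        if e["path"].startswith(path_prefix):
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            buckets[hour].add(e["ip"])
    return {hour: len(ips) for hour, ips in buckets.items()}


def flag_recon_bursts(counts, ratio=5.0, min_sources=10):
    """Alert on hours with at least min_sources distinct IPs that are also at
    least ratio times the preceding hour's count (an empty preceding hour
    counts as baseline 0, so the absolute floor alone decides)."""
    alerts = []
    for hour in sorted(counts):
        cur = counts[hour]
        base = counts.get(hour - timedelta(hours=1), 0)
        if cur >= min_sources and (base == 0 or cur >= ratio * base):
            alerts.append({"hour": hour, "sources": cur, "baseline": base})
    return alerts


def run(lines=SAMPLE_LOG):
    """Full pipeline over a list of log lines; returns the alert list."""
    return flag_recon_bursts(distinct_sources_per_hour(parse_events(lines)))


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['hour']:%Y-%m-%d %H:00}: {alert['sources']} distinct sources "
              f"(previous hour: {alert['baseline']})")
```

The absolute floor (`min_sources`) matters as much as the ratio: a low-traffic appliance going from one source to five is a 5x jump but not worth paging for, while a burst from 270 addresses, as GreyNoise reported, clears any reasonable floor. In a real deployment the source list behind each alert should be exported and compared against threat-intelligence feeds, and the same hourly bucketing can be pointed at whatever paths the appliance actually exposes.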