Security researchers at JPCERT/CC recently uncovered a new wave of cyber attacks targeting Ivanti Connect Secure VPN devices that deployed a previously undocumented malware strain named DslogdRAT. The malware was found alongside a simple but effective Perl web shell, offering a view of how attacks on edge devices continue to evolve.
The discovery of these infections occurred during a meticulous forensic investigation into the exploitation of CVE-2025-0282, a zero-day vulnerability that was exploited in attacks on Japanese organizations back in December 2024. The implications of these findings paint a concerning picture of the security vulnerabilities present in widely-used VPN devices and the potential threats posed by malicious actors.
One of the key aspects of this discovery was the initial access point used by the attackers: a Perl-based CGI script functioning as a web shell. The script checks a specific cookie value and executes arbitrary commands only when a predetermined token is present in that cookie. This backdoor provided remote command execution on compromised Ivanti devices and likely served as the conduit for deploying DslogdRAT.
Upon activation, DslogdRAT establishes persistence through a sophisticated multi-process architecture. The malware’s core process initiates a child process that enters a persistent loop, subsequently spawning a second child responsible for facilitating command-and-control (C2) communication. Leveraging the pthread library, the malware manages a dedicated thread for communication with its remote C2 server, ensuring streamlined and covert interactions.
The communication protocol employed by DslogdRAT involves retrieving configuration data, managing sockets, and processing commands received from the attacker. JPCERT/CC's analysis found that C2 traffic is XOR-encoded in 7-byte blocks using keys 0x01 through 0x07, which obfuscates the exchange but does not provide real encryption.
Furthermore, the malware’s configuration encapsulates operational details such as designated operating hours and C2 server specifications. DslogdRAT is programmed to operate exclusively between 8:00 AM and 2:00 PM, a strategic maneuver aimed at blending in with normal business activities and evading detection mechanisms. The malware’s design underscores a deliberate effort to avoid scrutiny and maintain a persistent presence within compromised systems.
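The two details above, the 7-byte XOR encoding and the 8:00 AM to 2:00 PM operating window, are the kind of thing an analyst wants to check against captured appliance traffic. The following Python is an added example, not code from JPCERT/CC or from the malware itself. It assumes the simplest reading of the report: byte position n within each 7-byte block is XORed with key n+1 (0x01 for the first byte, 0x07 for the seventh), and the window is inclusive of 08:00 and exclusive of 14:00. The sample payload is constructed here, not a real capture.

```python
"""Forensic helpers for DslogdRAT-style C2 traffic (added example, assumptions noted inline)."""
import string

BLOCK_SIZE = 7
# Assumption: one key per byte position inside a 7-byte block, 0x01 .. 0x07.
XOR_KEYS = bytes(range(0x01, 0x08))


def xor_block_decode(data: bytes) -> bytes:
    """XOR each byte with the key for its position within a 7-byte block.

    XOR is symmetric, so the same routine both encodes and decodes.
    """
    return bytes(b ^ XOR_KEYS[i % BLOCK_SIZE] for i, b in enumerate(data))


xor_block_encode = xor_block_decode  # same operation, kept for readability

_PRINTABLE = set(string.printable.encode())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in _PRINTABLE) / len(data)


def triage_payload(raw: bytes) -> dict:
    """Decode a captured payload and report how text-like the result is.

    Because the keys are small, XOR leaves most ASCII letters printable,
    so the ratio is a hint for an analyst, not a reliable detection signal.
    """
    decoded = xor_block_decode(raw)
    return {"decoded": decoded, "printable_ratio": printable_ratio(decoded)}


# Constructed sample: an operator-style command as it might appear on the wire.
SAMPLE_PLAINTEXT = b"uname -a\n"
SAMPLE_CAPTURE = xor_block_encode(SAMPLE_PLAINTEXT)

# Assumption: the reported 8:00 AM to 2:00 PM window is [08:00, 14:00).
OPERATING_START = (8, 0)
OPERATING_END = (14, 0)


def within_operating_window(hour: int, minute: int = 0) -> bool:
    """True if a beacon timestamp falls inside the malware's active hours.

    Beacons outside this window would not match DslogdRAT's own schedule,
    which helps when correlating appliance logs with the reported behaviour.
    """
    return OPERATING_START <= (hour, minute) < OPERATING_END


if __name__ == "__main__":
    result = triage_payload(SAMPLE_CAPTURE)
    print("raw     :", SAMPLE_CAPTURE.hex())
    print("decoded :", result["decoded"])
    print("printable ratio:", result["printable_ratio"])
    print("09:30 in window:", within_operating_window(9, 30))
    print("14:00 in window:", within_operating_window(14, 0))
```

Run the file directly to see the constructed sample round-trip; to apply it to real data, pass the payload bytes extracted from a packet capture or appliance log to `triage_payload` and review the decoded output by hand.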
With a diverse range of capabilities, DslogdRAT can execute file transfers, shell operations, and serve as a proxy tunnel for lateral movement or data exfiltration. The malware’s support for various command values underscores its versatility in carrying out malicious activities while evading detection measures.
Researchers also noted the presence of the SPAWNSNARE backdoor on the same compromised systems, hinting at possible toolset sharing or coordination among threat actors. The co-existence of multiple malware families on one appliance underscores the complexity of the current threat landscape.
In response, JPCERT/CC and U.S. CISA have issued security advisories covering vulnerabilities affecting Ivanti Connect Secure, particularly CVE-2025-22457. Organizations running Ivanti Connect Secure are strongly advised to apply available patches promptly, conduct thorough forensic reviews of their appliances, and monitor for indicators of compromise to mitigate the associated risk.
The emergence of DslogdRAT represents a sophisticated and disciplined approach to exploiting zero-day flaws in Ivanti systems, emphasizing the evolving tactics employed by malicious entities in the cyber domain. As defenders navigate this intricate threat landscape, prioritizing threat hunting and network segmentation becomes imperative to thwart potential lateral movement and safeguard critical assets from exploitation.