CyberSecurity SEE

SPAWNCHIMERA Malware Takes Advantage of Ivanti Buffer Overflow Vulnerability Through Critical Fix Implementation

The SPAWNCHIMERA malware family has been making headlines recently after being identified as exploiting the buffer overflow vulnerability known as CVE-2025-0282 in Ivanti Connect Secure, as confirmed by JPCERT/CC.

This vulnerability, which was disclosed in January 2025, had already been actively exploited since late December 2024, before its public announcement. The malicious software, an evolved variant of the SPAWN family, incorporates various advanced features to boost its capabilities and avoid detection.

One of the most intriguing aspects of SPAWNCHIMERA is its ability to dynamically patch the CVE-2025-0282 vulnerability. This unique feature allows the malware to mitigate the flaw that arises from the improper use of the strncpy function by hooking the function and limiting the copy size to 256 bytes. The patch is only activated under specific conditions, such as when the process name is “web,” preventing other attackers from exploiting the vulnerability and thwarting attempts by proof-of-concept (PoC) tools to scan for the vulnerability.

Furthermore, SPAWNCHIMERA has altered its inter-process communication method by switching from using local port 8300 to UNIX domain sockets. This change routes malicious traffic between processes via a covert path (/home/runtime/tmp/.logsrv), making it significantly more challenging to detect using conventional network monitoring tools like netstat. According to a report by JPCERT, this modification underscores SPAWNCHIMERA’s emphasis on evading detection while maintaining its robust functionality.
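Because the socket path above does not show up as a listening TCP port, a defender has to look at the kernel's UNIX socket table instead. The following added example (not from JPCERT/CC or the article) parses /proc/net/unix-style output and flags sockets bound to the reported path or to a hidden dotfile under a tmp directory; the sample table is constructed, and the heuristic for hidden tmp sockets is an assumption rather than a documented indicator.

```python
"""Scan /proc/net/unix-style output for UNIX domain sockets bound to
suspicious paths, such as the hidden path reported for SPAWNCHIMERA."""
from pathlib import Path

# Indicator taken from the JPCERT/CC analysis described in the article.
SPAWNCHIMERA_SOCKET_PATH = "/home/runtime/tmp/.logsrv"


def parse_proc_net_unix(text):
    """Parse the table format of /proc/net/unix into dicts.
    Column layout: Num RefCount Protocol Flags Type St Inode [Path]."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 7:
            continue
        # Unnamed sockets have no Path column; abstract sockets start with '@'.
        path = parts[7] if len(parts) >= 8 else ""
        entries.append({"inode": int(parts[6]), "state": parts[5], "path": path})
    return entries


def suspicious_sockets(entries, known_paths=(SPAWNCHIMERA_SOCKET_PATH,)):
    """Return entries bound to a known indicator path, or (heuristic
    assumption) to a dot-prefixed socket file under a tmp directory."""
    hits = []
    for entry in entries:
        path = entry["path"]
        if not path or path.startswith("@"):    # skip unnamed/abstract sockets
            continue
        hidden_tmp = Path(path).name.startswith(".") and "/tmp/" in path
        if path in known_paths or hidden_tmp:
            hits.append(entry)
    return hits


# Constructed sample in /proc/net/unix layout (not data from a real appliance).
SAMPLE = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18922 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 24117 /home/runtime/tmp/.logsrv
0000000000000000: 00000002 00000000 00000000 0002 01 24310 @/tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 24455
"""

if __name__ == "__main__":
    for hit in suspicious_sockets(parse_proc_net_unix(SAMPLE)):
        print(f"suspicious socket inode={hit['inode']} path={hit['path']}")
```

On a live Linux host the same functions can be fed the contents of /proc/net/unix; the inode number can then be matched against /proc/*/fd to find the owning process.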

In an effort to enhance its stealth capabilities, SPAWNCHIMERA encodes its SSH private key within the malware sample itself, decoding it dynamically at runtime using an XOR-based function. The malware has also replaced hardcoded traffic identifiers with a calculation-based decode function for recognizing malicious traffic, and it has removed the debugging messages present in earlier versions, complicating analysis and reducing opportunities for detection during reverse engineering.

The incorporation of these advanced features illustrates the evolution of SPAWNCHIMERA into a more sophisticated threat. By combining exploitation capabilities with mitigation mechanisms such as vulnerability fixing, the malware not only secures its own persistence but also disrupts the efforts of competing threat actors.

The changes observed in SPAWNCHIMERA highlight a growing trend where malware creators integrate defensive techniques to fortify their presence within compromised systems. Organizations utilizing Ivanti Connect Secure are strongly advised to promptly apply patches provided by the vendor and stay vigilant for any indications of compromise.

Enhanced detection methods that focus on behavioral analysis rather than static signatures may be essential to effectively identify threats like SPAWNCHIMERA. As the cybersecurity landscape continues to evolve, staying ahead of emerging threats like SPAWNCHIMERA remains a paramount concern for organizations and security professionals alike.

In conclusion, the emergence of malware like SPAWNCHIMERA underscores the importance of continual vigilance and proactive measures to mitigate cybersecurity risks in an ever-changing digital landscape.
