Critical Alert: JPCERT Uncovers DslogdRAT Malware Exploiting Ivanti Connect Secure Vulnerability
JPCERT warns of a new malware, DslogdRAT, exploiting a patched flaw in Ivanti Connect Secure. Discover the impact and mitigation strategies.
TL;DR
- New Malware Identified: JPCERT/CC researchers discovered DslogdRAT malware exploiting a zero-day vulnerability in Ivanti Connect Secure.
- Vulnerability Details: The flaw, tracked as CVE-2025-0282, affects multiple Ivanti products and allows remote code execution.
- Attack Vector: Attackers used a Perl-based CGI web shell to execute arbitrary commands and deploy DslogdRAT.
- Mitigation: The vulnerability has been patched, and users are advised to update their systems immediately.
Researchers from JPCERT/CC have identified a new malware strain, dubbed DslogdRAT, which was deployed by exploiting a now-patched vulnerability in Ivanti Connect Secure (ICS). This discovery highlights the ongoing threat of cyber attacks targeting enterprise security solutions.
Vulnerability Overview
The vulnerability, designated as CVE-2025-0282, is a stack-based buffer overflow affecting several Ivanti products:
- Ivanti Connect Secure before version 22.7R2.5
- Ivanti Policy Secure before version 22.7R1.2
- Ivanti Neurons for ZTA gateways before version 22.7R2.3
With a CVSS score of 9.0, this critical flaw allows unauthenticated attackers to achieve remote code execution and authenticated users to escalate privileges.
Timeline of Events
- December 2024: JPCERT/CC researchers first observed attacks on Japanese organizations using the zero-day vulnerability to deploy DslogdRAT and a web shell.
- January 2025: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog.
- March 2025: Microsoft warned that the China-backed APT group Silk Typhoon, linked to the U.S. Treasury hack, was targeting global IT supply chains using this vulnerability.
Attack Methodology
Attackers used a Perl-based CGI web shell that checked incoming requests for a specific DSAUTOKEN cookie value. When the value matched, the shell passed the command supplied in the request to Perl's system function, which is how DslogdRAT was most likely deployed.
“This Perl script is executed as a CGI and retrieves the Cookie header from incoming HTTP requests. If the value of DSAUTOKEN= matches af95380019083db5, the script uses the system function to execute an arbitrary command specified in the request parameter data.” [1]
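The trigger condition quoted above (the DSAUTOKEN cookie value plus a command in the "data" parameter) is directly usable as a detection rule for proxy logs or captured HTTP requests. The following is an added example, not JPCERT/CC's code; the request paths, hostnames and sample traffic are constructed, and only the cookie value comes from the analysis above.

```python
from urllib.parse import parse_qs, urlsplit

# Indicator quoted in the JPCERT/CC analysis above.
KNOWN_TOKEN = "af95380019083db5"

def parse_cookies(header):
    """Split a Cookie header into a name -> value dict (malformed parts skipped)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def parse_request(raw):
    """Return (method, target, headers, body) from one raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def inspect_request(raw):
    """Return a finding dict if the request carries the web shell token, else None."""
    method, target, headers, body = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    if cookies.get("DSAUTOKEN") != KNOWN_TOKEN:
        return None
    # The shell reads its command from a parameter named "data"; look in the
    # query string and, for form-encoded POSTs, in the body as well.
    params = parse_qs(urlsplit(target).query)
    if method == "POST" and "form-urlencoded" in headers.get("content-type", ""):
        params.update(parse_qs(body))
    return {"target": urlsplit(target).path, "command_param": "data" in params}

def scan(requests):
    """Run inspect_request over raw requests and keep only the findings."""
    return [f for f in map(inspect_request, requests) if f]

# Constructed sample traffic: a normal request with a different token, a
# matching POST carrying a "data" parameter, and a matching GET without one.
SAMPLE_REQUESTS = [
    "GET /portal/login.cgi HTTP/1.1\r\nHost: vpn.example.test\r\n"
    "Cookie: DSAUTOKEN=0123456789abcdef; lang=en\r\n\r\n",
    "POST /example/placeholder.cgi HTTP/1.1\r\nHost: vpn.example.test\r\n"
    "Cookie: DSAUTOKEN=af95380019083db5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\ndata=PLACEHOLDER",
    "GET /example/placeholder.cgi?x=1 HTTP/1.1\r\nHost: vpn.example.test\r\n"
    "Cookie: DSAUTOKEN=af95380019083db5\r\n\r\n",
]
```

A matching token without a "data" parameter is still worth alerting on, since it indicates someone probing for the shell; the `command_param` flag only tells the analyst whether a command was actually submitted.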
DslogdRAT Malware Analysis
DslogdRAT operates by spawning two child processes:
- Idle Process: Enters a loop routine with sleep intervals, remaining active indefinitely.
- Core Functionality Process: Handles C2 communication and command execution using the pthread library.
The malware’s configuration is XOR-encoded and hardcoded, designed to operate only during typical business hours (8 AM to 8 PM) to evade detection. It uses socket connections with XOR encoding for C2 communication, sending basic host information initially and supporting proxy functionality, file upload/download, and shell command execution.
Additional Threats
JPCERT/CC also detected another malware, SPAWNSNARE, in the compromised systems. This malware was previously reported by CISA and Google in April 2025.
Mitigation and Recommendations
Users are strongly advised to update their Ivanti products to the latest versions to mitigate the risk associated with CVE-2025-0282. Regular security audits and monitoring for unusual activity are also recommended to detect and respond to potential threats promptly.
Conclusion
The discovery of DslogdRAT malware exploiting the Ivanti Connect Secure vulnerability underscores the importance of timely patching and vigilant security practices. As cyber threats continue to evolve, organizations must remain proactive in their defense strategies to safeguard against such attacks.
References
[1] JPCERT/CC (April 2025). “JPCERT warns of DslogdRAT malware deployed in Ivanti Connect Secure”. Security Affairs. Retrieved 2025-04-26.