Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware




Networks protected by Ivanti VPNs are under active attack by well-resourced hackers who are exploiting a critical vulnerability that gives them complete control over the network-connected devices.

Hardware maker Ivanti disclosed the vulnerability, tracked as CVE-2025-0283, on Wednesday and warned that it was under active exploitation against some customers. The vulnerability, which is being exploited to allow hackers to execute malicious code with no authentication required, is present in the company’s Connect Secure VPN, Policy Secure, and ZTA Gateways. Ivanti released a security patch at the same time. It upgrades Connect Secure devices to version 22.7R2.5.

Well-written, multifaceted

According to Google-owned security provider Mandiant, the vulnerability has been actively exploited against “multiple compromised Ivanti Connect Secure appliances” since December, a month before the then zero-day came to light. After exploiting the vulnerability, the attackers go on to install two never-before-seen malware packages, tracked under the names DRYHOOK and PHASEJAM, on some of the compromised devices.

PHASEJAM is a well-written and multifaceted bash shell script. It first installs a web shell that gives the remote hackers privileged control of devices. It then injects a function into the Connect Secure update mechanism that’s intended to simulate the upgrading process.

“If the ICS administrator attempts an upgrade, the function displays a visually convincing upgrade process that shows each of the steps along with various numbers of dots to mimic a running process,” Mandiant said. The company continued:

PHASEJAM injects a malicious function into the /home/perl/DSUpgrade.pm file named processUpgradeDisplay(). The functionality is intended to simulate an upgrading process that involves 13 steps, with each of those taking a predefined amount of time. If the ICS administrator attempts an upgrade, the function displays a visually convincing upgrade process that shows each of the steps along with various numbers of dots to mimic a running process. Further details are provided in the System Upgrade Persistence section.

The attackers are also using a previously seen piece of malware tracked as SPAWNANT on some devices. One of its functions is to disable an integrity checker tool (ICT) that Ivanti has built into recent VPN versions and that is designed to inspect device files for unauthorized additions. SPAWNANT does this by replacing the expected SHA256 cryptographic hash of a core file with the hash of that file after it has been infected. As a result, when the tool is run on compromised devices, admins see the following screen:
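The manifest-swap trick described above only works because the integrity checker trusts a list of expected hashes that lives on the same device the attacker controls. The following Python model, written for this article and not taken from Ivanti's ICT or from Mandiant's report, shows why: an in-memory "filesystem" (constructed, with placeholder paths that are not Ivanti's) is checked first against a device-local manifest and then against a manifest whose HMAC signature is verified with a key held off the appliance. When a file is modified and its manifest entry is updated to match, the first check reports the device clean while the second reports the manifest as untrustworthy. The signing key, file contents and paths are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed in-memory "appliance filesystem" (path -> contents).
# Placeholder paths and bytes; not Ivanti's real files or ICT format.
CLEAN_FILES = {
    "/opt/appliance/lib/Upgrade.pm": b"package Upgrade; sub run { return 1 } 1;\n",
    "/opt/appliance/bin/web": b"placeholder-web-binary\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents, as an integrity checker would compute it."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Expected-hash manifest: path -> SHA-256 hex, computed from a known-good tree."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def check_against_manifest(files: dict, manifest: dict) -> list:
    """Return the paths whose current hash differs from the manifest's expected hash.
    This is the device-local check: it trusts whatever manifest it is handed."""
    return [p for p, h in manifest.items() if sha256_hex(files.get(p, b"")) != h]


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON encoding of the manifest.
    In a real deployment the key would never be stored on the appliance."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def check_with_signed_manifest(files: dict, manifest: dict, signature: str, key: bytes) -> list:
    """Verify the manifest's signature before trusting its hashes. A manifest that
    has been edited on-device fails verification and every path it covers is flagged,
    instead of the edited hashes being silently accepted."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["<manifest signature invalid>"] + sorted(manifest)
    return check_against_manifest(files, manifest)


def simulate_manifest_swap():
    """Model the page's scenario: one core file is altered and the stored expected
    hash is replaced with the hash of the altered file. Returns the findings of
    the device-local check and of the signed-manifest check, in that order."""
    key = b"constructed-offline-signing-key"  # assumption: held off-appliance
    manifest = build_manifest(CLEAN_FILES)
    signature = sign_manifest(manifest, key)  # produced when the clean image was built

    # Tampered state: file contents changed, on-device manifest entry updated to match.
    tampered_files = dict(CLEAN_FILES)
    tampered_files["/opt/appliance/lib/Upgrade.pm"] += b"# constructed modification\n"
    tampered_manifest = dict(manifest)
    tampered_manifest["/opt/appliance/lib/Upgrade.pm"] = sha256_hex(
        tampered_files["/opt/appliance/lib/Upgrade.pm"]
    )

    local_findings = check_against_manifest(tampered_files, tampered_manifest)
    signed_findings = check_with_signed_manifest(tampered_files, tampered_manifest, signature, key)
    return local_findings, signed_findings


if __name__ == "__main__":
    local, signed = simulate_manifest_swap()
    print("device-local manifest check:", local or "clean (false negative)")
    print("signed-manifest check:", signed)
```

The design point is that the hash list is itself an input the checker must authenticate. Verifying it against a signature (or comparing the appliance's files against a known-good image held off the device, as Ivanti's external ICT does in principle) turns "the manifest was edited" into a detectable finding rather than a way to hide modified files.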
