Active Ivanti VPN Attacks Deliver Sophisticated Malware (DRYHOOK, PHASEJAM) and Bypass Integrity Checks to Take Full Device Control

Ivanti VPNs are under active attacks as sophisticated threat groups leverage a critical vulnerability to take control of network-connected devices. The breach centers on Ivanti’s Connect Secure VPN and extends to Policy Secure and ZTA Gateways, with a patch released to address the flaw. The exploit enables attackers to run malicious code without authentication, giving them full control over affected devices and the networks they guard. This evolving campaign has been described as well-funded and highly targeted, underscoring the need for urgent vigilance and comprehensive remediation by organizations relying on Ivanti’s VPN solutions.

Vulnerability details, affected products, and the patch

The core vulnerability, identified as CVE-2025-0282, was disclosed by Ivanti on a Wednesday and promptly acknowledged as being actively exploited against certain customers. The flaw resides in Ivanti Connect Secure VPN, along with its Policy Secure and Zero Trust Architecture (ZTA) Gateways. The nature of the vulnerability allows attackers to execute arbitrary code on unpatched devices without requiring any form of authentication, thereby bypassing standard security checks and enabling deep compromise of networked systems. Ivanti responded by releasing a security patch simultaneously with the public disclosure, upgrading Connect Secure devices to version 22.7R2.5 to close the vulnerability channel. This immediate patch was critical to preventing further exploitation, but it also highlighted the seriousness of the exposure and the attackers’ rapid adoption of the vulnerability once it was publicly known.

Independent threat intelligence providers corroborated the severity and speed of exploitation. Google-owned Mandiant reported that the vulnerability had been actively exploited against multiple compromised Ivanti Connect Secure appliances since mid-December, roughly three weeks before the vulnerability came to light publicly as a zero-day. This timing indicates a proactive, real-world operation in which attackers diversified their foothold before a formal disclosure, maximizing the potential impact on vulnerable deployments. The fact that the breach persisted across multiple devices suggests a scalable attack framework designed to infiltrate and persist within enterprise VPN ecosystems, creating an ongoing risk for data, credentials, and communications that traverse the VPN perimeter.

The patch itself is part of Ivanti’s broader response to the incident. By elevating affected Connect Secure devices to version 22.7R2.5, Ivanti aims to remediate the core flaw and reduce the likelihood of additional exploit attempts succeeding on unpatched systems. Organizations deploying Ivanti VPNs are urged to apply the update promptly, perform post-patch validation to ensure the integrity of the VPN gateway services, and continue monitoring for any unusual activity that could indicate residual compromise or post-exploit behaviors. While the patch addresses the direct vulnerability, the broader threat landscape around post-exploitation activity—such as persistence mechanisms and data exfiltration attempts—requires ongoing detection, monitoring, and containment measures to fully restore secure operations.

The vulnerability’s impact is not limited to immediate compromise. The attackers’ subsequent actions demonstrate a sophisticated approach that combines initial access with stealthy post-exploitation behaviors and persistence across system upgrades. This multi-stage operation complicates detection and containment, as adversaries seek to minimize visible indicators of compromise while maintaining the ability to exfiltrate sensitive data and maintain control over compromised devices. Given the high privilege level of the access and the steady expansion of the threat actors’ capabilities, organizations should view the CVE-2025-0282 incident as a reminder of the importance of rapid patch deployment, layered security monitoring, and robust incident response practices in VPN environments.

In practice, organizations should treat the patch as a critical prerequisite for regaining a secure posture, but not a complete remedy. Patch deployment must be accompanied by comprehensive validation that the devices have indeed updated to the recommended version, and a verification process to confirm that no known post-exploitation tools or modifications remain present on affected appliances. The broader security program should incorporate continuous integrity checks, anomaly detection in VPN sessions, and a renewed emphasis on least-privilege configurations and strong authentication for VPN access. In the current threat environment, merely applying a patch without a broader containment and monitoring strategy could leave an organization exposed to residual threats that were already introduced during the window of vulnerability.

Ivanti’s guidance also emphasizes that the ICT (Integrity Check Tool) is a valuable resource for detecting infections, but it is not a stand-alone solution. Administrators must exercise due diligence when interpreting ICT results, since the tool’s effectiveness depends on correctly distinguishing genuine system states from tampered states and post-exploitation artifacts. The vulnerability and its exploitation thus illustrate the critical interplay between patching, detection, and response in modern VPN security, and they underscore why defenders should coordinate across multiple security controls, including proactive monitoring, host integrity checks, and network-level detection of unusual VPN behavior and credential use patterns.

To summarize this section: CVE-2025-0282 affects Ivanti Connect Secure VPN, Policy Secure, and ZTA Gateways, with exploitation observed in the wild since mid-December before the vulnerability’s disclosure. Ivanti issued a patch upgrading Connect Secure devices to 22.7R2.5. Security researchers, particularly Mandiant, have documented the active exploitation and the emergence of sophisticated post-exploit malware. The patch is essential but must be complemented by vigilant detection and post-exploitation defense measures to prevent recurrence and limit damage.

In-the-wild exploitation: timeline, compromise, and initial footholds

The in-the-wild exploitation of the vulnerability has unfolded as a multi-stage operation designed to maximize attackers’ foothold within targeted networks and expand control over compromised devices. Early activity indicates that the attackers leveraged the CVE-2025-0282 vulnerability to establish initial access on Ivanti Connect Secure appliances that had not yet been patched, enabling them to execute code remotely without authentication. Once inside, the attackers proceeded to deploy two previously unseen malware families, DRYHOOK and PHASEJAM, on several compromised devices. These deployments demonstrate a deliberate approach to establish backdoors, expand control, and escalate privileges in a manner designed to evade straightforward detection by standard antivirus or intrusion detection tools.

DRYHOOK and PHASEJAM function as complementary components within the attacker’s toolkit. DRYHOOK appears to serve as a supporting module that facilitates the main exploitation and backdoor operations, while PHASEJAM represents a more feature-rich and adaptable payload capable of multiple tasks. The appearance of these two distinct artifacts on compromised devices signals a sophisticated level of development and operational planning, indicating that the attackers have mature capabilities and are prepared to maintain long-term access to impacted environments. The existence of such dual payloads also implies a modular approach to exploitation, where attackers can extend functionality or adapt their toolkit to evolving defensive measures or specific target environments.

PHASEJAM is described as a well-written, multifaceted bash shell script. Its initial action is to install a web shell that grants remote attackers privileged control over the compromised device. A web shell provides a persistent, remote command-and-control channel, enabling attackers to execute commands, download additional payloads, and perform ongoing reconnaissance with relative ease. However, PHASEJAM does not stop at establishing a backdoor. It proceeds to inject a function into Ivanti’s Connect Secure update mechanism, specifically designed to simulate the upgrade process. The goal of this injection is to trick the system administrator into believing that a legitimate upgrade is in progress, thereby masking ongoing malicious activity and potentially delaying detection and response.

Mandiant described a key component of PHASEJAM’s upgrade simulation as follows: the injected function creates a visually convincing upgrade sequence that displays each step of the upgrade, accompanied by a varying number of dots to mimic a running process. This crafted display is intended to mislead administrators who monitor upgrade progress screens, reducing the likelihood that they will question anomalies or verify the actual integrity of the upgrade. The function responsible for this deception is labeled processUpgradeDisplay and is inserted into a critical upgrade script pathway. The function is designed to emulate a 13-step upgrade sequence, with each step consuming a predefined amount of time. The net effect is a credible, time-delayed progression that resembles a legitimate upgrade while the attacker’s hidden payload continues to operate behind the scenes.

The PHASEJAM framework also demonstrates a broader capability in the realm of system management by making targeted modifications to the appliance’s upgrade behavior. The dual focus on both infection and deception highlights the attackers’ aim to preserve control over compromised devices while reducing the likelihood of immediate discovery. The technique of simulating an upgrade process shows the attackers’ awareness of how administrators observe routine maintenance operations and their intent to exploit this human factor to prolong the window of opportunity for data extraction or further intrusions.

Beyond the use of PHASEJAM in the upgrade path, attackers leveraged another established malware family known as SPAWNANT on some devices. SPAWNANT’s function in this campaign includes disabling an integrity-checking tool (ICT) that Ivanti has integrated into recent VPN versions. The ICT is intended to inspect device files for unauthorized changes and ensure the integrity of critical system components. SPAWNANT achieves this disruption by substituting the expected SHA-256 cryptographic hash of a core file with the hash corresponding to the compromised version of that file. As a result, when administrators or automated security checks run the ICT, they encounter a manipulated state that appears legitimate, thereby suppressing alerts about tampering and concealing evidence of the intrusion.

The consequence of this manipulation is evident in the user-facing display. The ICT appears to complete its check with three steps illustrated on the screen, which is conspicuously fewer than the ten steps that the authentic, uncompromised ICT would display. In practice, administrators face a misleading impression of a successful integrity check, while the system remains compromised and vulnerable to the attacker’s ongoing activities. A subsequent, genuine ICT scan would reveal the correct ten-step process, underscoring the inconsistency and providing a clue regarding the manipulation. The presence of a second, authentic ICT state after infection illustrates how deception can mask a compromise and delay discovery, emphasizing the importance of corroborating ICT results with additional, independent security verification methods.

The attackers’ use of SPAWNANT reinforces the broader pattern of dual-use deception and persistence that characterizes this campaign. By creating a misleading interface for integrity verification, hiding altered cryptographic states, and maintaining access across system operations, the attackers demonstrate a mature operational capability. The combination of a stealthy web shell, a fake upgrade mechanism, and an integrity-check subversion tool points to a coordinated, carefully staged intrusion designed to maximize control over the target environment while minimizing detectable indicators of compromise. The net effect is a prolonged period of covert operation that increases the risk of data exposure, credential theft, and persistent access to VPN-connected networks.

In essence, the exploitation timeline represents a multi-pronged approach: initial remote code execution without authentication, rapid deployment of a duo of bespoke malware payloads (DRYHOOK and PHASEJAM), sophisticated deception around system upgrades, and the subversion of integrity-check mechanisms through SPAWNANT. This combination enables intruders to establish footholds, extend their reach within the target network, and maintain a degree of stealth that complicates early detection. The pattern observed in the wild demonstrates a deliberate, methodical progression from vulnerability exploitation to a more persistent, data-centric intrusion operation, with a strong emphasis on evading routine security checks and masking actionable indicators of compromise.

PHASEJAM: architecture, capabilities, and stealthy upgrade spoofing

PHASEJAM stands out in this campaign for its architecture as a well-structured Bash-based payload that combines multiple capabilities into a cohesive adversarial toolset. The initial stage of PHASEJAM focuses on establishing a backdoor and ensuring the attacker has ongoing, remote access to the compromised device. The web shell delivered by PHASEJAM provides a persistent channel for command execution, data exfiltration, and further payload deployment. This web-based interface enables attackers to interact with the infected device as if they were operating locally, enabling real-time control and rapid deployment of auxiliary modules or updates as needed. The web shell’s sophistication suggests that the attackers invested significant effort to ensure reliability, stealth, and ease of use, which in turn facilitates sustained exploitation of the device.

However, PHASEJAM’s capabilities extend far beyond remote command execution. A central feature is the manipulation of the device’s update mechanism, specifically the injection of a malicious function into the update path. The injected function is designed to simulate an upgrade process to the system administrators, creating a credible illusion that legitimate maintenance is underway. The credibility of this simulated upgrade is reinforced by the careful timing and sequencing of steps, as well as the dot-based progression indicators that accompany the visual display. By aligning the fake upgrade with a plausible timeline for a real update, the attackers reduce the likelihood that administrators will question anomalies during the maintenance window.

The injected function is named processUpgradeDisplay and is placed within the Ivanti Connect Secure update mechanism. Its primary purpose is to present a 13-step upgrade process, with each step consuming a specific amount of time. The visual display includes varying numbers of dots to mimic a running process, a common indicator used to reassure operators that the upgrade is progressing normally. The net effect is a convincing deception that helps attackers maintain control over the system while the true malicious operations continue in the background. The deception layer provided by PHASEJAM’s upgrade spoofing demonstrates a nuanced understanding of operator expectations and the ways in which routine maintenance routines can be exploited to conceal unauthorized activity.

In addition to the upgrade spoofing, PHASEJAM’s architecture includes the ability to extend its operational scope via a modular approach. The bash script is structured to accommodate additional features, enabling attackers to deploy supplementary payloads or adjust existing ones as needed. This modularity implies a strategic design that anticipates evolving defensive measures and aims to preserve persistence and control in the face of threat-hunting activities. The combination of backdoor access, upgrade deception, and modular expansion makes PHASEJAM a versatile component in the attacker’s toolkit, capable of sustaining a long-running foothold in vulnerable VPN environments.

The broader implication of PHASEJAM’s design is clear: defenders must anticipate not only direct malware activity but also the behavioral deception that accompanies multi-stage intrusions. Visual upgrade simulations, combined with backdoor channels, can obscure the true state of systems and provide attackers with a window of opportunity to move laterally, collect sensitive data, and implant additional controls that extend their reach. PHASEJAM’s sophisticated approach demonstrates that modern intrusions increasingly rely on a combination of technical payloads and human-factor manipulation to achieve objective-driven outcomes without triggering rapid containment.

The detailed behavior of PHASEJAM’s upgrade-display injection reveals several important defender takeaways. First, any sudden, extended upgrade-like activity on an Ivanti Connect Secure system should raise suspicion, particularly if the upgrade progress appears unusually smooth and self-contained without the usual verification prompts or if the sequence deviates from standard upgrade scripts. Second, administrators should verify the integrity of upgrade scripts and related binaries through independent, trusted channels and verify hashes against known-good baselines, rather than relying solely on system-provided progress indicators. Third, the presence of a persistent web shell on a VPN appliance is a strong indicator of compromise, especially when combined with unusual or unexpected modifications to system scripts or update flows. In practice, organizations should implement multi-layered detection strategies that include file integrity monitoring, process auditing, and anomaly detection tailored to VPN devices and their management interfaces.

PHASEJAM’s overall contribution to the campaign is to create a dual-purpose toolset that both establishes persistent access and undermines administrators’ ability to quickly identify the compromise during routine maintenance. The fusion of a stealthy backdoor, a credible upgrade deception, and an adaptable script-based architecture demonstrates attacker sophistication and a deliberate emphasis on maintaining control while minimizing the risk of early detection. For defenders, recognizing the telltale combination of a web shell, an injected upgrade display function, and a manipulated upgrade path is crucial for enabling rapid containment and remediation, particularly in environments where VPN gateways represent a high-value target for sustained espionage and data exfiltration.

SPAWNANT: integrity-check evasion, hash tampering, and upgrade persistence

In the broader sequence of the campaign, SPAWNANT plays a pivotal role in undermining the reliability of the system’s integrity checks and in facilitating stealthy persistence during system upgrades. The malware’s primary objective is to disable Ivanti’s built-in integrity checker tool (ICT), which is designed to inspect files on the device for unauthorized alterations and tampering. SPAWNANT achieves this by replacing the expected SHA-256 hash of a core file with the hash of the infected version. This substitution effectively misleads the ICT when it runs, creating a false sense of security and allowing attackers to operate under the radar. The manipulated ICT results can misrepresent the state of the system, introducing a risk that administrators will misinterpret the device as clean when, in fact, it has already been compromised.

The display associated with this deception is instructive: the ICT result screen, which would normally show a longer sequence of steps, is replaced by a shorter, three-step sequence. The three-step screen is convincing at first glance, but it is incomplete, since the authentic ICT process shows ten steps. The genuine screen, which appears after the compromised screen has completed, lists ten steps. This contrast is designed to mislead administrators and to create a false certainty that the system has passed its integrity checks, even though malicious modifications exist and persist.

SPAWNANT also demonstrates how attackers can leverage the ICT as part of a broader persistence strategy. By injecting malicious content into the upgrade process and manipulating the validation flow, the attackers manage to maintain continuity of their access even as the system undergoes legitimate upgrades. The combination of hash tampering, deceptive integrity checks, and post-exploit activity provides a robust mechanism for attackers to preserve their foothold within vulnerable devices across maintenance cycles. It is a stark reminder that even seemingly routine security measures can be subverted by skilled adversaries when they can anticipate the checks and controls that defenders rely on to detect compromise.

From a defender’s perspective, awareness of SPAWNANT’s tactics highlights several critical mitigations. Foremost, defenders should implement independent integrity verification mechanisms that are decoupled from the vendor’s ICT, ensuring cross-checking against known-good baselines and offline audit trails. Additionally, organizations should adopt a multi-directional validation approach that includes comparison against secure baselines, cross-referencing with centralized configuration management systems, and correlating upgrade activity with network telemetry to identify inconsistent patterns that accompany tampered integrity checks. Finally, it is essential to maintain a rigorous change-control and monitoring regime around upgrade procedures, including strict access controls for the upgrade path and detailed logging of upgrade-initiated actions, to reduce the risk that attackers can insert malicious code into core maintenance flows.

SPAWNANT’s persistence strategy is complemented by the attackers’ broader objective of maintaining control across system upgrades. By ensuring that the threat remains active through upgrade processes and by circumventing core security checks, the attackers create a resilient foothold that can outlast routine containment efforts. This persistence is particularly dangerous in VPN gateways, where maintenance windows are times of elevated risk but also moments of opportunity for defenders to reimage devices or to revert to known-good states. In short, SPAWNANT represents a high-risk component of the campaign, with direct implications for upgrade hygiene and post-exploitation detectability.

The combination of SPAWNANT’s hash tampering and its role in upgrade persistence demonstrates the attackers’ intent to operate through layered defenses: they aim to disrupt the efficacy of integrity checks, ensure that their code persists in upgraded environments, and prevent early detection. This strategic approach underscores why defenders cannot rely on a single line of defense, such as a hash-based check or a single verification tool. Instead, a comprehensive approach that includes cryptographic validation, integrity monitoring, and independent verification across multiple security layers is necessary to identify, disrupt, and eradicate such sophisticated post-exploitation activities.

Persistence across upgrades, dspkginstall, and signing of modified manifests

A crucial aspect of the attackers’ approach is their ability to persist across system upgrades, ensuring that their malicious components survive device reimaging, firmware updates, or replacement of the upgrade partition. A notable method employed involves hijacking the execution flow of dspkginstall, a binary that Ivanti uses during the system upgrade process. By exporting a malicious snprintf function that contains the persistence mechanism, the attackers embed a hidden capability within the upgrade procedure. This mechanism allows the threat actor to ensure that their malicious payload remains present on the device, even after an upgrade that would typically refresh core components and remove unauthorized modifications.

This persistence strategy is complemented by additional measures designed to maintain trust and operational continuity for the attackers. A further step involves circumventing the integrity checks by regenerating cryptographic material for modified files. Specifically, SPAWNANT is capable of recalculating the SHA-256 hash for any files that have been maliciously altered, thereby maintaining a consistent illusion of legitimate file integrity to standard security checks. The attackers then generate a new RSA key pair to sign the modified manifest, which bolsters the perceived legitimacy of the altered upgrade details and reduces the likelihood that signature-based defenses will flag the changes as suspicious. The combination of a manipulated upgrade path, hash recalculation, and a newly signed manifest creates a robust persistence mechanism that can endure through system maintenance cycles and updates.

The persistence across upgrades is especially concerning because it can enable the attackers to maintain control of VPN devices over extended periods. The ability to survive upgrade processes means that changes introduced during the initial intrusion can be retained and reasserted even after the targeted appliance has undergone hardware or software refreshes. The result is a durable foothold that allows attackers to continue collecting sensitive data, including VPN sessions, cached credentials, and API keys, long after the initial breach would have otherwise been remediated. This resilience emphasizes the need for a rigorous, end-to-end remediation plan that includes secure firmware validation, secure boot configurations, trusted upgrade channels, and verified digital signatures for all components involved in the upgrade process.

In addition to technical persistence, attackers aim to enhance their capability by establishing cryptographic credibility. The modified manifest, signed with a newly generated RSA key pair, helps to ensure that upgrade tooling and associated processes appear legitimate to verification checks that rely on digital signatures. This cryptographic camouflage makes it more challenging for defenders to distinguish between authentic, vendor-signed components and attacker-signed payloads, particularly in environments where automated upgrade workflows are heavily relied upon for routine maintenance. The presence of a valid, attacker-signed manifest can obscure a broader compromise and facilitate continued operation without triggering immediate alarms, leading to a more protracted incident response and remediation effort.

A practical implication for incident responders is the need to rework the upgrade verification procedures to account for such tampering. This includes ensuring that firmware and upgrade components are obtained from trusted sources, cross-validated against dedicated secure repositories, and verified with independent, out-of-band checks beyond the device’s own upgrade tools. It also suggests adopting hardware-based protections such as secure boot, hardware-rooted trust anchors, and tamper-evident seals for critical components involved in the upgrade chain. By hardening the upgrade process in these ways, organizations can reduce the likelihood that attackers will be able to insert malicious changes into the upgrade flow or reuse the upgrade path as a persistence mechanism.

Taken together, the dspkginstall hijack, the SHA-256 hash tampering, and the signing of modified manifests illustrate a comprehensive set of persistence techniques designed to outlast routine maintenance and device lifecycle changes. The attackers’ approach to maintain presence through upgrades and to mask the modifications with attacker-signed manifests highlights the need for defense-in-depth strategies that anticipate upgrade-related abuse and ensure the integrity of software and configuration across the entire lifecycle of VPN appliances. As organizations depend on these systems for secure remote access, the reliability and trustworthiness of upgrade processes become a crucial line of defense in preventing advanced persistent threats from taking root and persisting over time.
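The two evasion techniques described in this section and in the SPAWNANT section (recomputing the SHA-256 of an altered file so the on-device check matches, and re-signing the manifest with a freshly generated RSA key) both defeat verification that trusts material stored on the appliance itself. The following Go program is an added example, not code from Mandiant, Ivanti or the malware authors, and it does not model the real ICT or Ivanti’s manifest format. It assumes a toy manifest of "hash  path" lines signed with PKCS#1 v1.5 over SHA-256, constructed file paths and contents, and two defender checks: a hash baseline kept off the device, and a signature verifier pinned to a vendor key obtained out of band rather than to whatever key ships with the package.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Manifest maps a file path to the hex SHA-256 recorded for it.
type Manifest map[string]string

// SignedManifest is a constructed stand-in for a vendor upgrade manifest: the
// entries, a signature over them, and the public key the package ships with.
type SignedManifest struct {
	Entries Manifest
	Sig     []byte
	Key     *rsa.PublicKey
}

// digest hashes a deterministic rendering of the manifest: sorted "hash  path" lines.
func digest(m Manifest) []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%s  %s\n", m[p], p)
	}
	return h.Sum(nil)
}

// BuildManifest hashes every file, as the packaging step would.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for p, data := range files {
		m[p] = fmt.Sprintf("%x", sha256.Sum256(data))
	}
	return m
}

// Sign signs the manifest (PKCS#1 v1.5 over SHA-256) and bundles the signer's key.
func Sign(m Manifest, key *rsa.PrivateKey) SignedManifest {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(m))
	if err != nil {
		panic(err) // cannot fail with a well-formed key
	}
	return SignedManifest{Entries: m, Sig: sig, Key: &key.PublicKey}
}

// CheckFiles returns, sorted, the paths whose hash differs from the manifest.
func CheckFiles(files map[string][]byte, m Manifest) []string {
	var bad []string
	for p, data := range files {
		if m[p] != fmt.Sprintf("%x", sha256.Sum256(data)) {
			bad = append(bad, p)
		}
	}
	sort.Strings(bad)
	return bad
}

// VerifyBundledKey trusts whatever key ships with the manifest: the weak check,
// which a manifest re-signed with a freshly generated key passes.
func VerifyBundledKey(sm SignedManifest) bool {
	return rsa.VerifyPKCS1v15(sm.Key, crypto.SHA256, digest(sm.Entries), sm.Sig) == nil
}

// VerifyPinned accepts only the vendor key obtained out of band and held off
// the appliance; whatever key is bundled with the package is ignored.
func VerifyPinned(sm SignedManifest, pinned *rsa.PublicKey) bool {
	return rsa.VerifyPKCS1v15(pinned, crypto.SHA256, digest(sm.Entries), sm.Sig) == nil
}

// Scenario models a release, then a tampering step that edits one file, recomputes
// its hash and re-signs the manifest with a new key, and runs every check. It
// returns the mismatches against the on-device manifest, the mismatches against
// the offline baseline, and the two verifier outcomes. Paths and contents are
// constructed placeholders.
func Scenario() (onDevice, baseline []string, bundledOK, pinnedOK bool) {
	vendorKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	const script = "/pkg/scripts/upgrade.sh"
	files := map[string][]byte{
		"/pkg/bin/dspkginstall": []byte("vendor binary (constructed)"),
		script:                  []byte("#!/bin/bash\n# vendor upgrade script (constructed)\n"),
	}
	known := BuildManifest(files) // the defender keeps this copy off the appliance
	tampered := map[string][]byte{"/pkg/bin/dspkginstall": files["/pkg/bin/dspkginstall"]}
	tampered[script] = append(append([]byte{}, files[script]...), "# injected line (constructed)\n"...)
	resigned := Sign(BuildManifest(tampered), attackerKey)
	return CheckFiles(tampered, resigned.Entries), CheckFiles(tampered, known),
		VerifyBundledKey(resigned), VerifyPinned(resigned, &vendorKey.PublicKey)
}

func main() { fmt.Println(Scenario()) }
```

Run with `go run`: the on-device check reports no mismatches and the bundled-key verifier accepts the package, because both only ever compare the device against itself; the offline baseline flags the edited script and the pinned verifier rejects the signature. The design point is that the reference material (the hash baseline and the vendor’s public key) has to live somewhere the appliance cannot rewrite.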

Data collection objectives: what attackers are after and attribution

The overarching objective of the campaign is data exfiltration and credential harvesting. After exploiting the vulnerability and establishing footholds on compromised Ivanti Connect Secure appliances, attackers aim to harvest a broad array of sensitive data, including VPN sessions, session cookies, API keys, certificates, and credential material. The accumulation of such data provides attackers with continuous access to user sessions, secure communications, and protected resources, enabling replay of authenticated activity and long-term access to critical assets. The value of this data in the attackers’ operations is significant, offering the potential for ongoing espionage, targeted surveillance, or broader campaigns against other connected systems within the organization’s network.

Mandiant attributed the attacks to two unknown groups operating with China-nexus espionage characteristics. One group is tracked as UNC5337, and a separate group, UNC5221, appears to be a subgroup of UNC5337. While the specific identities of these groups are not publicly disclosed, the attribution to China-nexus actors underscores a geopolitical dimension to the campaign and indicates strategic objectives that extend beyond immediate data exfiltration. This attribution aligns with broader patterns observed in other state-sponsored cyber operations, where the objective often extends to long-term access to sensitive corporate, government, or research networks, enabling ongoing intelligence collection and potential influence operations.

The designation of two distinct groups within the same operation signals a layered or collaborative approach to the intrusion, where multiple actors contribute different capabilities to the campaign. UNC5337 is described as a more dominant group, with UNC5221 acting as a subcomponent or affiliate, potentially handling specific tasks such as shell access, data staging, or exfiltration. This structure reflects a tactic often seen in sophisticated espionage campaigns, where a core team provides the strategic direction and back-end infrastructure, while a secondary team or affiliate handles execution, persistence, or specific operational tasks. For defenders, this attribution emphasizes the breadth and complexity of the threat, as it implies a coordinated operation with potentially cross-organization implications and a longer time horizon for detection and response.

From a defensive standpoint, the data exfiltration objective means defenders should prioritize continuous session monitoring, key and credential protection, and certificate integrity across VPN gateways. In practical terms, organizations should monitor for anomalous VPN session patterns, unusual API key or certificate usage, and unexpected access to or export of credentials from the VPN environment. Adopting a multi-disciplinary incident response approach that includes network security, endpoint security, and identity and access management teams is essential to identify, contain, and eradicate the attackers’ data collection activities. The attribution to China-nexus actors further reinforces the risk posture considerations for organizations operating in sensitive sectors or handling highly valuable data, where targeted espionage could be more likely.

Defenders should also be aware of the potential for cross-environment exploitation, where compromised Ivanti VPNs could serve as a jumping-off point for broader intrusions into enterprise networks, cloud resources, or auxiliary services that rely on VPN connectivity. The attackers’ emphasis on acquiring session data, keys, and certificates increases the likelihood that they could mount additional attacks or pivot to other access vectors, particularly if the organization’s credential hygiene, key management, and certificate lifecycles are not robustly protected. Given the importance of VPNs to modern enterprise operations, a breach of these components can have cascading effects, including parallel compromises of remote work infrastructure, cloud access, and internal systems that rely on VPN-authenticated access.

In short, the attackers’ data-focused objectives, combined with their China-nexus attribution and dual-group structure, create a high-stakes threat landscape for Ivanti VPN deployments and related networks. The emphasis on VPN session data, credentials, and certificates points to a campaign designed for sustained access and intelligence collection, with potential long-term effects that require comprehensive, coordinated defense strategies across organizational boundaries, incident response teams, and executive oversight.

Detection, response, and containment: Ivanti ICT, limitations, and recommended practices

Ivanti has recommended using its Integrity Check Tool (ICT) to detect infections and compromised devices, recognizing that the tool can be valuable in identifying certain anomalies and indicators of compromise. However, Ivanti also cautions that the ICT is not a standalone, catch-all solution. The tool provides a snapshot of the appliance’s current state, and it does not guarantee detection of threat actor activity if the device has been returned to a clean state or if the attackers have cleared or manipulated traces of compromise. Because the ICT does not itself scan for malware or other indicators of compromise, Ivanti recommends using it in conjunction with other security monitoring tools to create a more complete picture of post-exploitation activity. The practical takeaway is that ICT results should be cross-validated with additional monitoring solutions to ensure a robust detection posture.

Some compromised devices were discovered using the ICT, but administrators must interpret results with caution. Because attackers can disguise changes or tamper with integrity checks, a negative ICT result does not guarantee that a device is free of compromise. The ICT’s limitations mean defenders should not rely solely on its outputs, but rather should pair ICT data with other telemetry sources, such as behavioral analytics, anomaly detection, and host-based forensic indicators. In this context, a multi-layered approach to detection and response becomes essential, especially given the attackers’ use of deception, such as simulated upgrades and integrity-check evasion. The combination of these techniques can obscure the presence of intrusions and delay remediation, highlighting the importance of a holistic approach to post-exploitation hunting.

Ivanti emphasizes that, if the ICT detects an infection, administrators should perform a factory reset on the device to remove the malicious software and restore a clean baseline. While factory resets are a powerful remediation step, the attackers’ persistence mechanisms and the upgrade-preserving modifications described earlier complicate the remediation process. A factory reset may remove some components, but it may not fully eliminate the attackers’ footholds if backdoors or altered upgrade scripts survive in the upgrade chain. Consequently, organizations should implement a comprehensive remediation plan that includes reimaging or replacing the affected hardware, validating firmware integrity, reconfiguring VPN access controls, and restoring configuration from known-good backups. The remediation plan should also incorporate network segmentation and enhanced monitoring to detect any residual activity after the reset, as attackers may attempt to re-enter the environment via alternate vectors.

In addition to Ivanti’s guidance, security researchers and practitioners stress the importance of a multi-faceted approach to detection and response. This includes cross-vendor threat intelligence sharing, coordinated incident response, and the deployment of complementary detection tools that can identify post-exploitation behaviors beyond what a single tool can reveal. Organizations should review related advisories from other security vendors and regulatory agencies to gather a broader set of indicators of compromise and recommended actions. The overall strategy centers on building a strong, defense-in-depth posture that integrates patch management, vulnerability management, host-based detection, network-level monitoring, and robust incident response planning. The goal is to shorten the time between initial intrusion discovery and complete remediation, while minimizing business disruption and operational impact.

Crucially, administrators should be aware that ICT results may not always be conclusive. Some devices showing signs of compromise or successful exploitation may require deeper forensic analysis to confirm and then address. The stepwise approach to containment should consider the entire lifecycle of the affected devices, from initial discovery and isolation to the execution of a comprehensive remediation plan and subsequent monitoring for re-compromise. A coordinated effort across IT operations, security operations, and executive leadership is necessary to ensure that a robust response is carried out with appropriate oversight, resource allocation, and post-incident review to extract lessons learned for future protection.

To summarize detection and response guidance: use Ivanti’s ICT as part of a layered defense, but do not rely on it exclusively. Validate ICT findings with other monitoring tools, perform careful forensic analysis when indicators are present, and proceed with factory resets only after confirming the extent of compromise and the necessity of remediation. Implement a comprehensive upgrade verification process to prevent attacker manipulation of the upgrade chain, and enforce strict change control and security patch management for VPN appliances. Finally, consider additional measures such as hardening the client access layer, strengthening authentication for VPN access, and enhancing visibility into VPN sessions and credential use to deter future intrusions and improve the organization’s resilience against similar campaigns.

Operational and strategic implications for VPN deployments

The Ivanti VPN compromise emphasizes the importance of a robust, multi-layered security strategy for VPN deployments, particularly in environments where remote access plays a central role in daily operations. The attackers’ combination of remote code execution, backdoor deployment, upgrade deception, integrity-check evasion, and upgrade persistence demonstrates a sophisticated, multi-stage approach intended to maximize both access and stealth. This kind of threat demands more than routine patch management; it requires a comprehensive security program that aligns with modern best practices for VPN security, threat hunting, and incident response.

From a strategic perspective, organizations should implement continuous monitoring of VPN gateways to detect unusual or unauthorized activity. This includes scrutinizing VPN session patterns for anomalies such as unusual session durations, unexpected originating IP addresses, atypical access times, or anomalous API key usage associated with VPN management interfaces. It is essential to correlate VPN telemetry with authentication logs, system logs, and security event data to identify subtle, multi-faceted indicators of compromise that may not be evident through a single data source. Threat hunting should be a proactive activity, with teams looking for signs of post-exploitation behavior rather than waiting for alerts to trigger a response.
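Detection logic of the kind this paragraph describes, as an added example that is not code from the original article, from Ivanti or from Mandiant: it parses a constructed set of VPN gateway session records, compares each session against a constructed baseline policy, and emits one finding per deviation (unexpected source network, unusual duration, access outside business hours, and a management API key used from an untrusted network). The record format, field names, network ranges, hours and key ids are all assumptions; a real deployment would feed the gateway's actual session and management logs and correlate the findings with authentication and system logs as the text recommends.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// Constructed sample of VPN gateway session records (illustrative format, not Ivanti's):
// start (RFC 3339), user, source IP, duration in seconds, management API key id or "-".
const sampleSessions = `2025-01-06T09:12:00Z alice 203.0.113.10 1800 -
2025-01-06T02:47:00Z bob 198.51.100.77 43200 -
2025-01-06T14:05:00Z carol 203.0.113.22 600 admin-key-01
2025-01-06T03:30:00Z dave 192.0.2.99 300 admin-key-01`

type Session struct {
	Start    time.Time
	User     string
	SrcIP    net.IP
	Duration time.Duration
	APIKey   string // "-" when no management API key was used
}

type Policy struct {
	TrustedNets   []*net.IPNet    // networks sessions normally originate from
	MaxDuration   time.Duration   // longest session considered normal
	BusinessStart int             // first business hour, UTC (inclusive)
	BusinessEnd   int             // end of business hours, UTC (exclusive)
	AdminKeys     map[string]bool // API key ids with management privileges
}

type Finding struct{ User, Reason string }

func parseSessions(raw string) ([]Session, error) {
	var out []Session
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		start, errT := time.Parse(time.RFC3339, f[0])
		secs, errD := strconv.Atoi(f[3])
		ip := net.ParseIP(f[2])
		if errT != nil || errD != nil || ip == nil {
			return nil, fmt.Errorf("bad time, address or duration in %q", line)
		}
		out = append(out, Session{Start: start, User: f[1], SrcIP: ip,
			Duration: time.Duration(secs) * time.Second, APIKey: f[4]})
	}
	return out, nil
}

func inTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// detectAnomalies applies the checks the text lists: unexpected source, unusual
// duration, atypical access time, and management API key use from an untrusted source.
func detectAnomalies(sessions []Session, p Policy) []Finding {
	var out []Finding
	for _, s := range sessions {
		trusted := inTrusted(s.SrcIP, p.TrustedNets)
		if !trusted {
			out = append(out, Finding{s.User, "source " + s.SrcIP.String() + " outside trusted networks"})
		}
		if s.Duration > p.MaxDuration {
			out = append(out, Finding{s.User, "session duration " + s.Duration.String() + " exceeds baseline"})
		}
		if h := s.Start.UTC().Hour(); h < p.BusinessStart || h >= p.BusinessEnd {
			out = append(out, Finding{s.User, fmt.Sprintf("access at %02d:00 UTC, outside business hours", h)})
		}
		if p.AdminKeys[s.APIKey] && !trusted {
			out = append(out, Finding{s.User, "management API key " + s.APIKey + " used from untrusted source"})
		}
	}
	return out
}

func defaultPolicy() Policy {
	_, corp, _ := net.ParseCIDR("203.0.113.0/24") // constructed corporate egress range
	return Policy{TrustedNets: []*net.IPNet{corp}, MaxDuration: 8 * time.Hour,
		BusinessStart: 8, BusinessEnd: 19, AdminKeys: map[string]bool{"admin-key-01": true}}
}

func main() {
	sessions, err := parseSessions(sampleSessions)
	if err != nil {
		panic(err)
	}
	for _, f := range detectAnomalies(sessions, defaultPolicy()) {
		fmt.Println(f.User, f.Reason)
	}
}
```

On the sample above, alice and carol produce no findings (carol uses the management key, but from a trusted network during business hours), while bob and dave each produce three, and dave's combination of off-hours access from an untrusted address with a management key is the pattern worth escalating first. The checks are deliberately simple threshold rules; the value comes from running them continuously and joining the findings with other telemetry rather than from any single rule.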

Operationally, patch management should be intensified for VPN appliances, with a clear governance process to ensure timely deployment of security updates and verification that updated devices are functioning correctly after patching. Given the attackers’ capacity to persist across upgrades, organizations should consider mechanisms to minimize downtime and risk during upgrade windows, including pre-deployment testing in isolated environments that mirror production setups, detailed rollback plans, and strict controls around upgrade scripts and binaries. This reduces the risk that an upgrade could inadvertently propagate malicious changes if a device has been previously compromised.

Security teams should also strengthen software supply chain security related to VPN devices. Because attackers may tamper with upgrade components or sign modified manifests, ensuring the integrity and provenance of all upgrade content becomes a critical control. Implementing hardware-backed trust sources, verified firmware repositories, mutual code signing enforcement, and out-of-band validation can close gaps that attackers may exploit to maintain persistence and hide their presence. The goal is to create a trustworthy upgrade environment where any attempt to inject malicious payloads can be detected and blocked before it can affect production devices.
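The upgrade verification process called for in the detection summary above and the signed-manifest provenance check described in this paragraph can be demonstrated together. The following is an added example, not code from the original article or from Ivanti, and its manifest format, file names and contents are constructed (the file name dspkginstall comes from the article; example.so is a placeholder). It builds a manifest of SHA-256 digests, signs it with a stand-in vendor key, and verifies packages only against a public key the operator pinned out-of-band. It then reproduces, from the defender's side, the manipulation the article attributes to the attackers (a modified file, recalculated digests, and a manifest re-signed with a freshly generated key) and shows that the pinned-key check rejects it, whereas a verifier that trusted whatever key arrived with the package would accept it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed upgrade-package manifest (not Ivanti's format).
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // file name -> hex SHA-256 digest
}

// buildManifest records each file's digest; json.Marshal sorts map keys, so the encoding is deterministic.
func buildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: map[string]string{}}
	for name, content := range files {
		sum := sha256.Sum256(content)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// manifestDigest hashes the canonical JSON encoding (Marshal cannot fail for this type).
func manifestDigest(m Manifest) []byte {
	b, _ := json.Marshal(m)
	sum := sha256.Sum256(b)
	return sum[:]
}

// signManifest is the vendor-side step: RSA PKCS#1 v1.5 over the SHA-256 digest.
func signManifest(m Manifest, key *rsa.PrivateKey) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, manifestDigest(m))
}

// verifyPackage is the control: the signature must validate under a public key the operator
// pinned out-of-band (never one bundled with the package); only then are file digests compared.
func verifyPackage(m Manifest, sig []byte, files map[string][]byte, pinned *rsa.PublicKey) error {
	if err := rsa.VerifyPKCS1v15(pinned, crypto.SHA256, manifestDigest(m), sig); err != nil {
		return fmt.Errorf("manifest not signed by the pinned vendor key: %w", err)
	}
	if len(files) != len(m.Files) {
		return fmt.Errorf("package has %d files, manifest lists %d", len(files), len(m.Files))
	}
	for name, content := range files { // equal counts plus every file matching means the sets agree
		sum := sha256.Sum256(content)
		if hex.EncodeToString(sum[:]) != m.Files[name] {
			return fmt.Errorf("%s: digest mismatch or not listed in manifest", name)
		}
	}
	return nil
}

// newKey generates a 2048-bit RSA key (used for both the stand-in vendor key and the non-pinned key).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// runScenario reports whether a genuine package verifies, whether a package with an altered file,
// recalculated digests and a manifest re-signed under a different key is rejected under the pinned
// key, and whether that same package would pass if the verifier trusted the key bundled with it.
func runScenario() (genuineOK, alteredRejected, bundledKeyAccepts bool, err error) {
	vendorKey := newKey()          // stands in for the vendor's signing key
	pinned := &vendorKey.PublicKey // what the operator stores out-of-band
	files := map[string][]byte{    // constructed contents; names are illustrative only
		"dspkginstall": []byte("genuine installer script"),
		"example.so":   []byte("genuine shared library"),
	}
	manifest := buildManifest("22.7R2.5", files)
	sig, err := signManifest(manifest, vendorKey)
	if err != nil {
		return false, false, false, err
	}
	genuineOK = verifyPackage(manifest, sig, files, pinned) == nil

	altered := map[string][]byte{
		"dspkginstall": files["dspkginstall"],
		"example.so":   []byte("genuine shared library plus an unauthorized change"),
	}
	alteredManifest := buildManifest("22.7R2.5", altered) // digests recalculated to match
	otherKey := newKey()                                   // not the pinned key
	alteredSig, err := signManifest(alteredManifest, otherKey)
	if err != nil {
		return false, false, false, err
	}
	alteredRejected = verifyPackage(alteredManifest, alteredSig, altered, pinned) != nil
	bundledKeyAccepts = verifyPackage(alteredManifest, alteredSig, altered, &otherKey.PublicKey) == nil
	return genuineOK, alteredRejected, bundledKeyAccepts, nil
}
```

The design point is where the trust anchor lives: recomputing digests and re-signing a manifest is only effective against a verifier that accepts the signing key it is handed, so the pinned public key (or a hardware-backed trust root that attests to it) must be held outside the upgrade path, and the verification must run from a component the upgrade itself cannot rewrite. The file-count check matters as well, since a manifest that validates perfectly says nothing about files the package contains but never listed.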

Additionally, organizations should invest in user and administrator education about signs of compromise and the importance of timely patching. Since the campaign described involves deception around upgrade processes, administrator awareness is a key human factor in detecting anomalies early. Training should cover how to recognize abnormal upgrade prompts, how to verify upgrade authenticity, and how to escalate suspicious activity to the security team for rapid investigation. A well-informed administrative workforce is a critical line of defense against campaigns that leverage social and human factors to broaden the impact of cyber intrusions.

The broader security architecture should reflect the reality that VPN gateways represent a high-value, high-risk surface area. Implementing segmentation and least-privilege access around VPN management interfaces and the devices they protect can limit the blast radius if a compromise occurs. For example, restricting administrative access to VPN gateways to named administrators with time-bound privileges, logging all privileged actions, and requiring multi-factor authentication for admin access can significantly raise the cost and effort for attackers attempting to leverage VPN devices for persistent access.

The Ivanti incident underscores the importance of cross-vendor collaboration and information sharing in the security community. The defense-in-depth approach benefits from a combination of vendor advisories, public threat intelligence reports, and industry best practices. Organizations should establish connections with threat intelligence sources, participate in incident-sharing communities, and update security controls to reflect new indicators of compromise and evolving attacker TTPs. The incident also highlights that the threat landscape is dynamic, with attackers adapting to defensive measures and continuously seeking new avenues for exploitation, persistence, and data exfiltration. In this context, ongoing vigilance, proactive threat hunting, and rigorous incident response planning remain essential to maintaining a secure VPN-enabled perimeter.

In summary, organizations that rely on Ivanti’s VPN products should treat this campaign as a reminder that VPN security is not static. Patches, while essential, are only one piece of a broader strategy that must include comprehensive monitoring, robust integrity checks validated by multiple controls, secure upgrade practices, and a culture of proactive defense. The attackers’ multi-faceted approach—combining covert access, deception in upgrade flows, integrity-check evasion, persistence across upgrades, and data exfiltration—illustrates the evolving complexity of modern cyber threats and the need for a resilient, defense-in-depth posture to protect critical remote-access infrastructure.

Conclusion

Ivanti Connect Secure VPNs and related Ivanti security gateways are the subject of a highly resource-backed, targeted intrusion campaign that leverages a critical vulnerability to seize control of affected devices. The CVE-2025-0282 flaw enabled remote code execution without authentication, prompting Ivanti to release a patch that upgrades Connect Secure devices to version 22.7R2.5. Security researchers have observed active exploitation in the wild since mid-December, before the zero-day disclosure, indicating a well-planned operation that deployed new malware families DRYHOOK and PHASEJAM on compromised devices. PHASEJAM features a sophisticated Bash-based payload that installs a web shell for remote control and injects a function into the update flow to simulate an upgrade, masking malicious activity. The attackers also deployed SPAWNANT to disable the integrity-check tool, replacing SHA-256 hashes to create convincing, three-step screens that misrepresent the actual integrity status of the system, followed by a genuine ten-step verification.

SPAWNANT and its associated components can persist across system upgrades by hijacking the upgrade process via a modified dspkginstall flow, exporting a malicious snprintf function to enact persistence. The attackers also recalculate hashes for modified files and generate a new RSA key pair to sign a modified manifest, thus extending their foothold by ensuring that the upgrade process appears legitimate to verification tools. The ultimate objective appears to be the collection of sensitive data—VPN sessions, session cookies, API keys, certificates, and credentials—and attribution points to two China-nexus groups, UNC5337 and UNC5221 (the latter being a subgroup of the former). These actors are suspected of targeting organizations with high-value assets and sensitive data, underscoring the broader geopolitical dimension of the campaign.

Given the severity and sophistication of this operation, organizations using Ivanti VPNs should prioritize patch deployment, rigorous post-patch validation, and multi-layered monitoring to detect post-exploitation activity. Administrators should exercise caution when interpreting ICT results and may need to complement these checks with additional security monitoring and forensic analysis. If a compromise is detected, a factory reset of affected devices is recommended, but organizations should also consider a broader remediation strategy that includes device reimaging, firmware integrity verification, secure upgrade practices, and enhanced monitoring of VPN sessions and credential usage. The incident also reinforces the value of cross-vendor threat intelligence and proactive defense measures in safeguarding remote-access infrastructure, which remains a high-value target for sophisticated threat groups.

In short, the Ivanti VPN attack underscores the evolving threat landscape facing enterprise networks. Patches are essential but insufficient on their own; comprehensive, defense-in-depth strategies that combine patch management, integrity verification through multiple controls, secure upgrade processes, and proactive threat hunting are required to detect, contain, and eradicate advanced, post-exploitation activity. Organizations should take this incident as a catalyst for strengthening VPN security, improving incident readiness, and implementing robust controls to prevent similar intrusions in the future.
