Ongoing Ivanti VPN Attacks Deliver Sneaky, Well-Written Malware That Masks Upgrades and Exfiltrates Data

Ivanti VPNs are under a highly resourced, ongoing campaign by skilled threat actors exploiting a critical vulnerability that grants full control over network-connected devices. The vulnerability, CVE-2025-0282, affects Ivanti’s Connect Secure VPN and related policy gateways, and a patch was released simultaneously with warnings that active exploitation was underway against some customers. The attackers leveraged this access to deploy two previously unseen malware families, DRYHOOK and PHASEJAM, on compromised devices, creating a dangerous foothold that enables remote control, persistence, and information theft. This evolving campaign has prompted significant attention from researchers and defenders, who warn that the combination of a zero-day and sophisticated post-exploitation tools raises the stakes for organizations relying on Ivanti’s VPN solutions for remote access and perimeter security.

Context and Vulnerability Landscape

The emergence of CVE-2025-0282 marks a critical moment in the cybersecurity landscape for enterprise VPN deployments. Ivanti disclosed the vulnerability, describing it as a flaw that allows attackers to execute malicious code without requiring authentication. In practical terms, this means an adversary with network access to a compromised device can take control of that device at the system level, enabling data exfiltration, credential theft, and further lateral movement within a protected network. The impact is especially pronounced for organizations that rely on Connect Secure for remote access, as well as for policy-secure gateways and Zero Trust Architecture (ZTA) components that are designed to enforce access policies and protect sensitive segments of an enterprise environment.

Ivanti’s patch—updating Connect Secure devices to version 22.7R2.5—was issued in tandem with the vulnerability disclosure. The patch aims to close the exploitation vector by hardening the affected components and preventing the remote execution of code by unauthenticated actors. Yet the existence of the bug had already triggered a period of active exploitation, with attackers surveying and compromising multiple Ivanti Connect Secure appliances since mid-December, according to comprehensive assessments by Mandiant, a Google-owned security firm well known for its in-depth incident response and malware intelligence.

The strategic significance of this campaign stems from several converging factors: first, the vulnerability’s ability to be exploited without authentication, creating a rapid, scalable attack surface; second, the attackers’ deployment of two novel malware families that exhibit both initial access and extended post-exploitation capabilities; and third, the attackers’ focus on maintaining stealth and persistence across device reboots and system upgrades. The attackers’ endgame appears focused on data collection and credential access rather than purely disruptive objectives, with implications for VPN sessions, API keys, certificates, and other sensitive material stored or accessible from compromised devices.

Malicious Tools and Capabilities

Two primary malware families emerged from the initial exploitation stage: DRYHOOK and PHASEJAM. These tools were observed on several compromised Ivanti Connect Secure devices, signaling a multi-stage attack that goes beyond a simple backdoor. The infection chain begins with the installation of a web shell-like component that provides the attackers with privileged, ongoing control over the infected device. This initial foothold establishes the attacker’s ability to command and control the system with elevated privileges, enabling stealthy manipulation of the device’s operating environment.

PHASEJAM stands out as a well-written and multifaceted bash shell script. Its primary functions include co-opting the device’s update mechanism to create a deceptive upgrade experience, while also introducing a remote-control web shell. A key described capability is the injection of a malicious function into Ivanti Connect Secure’s update flow—specifically targeting the DSUpgrade.pm module located in the /home/perl directory. This injected function, named processUpgradeDisplay(), is designed to simulate an upgrade sequence that the ICS administrator believes is authentic. The script presents a 13-step upgrade process, precisely timing each step and displaying a sequence of dots to convey progress. The result is a convincing user-facing experience that masks the true intent of the attack: the existence of a malicious upgrade alongside real upgrade activity.

This deception serves a dual purpose. First, it gives attackers legitimacy in the eyes of administrators who observe maintenance windows and upgrade events. Second, it creates a reliable mechanism to enable post-exploitation activities during what appears to be routine operational maintenance. The PHASEJAM toolkit also includes the ability to inject the function into the legitimate update flow, thereby hiding malicious actions within a familiar process. The overall effect is to facilitate covert persistence and reduce the likelihood that administrators will scrutinize upgrade screens for anomalies.

In addition to PHASEJAM, attackers continued to leverage a previously identified malware component known as SPAWNANT on compromised devices. SPAWNANT has a crucial function: it disables Ivanti’s recent integrity checker tool (ICT), which Ivanti ships to customers and administrators for surface-level detection of unauthorized changes to device files. SPAWNANT achieves this by substituting the expected SHA-256 hash of a core file with the hash of the infected variant. As a result, when the ICT runs, the tool presents a screen that appears to show the integrity check passing, listing three steps. This is a deliberate misdirection, as the genuine ICT screen would display ten steps. The visual discrepancy is intended to mislead administrators, creating a false sense of security while the malware remains active on the device.

Researchers noted that SPAWNANT’s technique of modifying file hashes blurs the line between legitimate software and malicious manipulation. The technique effectively fools the integrity checker, allowing the compromised system to continue operating under a façade of regularity. The end result is that administrators may be misled into believing integrity checks have succeeded, while in reality post-exploitation activity continues and the malware remains stealthily persistent. The relationship between SPAWNANT and the ICS upgrade flow is particularly notable: the attackers leverage the existing upgrade workflow to ensure the malware persists even as the system undergoes updates, thereby maintaining a stable foothold across upgrade cycles.

Integrity checks, while useful, are not a silver bullet. Ivanti has asserted that the ICT provides a snapshot of the appliance’s current state and cannot necessarily detect actor activity if a device has been returned to a clean state. The company has further cautioned that the ICT does not scan for malware or other indicators of compromise (IOCs). Consequently, Ivanti recommends that customers run the ICT in conjunction with other security monitoring tools to detect post-exploitation activity. This layered approach to defense is essential when dealing with sophisticated post-exploitation actors who seek to blend malicious behavior into routine maintenance workflows.

The attackers also pursued a series of cleanup and anti-forensic measures designed to erase traces of compromise and hinder retrospective analysis. After exploiting the vulnerability, they cleared kernel messages via the dmesg utility and removed entries from debug logs associated with the exploitation process. They deleted troubleshooting information packages, state dumps, and core dumps created during process crashes. They also erased application event log entries related to syslog failures, internal ICT failures, crash traces, and certificate handling errors, and they removed executed commands from the SELinux audit log. Taken together, these steps reflect a comprehensive approach to evading detection and hindering post-incident investigations.

Persistence beyond a single upgrade is another hallmark of the SPAWNANT approach. The attacker’s malware manipulates the upgrade workflow by hijacking the dspkginstall binary, a system utility used during upgrades. By exporting a malicious snprintf function that contains a persistence mechanism, SPAWNANT ensures that it is copied to the new upgrade partition, surviving system updates. In addition, the malware intercepts and circumvents the integrity checks by recalculating the SHA-256 hash for any modified files, thereby maintaining the believability of the integrity checker’s results. The attackers also generate a new RSA key pair to sign the modified upgrade manifest, a technique designed to maintain the chain of trust while inserting malicious components into the upgrade process. These persistence and evasion capabilities demonstrate a high level of operational sophistication aimed at long-term stealth.
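The hash-substitution evasion described above only works because the integrity checker trusts a manifest that lives on the same device the attacker controls. The following added example (not code from the page, Ivanti, or Mandiant) models that evasion on a constructed two-file tree and shows why a golden manifest captured from a known-clean install and kept off-device still catches the change; file contents and paths are stand-ins, and the real ICT manifest format is not reproduced.

```python
import hashlib
from typing import Dict, List, Tuple

Manifest = Dict[str, str]   # relative path -> hex SHA-256
Finding = Tuple[str, str]   # (path, reason)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Manifest:
    return {path: sha256_hex(data) for path, data in files.items()}

def verify(files: Dict[str, bytes], manifest: Manifest) -> List[Finding]:
    """Compare a file tree against a manifest; an empty list means the check passes."""
    findings: List[Finding] = []
    for path, expected in sorted(manifest.items()):
        if path not in files:
            findings.append((path, "missing"))
        elif sha256_hex(files[path]) != expected:
            findings.append((path, "hash mismatch"))
    for path in sorted(files):
        if path not in manifest:
            findings.append((path, "not in manifest"))
    return findings

def manifest_diff(golden: Manifest, on_device: Manifest) -> List[Finding]:
    """Entries whose recorded hash differs between the off-device and on-device manifests.
    A rewritten manifest entry is itself an indicator, independent of the file check."""
    return [(p, "manifest entry differs")
            for p in sorted(set(golden) | set(on_device))
            if golden.get(p) != on_device.get(p)]

# Constructed stand-in for a clean appliance tree (contents are placeholders, not real files).
CLEAN_FILES: Dict[str, bytes] = {
    "home/perl/DSUpgrade.pm": b"package DSUpgrade;\n# clean upgrade logic (placeholder)\n",
    "home/bin/dspkginstall": b"\x7fELF placeholder for the package installer\n",
}
# Golden manifest taken from the clean tree and stored OFF the device.
GOLDEN_MANIFEST: Manifest = build_manifest(CLEAN_FILES)

def spawnant_style_tamper(files: Dict[str, bytes]) -> Tuple[Dict[str, bytes], Manifest]:
    """Model the evasion: modify a core file, then rewrite the on-device manifest so it
    records the hash of the modified file. (Simulation only; no real malware logic.)"""
    tampered = dict(files)
    tampered["home/perl/DSUpgrade.pm"] += b"# simulated injected processUpgradeDisplay stub\n"
    return tampered, build_manifest(tampered)

def run_demo() -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """Returns (on-device check result, off-device check result, manifest drift)."""
    tampered, on_device_manifest = spawnant_style_tamper(CLEAN_FILES)
    local = verify(tampered, on_device_manifest)    # what a check trusting the device sees
    golden = verify(tampered, GOLDEN_MANIFEST)      # what an off-device check sees
    drift = manifest_diff(GOLDEN_MANIFEST, on_device_manifest)
    return local, golden, drift

if __name__ == "__main__":
    local, golden, drift = run_demo()
    print("on-device manifest check:", "PASS" if not local else local)
    print("golden manifest check:   ", "PASS" if not golden else golden)
    print("manifest drift:          ", drift)
```

The same reasoning applies to the signing key: a manifest signature is only evidence if the public key it is checked against is pinned off-device, not read from the appliance alongside the manifest.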

Data theft targets and objectives

The overarching objective of the attacks is to collect sensitive data from compromised devices and the network environment they connect to. Mandiant’s assessment highlights the potential for exfiltration of a range of critical assets, including VPN sessions, session cookies, API keys, certificates, and credential material. The attackers’ access to this kind of data can provide ongoing, authenticated access to protected resources, facilitate lateral movement, and enable broader espionage or targeted data collection campaigns. The nature of the data targeted aligns with typical espionage goals: access tokens and credentials enable continued access even if some controls are restored or devices are partially cleaned.

Attribution, actor intent, and industry risk

Mandiant has attributed the campaigns to two unknown groups, designated UNC5337 and UNC5221. The analysis suggests that UNC5221 is a subgroup of UNC5337, and both groups are linked to China-nexus espionage activity. The attribution to state-aligned or state-sponsored actors is a hallmark of high-resource campaigns that emphasize stealth, persistence, and data exfiltration across multiple devices and environments. The China-nexus label suggests geopolitical motivation and a broader strategic objective to harvest intelligence across sectors relying on Ivanti VPN solutions for remote access.

Given the attribution and the attacker’s toolset, organizations should treat Connect Secure VPN deployments as critical assets in need of heightened vigilance. The scope of potential impact includes sensitive network credentials, API keys, TLS certificates, and cookies that facilitate VPN session continuity. In practice, any organization using Ivanti Connect Secure or related policy gateways should assume a persistent, multi-staged compromise is possible if the patch is not yet applied or if monitoring gaps exist. The recommended posture is to prioritize detection and containment, with a readiness to coordinate with incident response teams and vendors to ensure comprehensive remediation and rapid recovery.

Defensive signals, detection guidance, and remediation

Defenders face a challenging task due to the attackers’ emphasis on stealth, misdirection, and persistence. The first line of defense, patching, remains essential. Ivanti’s 22.7R2.5 update for Connect Secure devices represents a critical fix, and any organization with vulnerable appliances should apply it promptly. However, patching alone does not guarantee eradication of all traces of compromise, especially when attackers have installed web shells, manipulated update processes, and created long-lived persistence mechanisms.

Security teams should implement a layered defense approach that combines preventive controls, detection, and post-exploitation monitoring. Key steps include:

  • Confirm patch deployment on all affected devices and verify that the upgrade path was completed without manipulation. Validate that the updated code paths no longer accept unauthenticated execution and that the save-state and update semantics align with the expected upgrade flow.
  • Run the Ivanti ICT in conjunction with external security monitoring tools to detect anomalies associated with post-exploitation activity. Remain aware that ICT has limitations and should be complemented by other telemetry sources, including endpoint detection and response (EDR), network traffic analysis, and log correlation across the environment.
  • Monitor for signs of manipulation of upgrade processes, including unexpected changes to scripts in /home/perl/DSUpgrade.pm and unusual function injections into the update path. Investigate any upgrade-related warnings or anomalies seen during routine maintenance windows.
  • Look for indicators of the anti-forensic techniques employed by SPAWNANT, such as unusual kernel log activity, unexpected gaps in dmesg output, missing or altered debug log entries, and evidence of log cleansing around syslog failures or certificate handling errors.
  • Audit and corroborate logs for commands that relate to upgrade workflows, the dspkginstall binary, and any modifications to hash calculations or RSA key management routines. Confirm the integrity of core binaries, and re-verify cryptographic signatures of legitimate upgrade packages.
  • Examine VPN session data, API keys, certificates, and credential material for signs of exfiltration or anomalous usage. If any suspicious access patterns or credential leaks are detected, escalate to incident response for containment and credential rotation.
  • Reset devices if infections are detected with credible evidence of compromise or if the toolchain indicates active exfiltration. Ivanti’s guidance includes performing a factory reset to ensure a clean slate after confirming the presence of compromise and ensuring system integrity.
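One concrete way to hunt for the log cleansing described above is to look for what deletion leaves behind in the SELinux audit log. This added example (not from the page or from Ivanti) assumes the appliance’s audit log is in standard Linux audit format, where every record of one event shares a serial number in msg=audit(epoch:serial) and serials increase monotonically, and that the appliance is x86_64 (so syscall=59 is execve); the sample log lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Linux audit record header: "type=<T> msg=audit(<epoch>.<ms>:<serial>): <body>".
# All records of one event (SYSCALL, EXECVE, PATH, ...) carry the same serial.
AUDIT_HDR = re.compile(r"type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):(.*)")

Records = Dict[int, List[Tuple[str, str]]]   # serial -> [(record_type, body), ...]

def parse_records(lines: List[str]) -> Records:
    """Group audit records by event serial, preserving file order within an event."""
    events: Records = {}
    for line in lines:
        m = AUDIT_HDR.match(line)
        if m:
            events.setdefault(int(m.group(3)), []).append((m.group(1), m.group(4)))
    return events

def serial_gaps(events: Records) -> List[Tuple[int, int]]:
    """Missing serial ranges between surviving events. Serials restart when auditd
    restarts, so a gap is a lead to corroborate with other telemetry, not proof."""
    serials = sorted(events)
    return [(a + 1, b - 1) for a, b in zip(serials, serials[1:]) if b > a + 1]

def orphaned_execve(events: Records) -> List[int]:
    """execve SYSCALL records whose EXECVE (command line) record is absent: the
    residue left when only the records that name executed commands are removed."""
    orphans = []
    for serial, recs in sorted(events.items()):
        is_exec = any(t == "SYSCALL" and " syscall=59 " in body for t, body in recs)
        if is_exec and not any(t == "EXECVE" for t, _ in recs):
            orphans.append(serial)
    return orphans

def hunt(lines: List[str]) -> Dict[str, list]:
    events = parse_records(lines)
    return {"gaps": serial_gaps(events), "orphaned_execve": orphaned_execve(events)}

# Constructed sample: events 1003-1005 have been removed entirely, and event 1006
# has lost its EXECVE record. Event 1007 is a plain open() of DSUpgrade.pm.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1736419200.101:1001): arch=c000003e syscall=59 success=yes exe="/bin/sh"
type=EXECVE msg=audit(1736419200.101:1001): argc=2 a0="sh" a1="-c"
type=SYSCALL msg=audit(1736419203.410:1002): arch=c000003e syscall=59 success=yes exe="/usr/bin/cat"
type=EXECVE msg=audit(1736419203.410:1002): argc=2 a0="cat" a1="/etc/hostname"
type=SYSCALL msg=audit(1736419260.002:1006): arch=c000003e syscall=59 success=yes exe="/bin/dmesg"
type=SYSCALL msg=audit(1736419261.900:1007): arch=c000003e syscall=2 success=yes exe="/usr/bin/perl"
type=PATH msg=audit(1736419261.900:1007): name="/home/perl/DSUpgrade.pm" nametype=NORMAL
""".splitlines()

if __name__ == "__main__":
    print(hunt(SAMPLE_AUDIT_LOG))
```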

Beyond direct remediation, organizations should adopt broader risk-management practices. Network segmentation and least-privilege policies for remote access reduce the blast radius of any future compromise. Regular, automated vulnerability scanning and inventory management help ensure that all Connect Secure appliances receive timely updates. Security teams should align detection strategies with a multi-horizon approach that includes proactive threat hunting, signature-based and behavior-based detection, and anomaly detection for upgrade flows, log integrity, and script modification indicators.

Operational risk considerations for the industry

The Ivanti VPN vulnerability and accompanying post-exploitation toolkit highlight several important considerations for industrial and enterprise security operations. The combination of a critical unauthenticated remote code execution vulnerability, sophisticated post-exploitation tooling, and the ability to persist across system upgrades creates an elevated risk profile for organizations that depend on VPN-based remote access. The threat actors’ apparent focus on espionage and data collection underscores the strategic importance of protecting sensitive credentials, session tokens, and digital certificates.

In sectors with heavy use of remote access, including manufacturing, energy, healthcare, finance, and critical infrastructure, the risk posture is heightened. The exposure of VPN credentials and API keys can enable unauthorized access to internal resources, compromising not only individual devices but also broader networks and operational technology (OT) environments. The potential for exfiltration of VPN sessions and related credentials is particularly concerning in environments where remote connections are abundant and where dashboards, administrative consoles, and APIs are accessible from gateway devices.

Organizations should prioritize monitoring for indicators of compromise that reflect the described attack sequence, including anomalous upgrade behavior, modifications to the DSUpgrade.pm upgrade display logic, unexpected web shells, and suspicious activity around the Ivanti ICT. It is crucial to maintain an up-to-date asset inventory, enforce strict change control for upgrade workflows, and ensure that any automated processes that touch the update pathway are validated and auditable.

Technical deep-dive: attack chain, artifacts, and defense gaps

A detailed understanding of the attack chain helps defenders identify potential ingress points and weak points in the defense-in-depth strategy. The chain begins with the exploitation of CVE-2025-0282, enabling unauthenticated remote code execution on vulnerable devices. Once footholds are established, attackers deploy PHASEJAM to inject malicious logic into the upgrade process and to establish a persistent, privileged web shell for remote control. The upgrade-process deception, with the 13-step display and dot-sequenced progress, is a notable example of user-interface deception designed to integrate malware activity into expected maintenance events.

The SPAWNANT component contributes to the attackers’ stealth and persistence by undermining the integrity-checking process. By falsifying the ICT results, the attackers create a false sense of security while continuing to operate with malicious artifacts on the device. The defense gap here is twofold: first, an overreliance on a single integrity-check tool without corroborating evidence from other telemetry sources can create blind spots; second, the ability to persist across upgrades means that new, clean installations could still harbor residual malware if the remediation steps are not comprehensive.

Defenders should examine both endpoint-based indicators and network-based indicators. On endpoints, suspicious changes to key files in /home/perl, the presence of a web shell with elevated privileges, and anomalies in upgrade logic are important signals. On the network side, watch for unusual upgrade-related traffic patterns, unexpected outbound connections corresponding to the compromised device’s control channel, and abnormal data flows that correspond to exfiltration behavior. A robust defense requires a combination of patching, rigorous monitoring, and thorough incident response playbooks that align with the full attack sequence from initial exploitation to data exfiltration.

Impact assessment and organization-wide implications

The ongoing Ivanti VPN campaign holds significant implications for organizations that rely on remote access to critical resources. The ability to compromise VPN devices and harvest sensitive materials—such as VPN sessions and credentials—presents a real risk to both enterprise security and operational continuity. The threat actors’ emphasis on persistence across upgrades means that even legitimate maintenance cycles may not remove the threat, underscoring the importance of comprehensive remediation and verification after any patch deployment.

From a governance and policy perspective, the incident reinforces the need for robust patch management programs that can rapidly respond to critical vulnerabilities. It also emphasizes the importance of multi-layered security monitoring that integrates endpoint detection, application-level telemetry, and network analytics. Organizations should consider strengthening supply chain risk management around VPN vendors, conducting regular tabletop exercises that incorporate firmware and software update workflows, and ensuring that incident response teams are prepared to address complex post-exploitation scenarios that cross device, network, and application boundaries.

Influence on best practices and future security posture

In the wake of this campaign, security professionals are likely to reassess best practices around remote-access security, upgrade integrity, and post-exploitation detection. The convergence of authentic-looking upgrade experiences with malicious code execution demonstrates how attackers can exploit user trust and routine maintenance routines to normalize malicious activity. The lessons are clear: never assume that a maintenance window is risk-free, and always validate that upgrade processes align with the legitimate vendor’s published behavior. In addition, reliance on a single defensive control, such as ICT alone, should be avoided in favor of a layered approach that combines integrity checks with comprehensive telemetry, anomaly detection, and independent verification processes.

Conclusion

The ongoing campaign against Ivanti Connect Secure VPN devices demonstrates how a critical vulnerability can be exploited through sophisticated, multi-stage malware that blends deception, persistence, and data theft. The combined use of DRYHOOK, PHASEJAM, and SPAWNANT shows that threat actors are prepared to exploit every facet of a security workflow—from update mechanisms and integrity checks to log handling and system upgrades—to achieve long-term access and data exfiltration. The attribution to two China-nexus groups underscores the geopolitical dimension of modern cybersecurity threats, especially in environments where remote access is essential to operations.

For organizations affected by or potentially exposed to CVE-2025-0282, the path forward is clear: apply the patch (22.7R2.5) promptly; implement layered security monitoring that combines Ivanti’s ICT with broader telemetry; investigate upgrade processes for signs of manipulation; be vigilant for anti-forensic activity such as log cleansing and hash manipulation; and prepare for rapid containment, factory resets when necessary, and credential rotation to mitigate data exposure. The incident also reinforces the importance of governance and risk management around VPN deployments, including robust patch programs, proactive threat hunting, network segmentation, and enterprise-wide incident response readiness.

In this evolving threat landscape, defenders must remain vigilant, informed, and prepared to adapt to new techniques as threat actors continue to refine their tools and tactics. The Ivanti VPN incident is a stark reminder that the most dangerous breaches often begin with a vulnerability, proceed through targeted exploitation and persistence, and culminate in strategic data access that can reshape an organization’s risk posture for years to come.