Full Report
A new wave of attacks targeting Ivanti Connect Secure VPN devices has revealed a stealthy malware strain known as DslogdRAT, deployed alongside a simple but effective Perl web shell. Security researchers at JPCERT/CC identified these infections during a forensic investigation into exploitation of CVE-2025-0282, a zero-day vulnerability abused in December 2024 attacks on Japanese organizations.

DslogdRAT Initial Access via Lightweight Web Shell

The attackers first deployed a Perl CGI script as a web shell. The script checks the value of a specific cookie and, when that value matches a hardcoded token, runs the command supplied in the request. This barebones backdoor gave the attackers remote command execution on compromised Ivanti devices and likely served as the launchpad for deploying DslogdRAT.

Once launched, DslogdRAT establishes persistence through a multi-process design. The main process spawns a child and exits; that first child enters a persistent loop and creates a second child tasked with command-and-control (C2) communication. This core process uses the pthread library to run a dedicated thread for talking to the remote C2 server. The communication routine retrieves configuration data, manages sockets, and handles commands received from the attacker. According to JPCERT/CC's analysis, the C2 traffic is XOR-encoded in 7-byte blocks, using the keys 0x01 through 0x07.

Malware Configuration: Operating Hours and C2 Details

The DslogdRAT binary contains hardcoded, XOR-encoded configuration data. After decoding it, the researchers found settings tailored for evasion and operational control. For example, the malware is programmed to be active only between 8:00 AM and 2:00 PM, likely to blend in with normal business activity and evade anomaly detection tools.
Key configuration details include:
- C2 server IP: 3.112.192[.]119
- Port: 443
- Command shell: /bin/sh
- Proxy setup: 127.0.0.1, user: admin, password: admin
- Thread and file references: /home/bin/dslogd, [kworker/0:02]

The design shows clear intent to avoid detection and maintain a foothold while operating within seemingly normal traffic windows. The [kworker/0:02] name mimics a Linux kernel worker thread so that the process blends into a routine process listing.

Capabilities: From Shell Execution to Full Proxy Support

DslogdRAT handles a wide range of functions: uploading and downloading files, executing shell commands, and serving as a proxy tunnel, which lets the operator pivot to other hosts or exfiltrate data through the compromised appliance. Supported command values include:
- File transfers: 0x4, 0x8, 0xA
- Shell operations: 0xC to 0xE
- Proxy services: 0x13 to 0x18
- Forwarding and redirection: 0x28, 0x29

During initial C2 contact, the malware sends a system fingerprint in a structured packet of encoded host information, built for parsing by the operator's server-side tooling.

Overlap with SPAWNSNARE Malware

Researchers also observed the SPAWNSNARE backdoor on the same compromised systems. That malware, linked to the Chinese threat actor UNC5221, had been disclosed by both Google and CISA in April 2025. No direct attribution links DslogdRAT to the same actor, but the concurrent presence of both strains suggests possible coordination or toolset sharing.

Security Advisory and Outlook

Japan's JPCERT/CC and the U.S. CISA have issued alerts about vulnerabilities affecting Ivanti Connect Secure, most recently CVE-2025-22457. These incidents are part of a broader wave of state-aligned cyber activity targeting edge devices and VPN appliances, favored because they sit on the network perimeter, terminate remote access, and are often patched late.
Organizations using Ivanti Connect Secure are urged to apply available patches immediately, conduct forensic reviews of their appliances, and monitor for known indicators of compromise (IoCs), including:
- Malware hash (SHA-256): 1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8
- Web shell path: /home/webserver/htdocs/dana-na/cc/ccupdate.cgi
- C2 IP: 3.112.192[.]119

The DslogdRAT case shows a layered and disciplined intrusion strategy built on zero-day flaws in Ivanti systems. With a restricted operating window, encoded communications, and a modular command set, the malware reflects the continuing evolution of stealth-focused post-exploitation tooling. As exploitation of Ivanti vulnerabilities continues, defenders must prioritize threat hunting on these appliances and network segmentation behind them to limit lateral movement.
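The report describes the XOR scheme for both the embedded configuration and the C2 traffic only in outline (7-byte blocks, keys 0x01 to 0x07). The following codec is an added example written for this page, not JPCERT/CC's or the malware's own code. It assumes the natural reading of that description, that byte i of each block is XORed with key i+1, and the pipe-separated configuration layout is a construction built only from the values listed above; the real binary's layout is not given on the page. The phase-scanning search is the part a practitioner needs: a blob embedded in a binary or memory dump need not start on a 7-byte boundary.

```python
"""XOR7 codec and dump scanner for the encoding JPCERT/CC describes for DslogdRAT.
Added example for this page; key-position interpretation and config layout are assumptions."""

KEY_BLOCK = bytes(range(0x01, 0x08))  # 0x01 .. 0x07, one key byte per block position


def xor7_from(data: bytes, phase: int = 0) -> bytes:
    """XOR `data` with the repeating 7-byte key, starting at key position `phase`.
    XOR is its own inverse, so one function both encodes and decodes."""
    return bytes(b ^ KEY_BLOCK[(phase + i) % 7] for i, b in enumerate(data))


def xor7(data: bytes) -> bytes:
    """Encode/decode a buffer that starts on a block boundary (phase 0)."""
    return xor7_from(data, 0)


# Constructed sample: the report's decoded values joined with '|' (layout assumed).
SAMPLE_CONFIG = b"|".join([
    b"3.112.192.119", b"443", b"/bin/sh",        # C2 IP, port, command shell
    b"127.0.0.1", b"admin", b"admin",             # proxy host, user, password
    b"/home/bin/dslogd", b"[kworker/0:02]",       # file path, process name
])
CONFIG_FIELDS = ["c2_ip", "c2_port", "shell", "proxy_host", "proxy_user",
                 "proxy_pass", "path", "proc_name"]


def parse_config(plain: bytes) -> dict[str, str]:
    """Split an already-decoded config (SAMPLE_CONFIG layout) into a field dict."""
    values = plain.split(b"|")
    return dict(zip(CONFIG_FIELDS, (v.decode("ascii", "replace") for v in values)))


def decode_config(blob: bytes, phase: int = 0) -> dict[str, str]:
    """Decode an XOR7-encoded config blob whose first byte used key phase `phase`."""
    return parse_config(xor7_from(blob, phase))


def find_encoded(buf: bytes, needle: bytes) -> list[tuple[int, int]]:
    """Locate `needle` inside `buf` in XOR7-encoded form, under any of the 7 key phases.
    Returns (offset, phase) pairs; pass them to decode_at() to recover the surrounding data."""
    hits = []
    for phase in range(7):
        enc = xor7_from(needle, phase)
        start = 0
        while (pos := buf.find(enc, start)) != -1:
            hits.append((pos, phase))
            start = pos + 1
    return sorted(hits)


def decode_at(buf: bytes, pos: int, phase: int, length: int) -> bytes:
    """Decode `length` bytes of `buf` at `pos`, whose first byte used key phase `phase`."""
    return xor7_from(buf[pos:pos + length], phase)


if __name__ == "__main__":
    # Constructed dump: a few filler bytes, then the encoded config at a non-aligned offset.
    dump = b"\x7fELF" + b"\x00" * 7 + xor7(SAMPLE_CONFIG)
    for pos, phase in find_encoded(dump, b"3.112.192.119"):
        print(f"encoded C2 IP at offset {pos}, key phase {phase}")
        print(parse_config(decode_at(dump, pos, phase, len(SAMPLE_CONFIG))))
```

Search a dump for the known plaintexts (the C2 IP, `/bin/sh`, `/home/bin/dslogd`) rather than for raw encoded bytes: because the key repeats every seven bytes, each plaintext has only seven possible encodings, and a hit also tells you the phase needed to decode the bytes around it.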
Analysis Summary
# Tool/Technique: DslogdRAT
## Overview
DslogdRAT is a remote access trojan that JPCERT/CC found on Ivanti Connect Secure appliances while investigating exploitation of the zero-day CVE-2025-0282 (December 2024 attacks on Japanese organizations). It was deployed alongside a Perl web shell and is built for stealthy post-exploitation use once the edge device has been compromised: a restricted daily operating window, XOR-encoded configuration and C2 traffic, a kernel-thread-like process name, and a command set covering file transfer, shell execution and proxying.
## Technical Details
- Type: Malware family (RAT)
- Platform: Ivanti Connect Secure appliances (Linux-based; the sample uses /bin/sh, pthread and a kernel-worker-style process name)
- Capabilities: Remote command execution via /bin/sh, file upload/download, proxy tunnelling and traffic forwarding, XOR-encoded configuration and C2 traffic, time-windowed operation, process-name masquerade.
- First Seen: December 2024 (attacks on Japanese organizations exploiting CVE-2025-0282); analysed publicly by JPCERT/CC in April 2025, the same month Google and CISA disclosed SPAWNSNARE.
## MITRE ATT&CK Mapping
*Note: The mapping is inferred from the behaviour the JPCERT/CC report describes; the report itself does not publish ATT&CK IDs.*
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (CVE-2025-0282 in the Ivanti Connect Secure appliance)
- **TA0003 - Persistence**
- T1505.003 - Server Software Component: Web Shell (Perl CGI at the ccupdate.cgi path)
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell (/bin/sh is the configured command shell)
- **TA0005 - Defense Evasion**
- T1036.005 - Masquerading: Match Legitimate Name or Location (process named [kworker/0:02])
- T1027 - Obfuscated Files or Information (XOR-encoded embedded configuration)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (C2 over port 443)
- T1001 - Data Obfuscation (7-byte XOR encoding of C2 traffic)
- T1090 - Proxy (proxy and forwarding command groups)
- T1105 - Ingress Tool Transfer (file download commands)
## Functionality
### Core Capabilities
- **Initial Access:** Deployed after exploitation of CVE-2025-0282 in Ivanti Connect Secure, through a Perl CGI web shell that executes commands when a request carries a cookie matching a hardcoded token. (CVE-2025-22457 is a separate, later Connect Secure flaw covered by the CISA and JPCERT/CC alerts; the article does not tie DslogdRAT to it.)
- **Persistence:** Multi-process layout: the launcher forks a child and exits, the child loops and spawns the C2 process, and that process runs the C2 routine in a dedicated pthread thread.
- **Command Execution:** Runs operator commands through /bin/sh (command values 0xC to 0xE).
- **File Transfer:** Uploads and downloads files (command values 0x4, 0x8, 0xA).
- **Encoded Communications:** C2 traffic is XOR-encoded in 7-byte blocks with keys 0x01 to 0x07; the embedded configuration is XOR-encoded as well.
### Advanced Features
- **Proxy and Forwarding:** Acts as a proxy tunnel (0x13 to 0x18) and forwards or redirects traffic (0x28, 0x29), enabling pivoting and exfiltration through other compromised assets; the configuration carries a 127.0.0.1 proxy with admin/admin credentials.
- **Stealth Focus:** Active only between 8:00 AM and 2:00 PM, names its process [kworker/0:02] to resemble a kernel worker thread, and sends an encoded host fingerprint on first C2 contact.
## Indicators of Compromise
- File Hashes: SHA256: `1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8`
- File Names: `/home/bin/dslogd` (RAT binary); `/home/webserver/htdocs/dana-na/cc/ccupdate.cgi` (Perl web shell)
- Registry Keys: N/A (Linux-based appliance)
- Network Indicators: C2 IP: `3[.]112[.]192[.]119` (Defanged), TCP port 443
- Behavioral Indicators: a process named `[kworker/0:02]` that is not a kernel thread; outbound sessions to the C2 address confined to the reported 8:00 AM to 2:00 PM window; the web shell at the path above; a local proxy on 127.0.0.1 with admin/admin credentials
## Associated Threat Actors
- The SPAWNSNARE backdoor, found on the same compromised systems, is linked to the Chinese threat actor UNC5221 and was disclosed by Google and CISA in April 2025. The article stresses that *no direct attribution links DslogdRAT to the same actor*; the overlap suggests possible coordination or toolset sharing, and the activity fits the broader pattern of state-aligned targeting of edge devices.
## Detection Methods
- Signature-based detection: the SHA-256 hash of the binary, the web shell path, and the C2 IP and port.
- Behavioral detection: processes named like kernel workers (`[kworker/...]`) whose parent is not kthreadd or that have a user-space executable; unexpected CGI files or modifications under the web server document root (`/home/webserver/htdocs/dana-na/`); outbound TCP/443 sessions from the appliance that belong to none of its normal services, especially ones that recur only in a fixed daily window; CGI scripts that read the `Cookie` header and pass request data to a command-execution primitive.
- YARA rules: Not provided in the article.
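The IoC list in the report and the behavioral checks above are a natural fit for a small host-side hunt. What follows is an added example written for this page, not JPCERT/CC tooling: the process, socket and file records are constructed to look like parsed `ps -eo pid,ppid,comm` plus `/proc/<pid>/exe` and `ss -tnp` output, and the Perl snippet used to exercise the web shell heuristic is a constructed stand-in with a made-up token, not the real shell. How you collect the records from a Connect Secure appliance depends on your forensic workflow.

```python
"""Host-side hunt for the DslogdRAT indicators the report lists.
Added example for this page; sample records and the Perl snippet are constructed."""
import hashlib
import re
from dataclasses import dataclass

C2_IP, C2_PORT = "3.112.192.119", 443
WEBSHELL_PATH = "/home/webserver/htdocs/dana-na/cc/ccupdate.cgi"
IOC_SHA256 = "1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8"
DSLOGD_PATH = "/home/bin/dslogd"
KTHREADD_PID = 2  # every genuine kworker is a child of kthreadd


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    exe: str  # readlink of /proc/<pid>/exe; "" for kernel threads, which have none


@dataclass
class Sock:
    pid: int
    remote_ip: str
    remote_port: int


def hunt_processes(procs: list[Proc]) -> list[tuple[int, str]]:
    """Flag the kernel-thread masquerade and the reported binary path.
    A real kworker is a kernel thread: its parent is kthreadd and it has no
    user-space executable. A kworker-named process that breaks either rule is
    the DslogdRAT pattern ([kworker/0:02])."""
    findings = []
    for p in procs:
        name = p.comm.strip("[]")  # ps brackets kernel threads; a masquerade may hard-code the brackets
        if name.startswith("kworker/") and (p.ppid != KTHREADD_PID or p.exe):
            findings.append((p.pid, f"kworker-named process with ppid={p.ppid} exe={p.exe!r}"))
        if p.exe == DSLOGD_PATH:
            findings.append((p.pid, f"executable is {DSLOGD_PATH}"))
    return findings


def hunt_sockets(socks: list[Sock]) -> list[tuple[int, str]]:
    """Exact match on the reported C2 endpoint."""
    return [(s.pid, f"connection to {s.remote_ip}:{s.remote_port}")
            for s in socks if (s.remote_ip, s.remote_port) == (C2_IP, C2_PORT)]


# Web shell heuristic: a CGI that reads the Cookie header and hands data to a
# command-execution primitive (system/exec/backticks/pipe-open) in Perl.
COOKIE_RE = re.compile(r"HTTP_COOKIE")
EXEC_RE = re.compile(r"\bsystem\s*\(|\bexec\s*\(|`[^`]*\$[^`]*`|\bopen\s*\([^)]*\|")


def hunt_file(path: str, data: bytes) -> list[tuple[str, str]]:
    """Exact IoC hits (path, SHA-256) plus the cookie-gated web shell heuristic,
    which also catches a copy of the shell dropped under another name."""
    findings = []
    if path == WEBSHELL_PATH:
        findings.append((path, "known web shell path"))
    if hashlib.sha256(data).hexdigest() == IOC_SHA256:
        findings.append((path, "SHA-256 matches the reported DslogdRAT sample"))
    text = data.decode("utf-8", "replace")
    if path.endswith(".cgi") and COOKIE_RE.search(text) and EXEC_RE.search(text):
        findings.append((path, "CGI reads HTTP_COOKIE and executes commands"))
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", ""),
    Proc(17, 2, "kworker/0:2", ""),                # genuine kernel worker
    Proc(18, 2, "[kworker/1:1]", ""),              # genuine, bracketed as ps prints it
    Proc(4120, 1, "[kworker/0:02]", DSLOGD_PATH),  # constructed masquerade; parent already exited
    Proc(900, 1, "sshd", "/usr/sbin/sshd"),
]
SAMPLE_SOCKS = [Sock(4120, C2_IP, 443), Sock(900, "10.0.0.5", 22)]
SAMPLE_CGI = b"""#!/usr/bin/perl
my $cookie = $ENV{'HTTP_COOKIE'};
if ($cookie =~ /tok=(\\w+)/ and $1 eq 'example-token') {  # constructed token, not the real one
    print `$ENV{'QUERY_STRING'}`;
}
"""


def run_hunt() -> list[tuple[object, str]]:
    """Run every check over the sample data and return the combined findings."""
    return (hunt_processes(SAMPLE_PROCS) + hunt_sockets(SAMPLE_SOCKS)
            + hunt_file(WEBSHELL_PATH, SAMPLE_CGI))


if __name__ == "__main__":
    for subject, why in run_hunt():
        print(f"{subject}: {why}")
```

The process check is the one worth keeping after the specific IoCs age out: the kworker name is only convincing in a bare `ps` listing, and comparing parent PID and `/proc/<pid>/exe` against what a kernel thread can have exposes any user-space process wearing it, whatever the numbers after the slash.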
## Mitigation Strategies
- Apply Ivanti's patches for Connect Secure immediately, covering CVE-2025-0282 and the later CVE-2025-22457.
- Conduct forensic reviews of affected appliances.
- Monitor networks for known Indicators of Compromise (IoCs).
- Implement threat hunting focused on perimeter devices.
- Prioritize network segmentation to limit lateral movement potential.
## Related Tools/Techniques
- SPAWNSNARE backdoor (attributed to UNC5221), observed on the same compromised appliances.
- Perl CGI web shell gated by a cookie token, used as the initial foothold.
- CVE-2025-0282 (exploited as a zero-day in December 2024) and CVE-2025-22457 (subject of the April 2025 CISA and JPCERT/CC alerts) in Ivanti Connect Secure.
- Exploitation techniques targeting edge devices and VPN appliances.