Full Report
Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS). The malware, along with a web shell, was "installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024," JPCERT/CC researcher Yuma
Analysis Summary
# Incident Report: DslogdRAT Malware Deployment via Ivanti ICS Zero-Day
## Executive Summary
Multiple organizations in Japan were targeted around December 2024 by activity exploiting a then-unpatched zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure (ICS) appliances. The exploitation provided initial access to the appliance, after which a Perl web shell was installed and used to deploy the DslogdRAT remote access trojan, giving the actor persistent control of a perimeter VPN device. Ivanti patched the vulnerability in early January 2025; JPCERT/CC published its analysis of the malware in April 2025 and continues to track related exploitation alongside CISA.
## Incident Details
- **Discovery Date:** April 2025 (Reported by JPCERT/CC)
- **Incident Date:** Around December 2024
- **Affected Organization:** Organizations in Japan
- **Sector:** Unspecified in the source. Note that "ICS" here means Ivanti Connect Secure (a VPN appliance), not industrial control systems; the target set is any organization exposing the appliance to the internet.
- **Geography:** Japan
## Timeline of Events
### Initial Access
- **Date/Time:** Around December 2024
- **Vector:** Exploitation of Ivanti Connect Secure (ICS) zero-day vulnerability, CVE-2025-0282.
- **Details:** CVE-2025-0282 is a stack-based buffer overflow in ICS (fixed in 22.7R2.5) that allows an unauthenticated remote attacker to execute code on the appliance; no credentials or user interaction are required.
### Execution and Persistence
- **Details:** After the initial exploit, a Perl web shell was written to the appliance. The web shell gave the actor command execution over HTTP and was used to stage further payloads on the same device, including DslogdRAT. Movement beyond the appliance is not described in the source.
### Data Exfiltration/Impact
- **Details:** DslogdRAT opened a socket connection to an external command-and-control server, sent basic system information about the host, and then waited for tasking. Supported commands included executing shell commands, uploading and downloading files, and acting as a proxy, so the C2 channel could carry both stolen data and attacker traffic.
### Detection & Response
- **Detection:** JPCERT/CC researcher Yuma Masubuchi reported on the activity in April 2025.
- **Response Actions:** Ivanti addressed CVE-2025-0282 in early January 2025 with a patch (ICS 22.7R2.5). JPCERT/CC and CISA continue to analyze exploitation of the flaw and related tooling.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2025-0282 (Unauthenticated Remote Code Execution on Ivanti ICS).
- **Persistence:** A Perl web shell placed on the appliance, followed by installation of the DslogdRAT backdoor.
- **Privilege Escalation:** Not described in the source. The exploit executes code directly on the appliance, so no separate escalation step is reported.
- **Defense Evasion:** Exploitation of a zero-day meant no patch, signature, or vendor indicator existed at the time; the web shell and RAT also ran on an appliance where defenders typically have little host-level visibility.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** DslogdRAT initiated basic system information collection.
- **Lateral Movement:** Not described in the source; the web shell was used to stage additional payloads on the compromised appliance itself.
- **Collection:** Gathering of basic system information; file upload/download available on command from the C2 server.
- **Exfiltration:** Communication via socket connection to C2 servers for data transfer and command reception.
- **Impact:** Establishment of persistent backdoor (DslogdRAT) for remote control and potential data theft.
## Impact Assessment
- **Financial:** Not available.
- **Data Breach:** Basic system information was communicated to C2; capabilities existed for file upload/download, suggesting potential for broader data theft.
- **Operational:** Compromise of perimeter security devices (ICS appliances).
- **Reputational:** Potential impact due to public disclosure of a successful zero-day exploitation campaign.
## Indicators of Compromise
- **Network indicators:** Outbound socket connections from the ICS appliance to the DslogdRAT C2 server. Specific IPs or domains are not given in the source.
- **File indicators:** DslogdRAT malware, Perl web shell payload.
- **Behavioral indicators:** Suspicious outbound socket connections initiated by compromised Ivanti ICS appliances; system commands executed via web shell interface.
## Response Actions
- **Containment measures:** Apply the Ivanti fix for CVE-2025-0282 (released January 2025). Run Ivanti's Integrity Checker Tool (ICT) against every appliance; any appliance showing signs of compromise should be isolated, then factory reset and rebuilt on the patched version rather than patched in place, since patching does not remove implants already present.
- **Eradication steps:** Removal of the Perl web shell and DslogdRAT from affected appliances (in practice, via the rebuild above) and rotation of any credentials or certificates that passed through the compromised device.
- **Recovery actions:** Restore the appliance from a clean, patched image and confirm the patch level across the environment. Forensic review of preserved logs and disk images to establish which commands were executed and which files were transferred via the RAT.
## Lessons Learned
- The rapid exploitation of Ivanti ICS vulnerabilities highlights the critical risk associated with internet-facing management and VPN appliances.
- The use of zero-day CVE-2025-0282 for establishing initial access demonstrates sophisticated threat actor capability targeting widely used security solutions.
- The attack chained several components (vulnerability -> web shell -> RAT) to ensure persistence and functionality.
## Recommendations
- Immediately verify that every Ivanti Connect Secure appliance is on a version fixed for CVE-2025-0282 (22.7R2.5 or later) and review it for related vulnerabilities.
- Implement strict network segmentation to limit the impact of perimeter device compromise, preventing immediate lateral movement.
- Enhance external monitoring/logging on ICS devices to detect unusual file creation (e.g., Perl scripts) or unexpected outbound socket connections.
- Review historical logs from at least December 2024 onward for signs of C2 communication from ICS appliances, because exploitation predated the patch and threat actors often retain access after a fix is applied.
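The two behavioral indicators above (appliance-originated outbound sockets and unexpected script files on the device) can be hunted for mechanically. The following is an added example written for this report, not code from JPCERT/CC, Ivanti or the article; the appliance address, allowlist, log format, file paths and hashes are all constructed placeholders, and real file listings would come from Ivanti's Integrity Checker Tool output or a forensic image rather than from the device's own shell.

```python
"""Hunt for DslogdRAT-style behaviour in constructed sample data.

Added example for this report; all addresses, log lines, paths and
baselines below are assumptions, not indicators from the source.
"""
import hashlib
import ipaddress
from collections import Counter

# Assumed egress address of the ICS appliance and the few destinations it
# legitimately talks to (internal DNS and NTP here).
APPLIANCE_IPS = {"10.0.1.5"}
ALLOWED_EGRESS = {("10.0.0.53", 53), ("10.0.0.123", 123)}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines in a simple key=value form (not a vendor format).
SAMPLE_FW_LOGS = """\
ts=2024-12-12T09:01:10Z src=10.0.1.5 dst=10.0.0.53 dport=53 proto=udp action=allow
ts=2024-12-12T09:01:11Z src=10.0.1.5 dst=10.0.0.123 dport=123 proto=udp action=allow
ts=2024-12-12T09:03:42Z src=10.0.1.5 dst=203.0.113.77 dport=443 proto=tcp action=allow
ts=2024-12-12T09:03:43Z src=192.168.20.9 dst=198.51.100.8 dport=443 proto=tcp action=allow
ts=2024-12-12T21:15:00Z src=10.0.1.5 dst=203.0.113.77 dport=8443 proto=tcp action=allow
ts=2024-12-12T21:16:02Z src=10.0.1.5 dst=203.0.113.77 dport=8443 proto=tcp action=allow
"""


def parse_kv(line):
    """Parse one 'k=v k=v ...' line into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_egress(log_text, appliance_ips=APPLIANCE_IPS, allowlist=ALLOWED_EGRESS):
    """Return appliance-originated connections to external hosts not on the allowlist.

    A VPN appliance terminates inbound sessions; it should open outbound
    sockets only to a small, known set of services. Anything else is a lead.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_kv(line)
        if not {"src", "dst", "dport"}.issubset(fields):
            continue
        if fields["src"] not in appliance_ips:
            continue
        try:
            port = int(fields["dport"])
        except ValueError:
            continue
        if is_internal(fields["dst"]) or (fields["dst"], port) in allowlist:
            continue
        hits.append({"ts": fields.get("ts", ""), "dst": fields["dst"], "dport": port})
    return hits


def beacon_candidates(hits, min_count=2):
    """Destinations the appliance contacted repeatedly: C2 beaconing rather than a one-off."""
    counts = Counter((h["dst"], h["dport"]) for h in hits)
    return {key: n for key, n in counts.items() if n >= min_count}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed known-good baseline and a post-incident manifest (path -> sha256).
# Paths and contents are placeholders, not real ICS file locations.
BASELINE = {
    "/var/www/cgi-bin/login.cgi": sha256_hex(b"constructed legitimate login cgi"),
    "/var/www/cgi-bin/status.pl": sha256_hex(b"constructed legitimate status pl"),
}
CURRENT_MANIFEST = {
    "/var/www/cgi-bin/login.cgi": sha256_hex(b"constructed legitimate login cgi"),
    "/var/www/cgi-bin/status.pl": sha256_hex(b"constructed tampered status pl"),  # modified
    "/var/www/cgi-bin/unknown.pl": sha256_hex(b"constructed new perl file"),      # new script
    "/var/www/images/logo.png": sha256_hex(b"constructed image"),                # new, not a script
}
SCRIPT_EXTS = (".pl", ".cgi", ".sh", ".py")


def web_script_deviations(current, baseline, script_exts=SCRIPT_EXTS):
    """Return {path: 'new' | 'modified'} for script files that do not match the baseline."""
    deviations = {}
    for path, digest in current.items():
        if not path.endswith(script_exts):
            continue
        if path not in baseline:
            deviations[path] = "new"
        elif baseline[path] != digest:
            deviations[path] = "modified"
    return deviations


if __name__ == "__main__":
    egress = suspicious_egress(SAMPLE_FW_LOGS)
    for hit in egress:
        print("appliance egress:", hit)
    print("beacon candidates:", beacon_candidates(egress))
    print("script deviations:", web_script_deviations(CURRENT_MANIFEST, BASELINE))
```

On the constructed data the egress check flags three appliance-originated connections to 203.0.113.77 and ignores the workstation's traffic, the beacon filter narrows that to the destination contacted more than once, and the manifest check reports the altered `status.pl` and the new `unknown.pl` while ignoring the new image file. Against real data, feed it the firewall or NetFlow export for the appliance's address and the ICT or forensic-image file hashes, and treat every hit as a lead to confirm rather than a verdict.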