In late March, TeamT5 detected that a China-nexus APT group had exploited a critical vulnerability in Ivanti Connect Secure VPN appliances to infiltrate multiple entities around the globe. The victims span nearly twenty industries across twelve countries. We believe that the actor still maintained control over the victims' networks at the time of analysis.
Victimology
The victim countries include Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States. The targeted industries include Automotive, Chemical, Conglomerate, Construction, Information Security, Education, Electronics, Financial Institution, Gambling, Government, Intergovernmental Organizations (IGO), Information Technology, Law Firm, Manufacturing, Materials, Media, Non-Governmental Organizations (NGOs), Research Institute, Telecommunication.
Threat Details
Our analysis assessed with high confidence that the actor was exploiting vulnerabilities in Ivanti Connect Secure VPN appliances to launch attacks around the globe. The actor may have exploited CVE-2025-0282[1] or CVE-2025-22457[2] to gain initial access.
Both CVE-2025-0282 and CVE-2025-22457 are stack-based buffer overflow vulnerabilities in Ivanti Connect Secure VPN, each with a CVSS score of 9.0. Successful exploitation allows an unauthenticated remote attacker to achieve remote code execution on the appliance, leading to intrusion into the internal network and malware implantation.

In the attack, the actor deployed SPAWNCHIMERA, a weapon shared among Chinese threat groups. SPAWNCHIMERA is developed specifically for Ivanti Connect Secure VPN and combines all the functionality of the notorious SPAWN family: SPAWNANT (installer), SPAWNMOLE (SOCKS5 tunneler), SPAWNSNAIL (SSH backdoor), and SPAWNSLOTH (log wiper).
Moreover, our analysis suggests that other threat actors may also have obtained the vulnerability information and started campaigns targeting Ivanti VPN appliances. We have observed mass exploitation attempts against Ivanti VPN appliances since April. Although most attempts failed, many Ivanti VPN appliances were left paralyzed or unstable. This is consistent with a failed stack buffer overflow: the attempt does not yield code execution but still corrupts the stack and crashes the targeted process, so even unsuccessful exploitation is service-affecting.
TeamT5 strongly recommends that affected organizations conduct a thorough incident investigation. Given the actor's versatile TTPs, such as multi-layered C2 infrastructure, evasion of monitoring mechanisms, and use of a log wiper, detecting the actor's traces inside the network is challenging without additional technical support. In particular, because SPAWNSLOTH tampers with appliance logs, the absence of suspicious entries on the appliance itself is not evidence of absence; the investigation should also draw on telemetry collected outside the appliance, such as network traffic to and from it.
Contact us for assistance - https://teamt5.org/en/contact-us/.
[1] CVE-2025-0282
[2] CVE-2025-22457