Introduction

A Chinese Advanced Persistent Threat (APT) group [1] [2], identified as UNC5221 and linked to the Chinese government [1], has been exploiting critical vulnerabilities in Ivanti Connect Secure VPN appliances [1]. This exploitation has facilitated the deployment of sophisticated malware [1], leading to unauthorized access and significant data breaches across multiple industries and countries.

Description

A Chinese Advanced Persistent Threat (APT) group [1] [2], identified as UNC5221 and linked to the Chinese government [1], has exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances [1], specifically CVE-2025-0282 and CVE-2025-22457 [1], both stack-based buffer overflows rated CVSS 9.0 [1]. Exploitation gives an unauthenticated attacker Remote Code Execution (RCE) on the appliance, which the group has used to deploy the SPAWNCHIMERA malware suite [1] and establish covert, persistent access to the networks behind it [1].

The campaign, active since late March 2025 [1], has targeted organizations across 12 countries [1], including the UK [1] [2], US [1], Austria [1], Australia [1], France [1], Spain [1] [3], Japan [1], South Korea [1], the Netherlands [1], Singapore [1], Taiwan [1], and the UAE [1], affecting various industries such as government [1], finance [1], telecommunications [1], law [1], and intergovernmental organizations [1]. The attackers have maintained access to victim networks for weeks [1], exfiltrating sensitive data while employing multi-layered command-and-control infrastructure and log-wiping tools to evade detection [1]. Notably, the adversaries have demonstrated advanced lateral movement techniques [2], including SMB Named Pipe Creation and HTTPS Remote Process Manipulation [2], to navigate networks and deploy web shells on compromised servers [2].

In addition to SPAWNCHIMERA, a new malware variant named Resurge has emerged [3], exploiting the same stack-based buffer overflow (CVE-2025-0282) in Ivanti's Connect Secure [3], Policy Secure [3], and ZTA Gateway products [3]. Resurge shares traits with the Spawn malware family [3], particularly SPAWNCHIMERA, and can create web shells [3], harvest credentials [3], initiate password resets [3], and tamper with system logs [3]. It can also evade Ivanti's Integrity Checker Tool [3], so a clean ICT result on a suspect device is not by itself evidence that the device is uncompromised. Organizations are advised to factory-reset affected appliances from a known clean image rather than attempting to clean them in place [3].
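Because an implant that subverts the on-box integrity checker can also lie to it, the practical check is done from outside the device: hash a forensic copy (or the mounted disk) of the suspect appliance and compare it against a manifest built from the known clean image. The following is an added example written for this page, not code from Ivanti or from any of the cited reports; the directory names and file contents are constructed for illustration and are not the real appliance layout.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large image files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(known_good: dict, observed: dict) -> dict:
    """Classify differences between a clean-image manifest and a suspect copy.

    'modified' is the signal for tampered binaries; 'added' is where dropped
    web shells and tooling show up; 'missing' catches removed logs or checks.
    """
    return {
        "modified": sorted(k for k, h in known_good.items()
                           if k in observed and observed[k] != h),
        "missing": sorted(k for k in known_good if k not in observed),
        "added": sorted(k for k in observed if k not in known_good),
    }


def demo() -> dict:
    """Constructed scenario: a 'clean image' tree and a 'suspect' copy in which
    one daemon binary has been altered and one web shell has been dropped.
    Paths and contents are illustrative only."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"
        for root in (clean, suspect):
            (root / "home/bin").mkdir(parents=True)
            (root / "home/webserver/htdocs").mkdir(parents=True)
            (root / "home/bin/web").write_bytes(b"\x7fELF clean web daemon")
            (root / "home/webserver/htdocs/index.html").write_text("<html>ok</html>")
        # Tampering present in the suspect copy only
        (suspect / "home/bin/web").write_bytes(b"\x7fELF web daemon with hook")
        (suspect / "home/webserver/htdocs/cmd.cgi").write_text(
            "#!/bin/sh\neval \"$QUERY_STRING\"\n")
        return compare_manifests(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest for the clean image should be generated once from vendor media on a trusted host and stored off the appliance; the suspect manifest is computed from an image taken of the device, never by running the checker on the device itself. Findings in "modified" or "added" are then triaged by hand before any decision to rebuild.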

SPAWNCHIMERA includes components such as SPAWNSLOTH [1], a log-wiping tool designed to erase forensic evidence [1]. The suite can also patch vulnerable Ivanti components in memory [1]; because the implant is already resident, applying the vendor patch to a device that was compromised beforehand does not evict it, and the actor retains access [1]. Although Ivanti released patches in February 2025 [1], many devices remain unpatched because of slow remediation [1], and the resulting compromises have caused widespread service disruptions [1].
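Log wiping by SPAWNSLOTH and the log tampering attributed to Resurge above leave the same trace: entries that should exist do not, and the surviving timeline is no longer monotonic. A first-pass detector for exported appliance logs is therefore a continuity check rather than a signature. The block below is an added example for this page, not code from the cited reports or from Ivanti; the log lines are constructed and the 15-minute heartbeat cadence and 30-minute gap threshold are assumptions to be tuned to the real log source.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample, not real appliance output: a log that normally ticks
# every 15 minutes, with a roughly three-hour hole and one line whose
# timestamp runs backwards relative to the line before it.
SAMPLE_LOG = """\
2025-04-02T01:00:05Z info system heartbeat
2025-04-02T01:15:04Z info system heartbeat
2025-04-02T01:30:06Z info system heartbeat
2025-04-02T04:45:02Z info system heartbeat
2025-04-02T05:00:03Z info system heartbeat
2025-04-02T04:58:11Z info admin login user=svc-backup src=10.0.9.4
2025-04-02T05:15:01Z info system heartbeat
"""

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s")


def parse_timestamp(line: str) -> Optional[datetime]:
    """Return the leading UTC timestamp of a log line, or None if absent."""
    m = _TS.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None


def find_log_anomalies(
    text: str,
    max_gap: timedelta = timedelta(minutes=30),
    heartbeat: Optional[timedelta] = timedelta(minutes=15),
) -> List[Tuple[str, int, str]]:
    """Flag silent gaps and backwards timestamps in a chronologically
    written log. Returns (kind, line_number, detail) tuples.

    kind is 'gap' (no entries for longer than max_gap), 'backwards'
    (timestamp earlier than the latest one already seen, which a rewrite
    or splice of the file tends to leave behind) or 'unparsed'.
    """
    findings: List[Tuple[str, int, str]] = []
    high_water: Optional[datetime] = None  # latest timestamp seen so far
    for lineno, line in enumerate(text.splitlines(), start=1):
        ts = parse_timestamp(line)
        if ts is None:
            findings.append(("unparsed", lineno, line[:40]))
            continue
        if high_water is not None:
            delta = ts - high_water
            if delta < timedelta(0):
                findings.append(("backwards", lineno,
                                 f"{-delta} earlier than preceding entry"))
            elif delta > max_gap:
                detail = f"{delta} with no entries"
                if heartbeat:
                    # Interior heartbeats expected between the two entries
                    missed = max(0, round(delta / heartbeat) - 1)
                    detail += f", ~{missed} expected heartbeats absent"
                findings.append(("gap", lineno, detail))
        high_water = ts if high_water is None else max(high_water, ts)
    return findings


if __name__ == "__main__":
    for kind, lineno, detail in find_log_anomalies(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```

The high-water mark rather than the previous line is the baseline for gap checks, so a single backwards entry does not hide the hole that follows it. A gap flagged here is only a lead: it is corroborated against logs forwarded off the device (syslog, NetFlow, the upstream firewall), because a log that was shipped off-box before the wipe is the copy the adversary could not reach.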

The sophistication of the SPAWNCHIMERA toolkit [1], which features UNIX socket communication and obfuscated payloads [1], underscores China’s increasing focus on cyber espionage against geopolitical rivals [1]. With over 1,700 devices compromised globally and exploitation attempts on the rise [1], the operational consequences of these attacks are expected to persist for years [1]. The campaign highlights the critical importance of proactive cybersecurity measures [1], particularly for unpatched network edge devices like VPN gateways [1], as the ongoing risks posed by Chinese-affiliated threat actors continue to evolve.

Conclusion

The ongoing campaign by UNC5221 highlights the severe consequences of leaving known vulnerabilities unpatched on internet-facing edge devices. Organizations must prioritize timely patching and pair it with compromise assessment, since patching alone does not remove an implant that is already present. The persistence and sophistication of these attacks underscore the need for continuous vigilance and adaptation to evolving cyber threats, particularly from state-affiliated actors. Proactive measures, including regular security audits and rebuilding compromised appliances from known clean images, are essential to safeguard sensitive data.

References

[1] https://www.cybersecurityintelligence.com/blog/chinese-hackers-undertaking-a-global-infiltration-campaign-8377.html
[2] https://reliaquest.com/blog/threat-spotlight-the-data-chase-understanding-chinese-espionage-strategies/
[3] https://www.fortra.com/blog/bi-weekly-cyber-landscape-reviews-april-11th-2025