A brand new wave of assaults focusing on Ivanti Join Safe VPN units has revealed a stealthy malware pressure often called DslogdRAT, deployed alongside a easy however efficient Perl internet shell.
Safety researchers at JPCERT/CC identified these infections throughout a forensic investigation into exploitation of CVE-2025-0282—a zero-day vulnerability abused in December 2024 assaults on Japanese organizations.
DslogdRAT Preliminary Entry by way of Light-weight Internet Shell
The attackers initially deployed a Perl-based CGI script as an online shell. By checking the worth of a particular cookie, the script may run arbitrary instructions when the cookie matched a hardcoded token. This barebones backdoor enabled distant command execution on compromised Ivanti units and sure served because the launchpad for deploying DslogdRAT.
As soon as launched, DslogdRAT establishes persistence by way of a multi-process design. The primary course of spawns a baby and exits, whereas the primary little one enters a persistent loop and creates a second little one tasked with command-and-control (C2) communication. This core course of makes use of the pthread library to handle a devoted thread for speaking with its distant C2 server.
The communication routine contains retrieving configuration data, managing sockets, and dealing with instructions acquired from the attacker. Based on JPCERT/CC’s evaluation, the C2 communications are XOR-encoded in 7-byte blocks, utilizing keys from 0x01 to 0x07.
Malware Configuration: Working Hours and C2 Particulars
The DslogdRAT binary incorporates hardcoded and XOR-encoded configuration information. After decoding, researchers discovered settings tailor-made for evasion and operational management. For instance, the malware is programmed to activate solely between 8:00 AM and a couple of:00 PM—more likely to mix in with regular enterprise exercise and evade anomaly detection instruments.
Key configuration details include:
- C2 server IP: 3.112.192[.]119
- Port: 443
- Command shell: /bin/sh
- Proxy setup: 127.0.0.1, user: admin, password: admin
- Thread and file references: /home/bin/dslogd, [kworker/0:02]
The design shows clear intent to avoid detection and maintain a foothold while operating within seemingly normal traffic windows.
Capabilities: From Shell Execution to Full Proxy Support
DslogdRAT can handle a wide range of functions. These include uploading and downloading files, executing shell commands, and serving as a proxy tunnel—effectively allowing lateral movement or information exfiltration by way of different compromised property.
Supported command values embrace:
- File transfers:
0x4,0x8,0xA - Shell operations:
0xCto0xE - Proxy companies:
0x13to0x18 - Forwarding and redirection:
0x28,0x29
Throughout preliminary C2 contact, the malware sends a system fingerprint utilizing a structured packet that features encoded host info, designed for parsing by the operator’s server-side tooling.
Overlap with SPAWNSNARE Malware
Researchers additionally noticed the SPAWNSNARE backdoor on the identical compromised techniques. This malware, linked to Chinese language risk actor UNC5221, had beforehand been disclosed by each Google and CISA in April 2025. Whereas no direct attribution hyperlinks DslogdRAT to the identical actor, the concurrent presence of each malware strains suggests attainable coordination or toolset sharing.
Additionally learn: CISA Details New Malware Used in Ivanti Attacks
Safety Advisory and Outlook
Japan’s JPCERT/CC and U.S. CISA have issued alerts in regards to the vulnerabilities affecting Ivanti Join Safe, significantly CVE-2025-22457. These incidents are a part of a broader wave of state-aligned cyber exercise focusing on edge units and VPN home equipment—favored targets resulting from their place in community perimeters and often-lax patching cycles.
Organizations utilizing Ivanti Join Safe are urged to use obtainable patches instantly, conduct forensic evaluations of their home equipment, and monitor for recognized indicators of compromise (IoCs), together with:
- Malware hash:
1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8 - Internet shell path:
/house/webserver/htdocs/dana-na/cc/ccupdate.cgi - C2 IP:
3.112.192[.]119
The DslogdRAT intrusion reveals a layered and disciplined intrusion technique exploiting zero-day flaws in Ivanti techniques. With distinct working home windows, encoded communications, and modular capabilities, the malware displays an ongoing evolution in stealth-focused, post-exploitation tooling. As exploitation of Ivanti vulnerabilities continues, defenders should prioritize risk looking and community segmentation to restrict potential lateral motion.
Associated
Media Disclaimer: This report relies on inside and exterior analysis obtained by way of varied means. The data supplied is for reference functions solely, and customers bear full duty for his or her reliance on it. The Cyber Express assumes no legal responsibility for the accuracy or penalties of utilizing this info.
