
A recent report by TeamT5 has uncovered a widespread cyber espionage campaign targeting Ivanti Connect Secure VPN appliances. The report details how a China-nexus Advanced Persistent Threat (APT) group infiltrated numerous entities across the globe by exploiting critical vulnerabilities in these VPNs.
The scope of this campaign is extensive, with victims spanning twelve countries, including Austria, Australia, France, Spain, Japan, South Korea, and the United States. The attackers cast a wide net, targeting nearly twenty different industries. Victims include organizations in sectors such as Automotive, Chemical, Government, Financial Institutions, and Telecommunications.
TeamT5’s analysis indicates “with high confidence that the actor was exploiting the vulnerabilities of Ivanti Connect Secure VPN appliances to launch attacks around the globe”. The report suggests that the threat actor likely gained initial access by exploiting CVE-2025-0282 or CVE-2025-22457. Both of these CVEs are critical stack buffer overflow vulnerabilities in Ivanti Connect Secure VPNs, with a CVSS score of 9.0. Successful exploitation of these vulnerabilities allows attackers to achieve remote code execution, enabling them to intrude on internal networks and implant malware.
CVE-2025-0282 is described as a critical stack-based buffer overflow flaw affecting several Ivanti products. Notably, cybersecurity firm Mandiant (now part of Google Cloud) reported that attackers began leveraging this vulnerability as early as mid-December, deploying the custom Spawn malware toolkit. This malicious framework, known to be associated with a suspected China-linked espionage group tracked as UNC5337, is likely part of a larger cluster tracked as UNC5221.
Similarly, CVE-2025-22457 is also attributed to a stack-based buffer overflow weakness. This vulnerability impacts a range of Ivanti products, including Pulse Connect Secure 9.1x and Ivanti Connect Secure 22.7R2.5 and earlier. Ivanti’s advisory notes that remote threat actors could exploit it in high-complexity attacks that don’t require authentication or user interaction. Ivanti released a patch for this vulnerability on February 11, 2025.
TeamT5 reports that the threat actor used SPAWNCHIMERA, a malware toolkit developed specifically for Ivanti VPN appliances. It includes multiple modules with diverse capabilities:
- SPAWNANT: Installer
- SPAWNMOLE: SOCKS5 tunneler
- SPAWNSNAIL: SSH backdoor
- SPAWNSLOTH: Log wiper
The malware appears tied to UNC5337, a China-linked espionage group previously observed by Mandiant, and is likely part of a broader threat cluster tracked as UNC5221.
Since April 2025, TeamT5 has observed massive exploitation attempts, many of which have destabilized vulnerable VPN appliances—even when exploitation was unsuccessful.
“Although most exploitation attempts failed, many Ivanti VPN appliances became paralyzed and unstable,” TeamT5 warns. This suggests that multiple threat actors—not just the original APT—may now have access to vulnerability details and are actively attempting breaches.
TeamT5’s analysis suggests the possibility of other threat actors obtaining the vulnerability information and launching their own campaigns. The report emphasizes the challenges of detecting the actor’s malicious traces within a network due to their versatile tactics, including multi-layered C2 infrastructure, evasion of monitoring mechanisms, and the use of log wipers. TeamT5 “strongly recommends that affected organizations conduct a thorough incident investigation” to fully uncover any malicious activity.
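The detection difficulty described above, in particular the use of a log wiper, invites a cheap first check during an incident investigation: look for unexplained silences and ordering anomalies in the appliance's own exported logs. The script below is an added example, not code from the TeamT5 report or from Ivanti. It assumes a generic `ISO-8601-timestamp message` line format (a hypothetical layout chosen for the example) and runs over constructed sample lines, flagging gaps that are both longer than an absolute floor and far larger than the log's typical inter-event interval, plus any timestamp that runs backwards.

```python
"""Flag suspicious gaps and out-of-order entries in a time-ordered log.

Added example. The sample below is constructed; it is not data from the
TeamT5 report. Line format assumed: "<ISO-8601 UTC timestamp> <message>".
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: a quiet hour between 02:05 and 03:10, and one entry
# whose timestamp runs backwards, the kind of trace a rewrite of the log
# file can leave behind.
SAMPLE_LOG = """\
2025-04-10T02:00:01Z auth: user alice logged in from 10.0.0.5
2025-04-10T02:01:14Z auth: user bob logged in from 10.0.0.7
2025-04-10T02:03:40Z web: session refresh for user alice
2025-04-10T02:05:02Z auth: user carol logged in from 10.0.0.9
2025-04-10T03:10:55Z auth: user alice logged out
2025-04-10T03:12:30Z web: session refresh for user bob
2025-04-10T03:09:58Z system: maintenance task completed
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_timestamps(text):
    """Return [(line_number, datetime)] for every non-empty line.

    Lines whose first token is not a parseable timestamp are reported as
    findings of kind "unparseable" by find_anomalies, not silently dropped:
    a truncated or overwritten record is itself worth a look.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        token, _, _ = line.partition(" ")
        try:
            stamp = datetime.strptime(token, TS_FORMAT)
        except ValueError:
            stamp = None
        entries.append((lineno, stamp))
    return entries


def find_anomalies(entries, floor=timedelta(minutes=5), factor=10):
    """Compare each consecutive pair of entries.

    A gap is flagged when it exceeds both `floor` and `factor` times the
    median positive interval, so a normally busy log is judged against its
    own rhythm rather than a fixed number. Negative deltas are flagged as
    out-of-order regardless of size.
    """
    findings = []
    stamped = [(n, t) for n, t in entries if t is not None]
    findings.extend(
        {"kind": "unparseable", "line": n} for n, t in entries if t is None
    )

    deltas = [b - a for (_, a), (_, b) in zip(stamped, stamped[1:])]
    positive = [d.total_seconds() for d in deltas if d.total_seconds() >= 0]
    typical = median(positive) if positive else 0.0
    threshold = max(floor.total_seconds(), factor * typical)

    for (prev_no, prev), (cur_no, cur), delta in zip(stamped, stamped[1:], deltas):
        seconds = delta.total_seconds()
        if seconds < 0:
            findings.append({"kind": "out_of_order", "line": cur_no,
                             "previous_line": prev_no, "seconds": seconds})
        elif seconds > threshold:
            findings.append({"kind": "gap", "line": cur_no,
                             "previous_line": prev_no, "seconds": seconds,
                             "start": prev.isoformat(), "end": cur.isoformat()})
    return findings


def analyze(text):
    """Convenience wrapper: parse then check."""
    return find_anomalies(parse_timestamps(text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A clean result from this check does not clear an appliance: a wiper that removes whole files, or an actor who truncates only the most recent records, leaves no internal gap to find. Treat a flagged window as a prompt to pull corroborating sources (forwarded syslog, upstream firewall or proxy records, authentication server logs) for the same interval, which is where the thorough investigation TeamT5 recommends actually happens.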