The execution flow of Fscan | Image: JPCERT/CC
JPCERT/CC has released a detailed technical report shedding light on a sustained and sophisticated malware campaign leveraging vulnerabilities in Ivanti Connect Secure (CVE-2025-0282 and CVE-2025-22457). The report reveals how threat actors continue to exploit these flaws through a growing arsenal of malware and tools, including MDifyLoader, Cobalt Strike Beacon, vshell, and Fscan.
The intrusion starts from a legitimate executable, typically launched via a scheduled task, which side-loads MDifyLoader as a DLL. Once loaded, MDifyLoader decrypts an embedded payload with RC4, maps a Cobalt Strike Beacon into memory and executes it there without writing it to disk.
The RC4 key is derived from the MD5 hash of the legitimate host executable, so the payload can only be decrypted when all three components (host executable, loader and encrypted payload) are recovered together; a loader or payload captured on its own is considerably harder to analyze.
The loader is also padded with junk code (meaningless function calls and relative memory references) that obstructs static analysis and deobfuscation.
“This suggests that the attackers intended to hinder deobfuscation,” the report explained.
Unusually, the Beacon decrypts its own configuration with RC4 using the hardcoded key “google” rather than the stock single-byte XOR. The sample was identified as Cobalt Strike v4.5 and carries the name “NewBeacon.dll”.
The attackers also deployed vshell, a Go-based remote access trojan (RAT) previously hosted on GitHub. Although the tool is general-purpose, JPCERT/CC observed that the operators were tripped up by one of its own built-in checks.
“The used vshell has a function to check whether the system language is set to Chinese… the attackers repeatedly failed to execute vshell,” the report notes; the language check, apparently left enabled from testing, stopped vshell from running on the targets.
In a second side-loading chain, the attackers ran Fscan, an open-source network scanner, by launching a legitimate python.exe that loads a malicious python311.dll. The DLL decrypts the RC4-encrypted scanner with the hardcoded key “99999999” and executes it directly in memory.
“The python311.dll was developed based on the open-source tool FilelessRemotePE,” the report states; that tool provides in-memory PE execution and an ETW bypass, reducing what endpoint detection products can observe.
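The three RC4 keying schemes described above (MDifyLoader keying on the MD5 of the host executable, the Beacon's “google” config key, and python311.dll's “99999999” key) are easy to reproduce for triage. The following Python helper is an added example, not code from the JPCERT/CC report or from the malware. It assumes the MDifyLoader key is either the raw MD5 digest or its 32-character hex string (the report excerpt here does not say which form is used, so both are tried), uses the well-known Cobalt Strike parsed-config header as a sanity check, and runs on constructed placeholder blobs rather than real samples.

```python
"""Triage helper for the RC4 keying schemes reported in this campaign.

Added example, not code from the JPCERT/CC report or from the malware.
  * MDifyLoader payload: key = MD5 of the side-loaded host executable
    (raw digest vs. hex string is an ASSUMPTION; both are tried).
  * Cobalt Strike Beacon config: RC4 with key b"google" instead of the
    stock single-byte XOR.
  * python311.dll (FilelessRemotePE-based): RC4 with key b"99999999".
"""
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# A parsed Cobalt Strike config starts with setting 1 (BEACON_TYPE), type 1
# (short), length 2, i.e. 00 01 00 01 00 02. Cheap check that a key worked.
CS_CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"


def looks_like_cs_config(blob: bytes) -> bool:
    return blob.startswith(CS_CONFIG_MAGIC)


def looks_like_pe(blob: bytes) -> bool:
    return blob[:2] == b"MZ"


def mdifyloader_keys(host_exe: bytes) -> dict:
    """Candidate RC4 keys for the MDifyLoader payload (digest form is an assumption)."""
    digest = hashlib.md5(host_exe).digest()
    return {"md5_raw": digest, "md5_hex": digest.hex().encode()}


def decrypt_mdifyloader_payload(host_exe: bytes, enc_payload: bytes):
    """Try each key form; return (form, plaintext) once a PE image appears."""
    for form, key in mdifyloader_keys(host_exe).items():
        plain = rc4(key, enc_payload)
        if looks_like_pe(plain):
            return form, plain
    return None, None


def decrypt_beacon_config(enc_cfg: bytes, key: bytes = b"google"):
    """RC4 config decryption as reported; None if the config header is absent."""
    plain = rc4(key, enc_cfg)
    return plain if looks_like_cs_config(plain) else None


def xor_beacon_config(enc_cfg: bytes, xor_key: int = 0x69) -> bytes:
    """Stock Cobalt Strike 4.x behaviour, for contrast: single-byte XOR (0x69)."""
    return bytes(b ^ xor_key for b in enc_cfg)


def decrypt_fscan_loader_payload(enc: bytes, key: bytes = b"99999999"):
    plain = rc4(key, enc)
    return plain if looks_like_pe(plain) else None


# Constructed placeholder inputs (NOT real samples).
FAKE_HOST_EXE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00legit-host-binary"
FAKE_BEACON_PE = b"MZ" + b"\x90" * 30 + b"NewBeacon.dll"
FAKE_CS_CONFIG = CS_CONFIG_MAGIC + b"\x00\x00" + b"\x00\x02\x00\x01\x00\x02\x1f\x90"
FAKE_FSCAN_PE = b"MZ" + b"fscan-in-memory"


def demo():
    """Encrypt the placeholders the way each component would, then recover them."""
    enc_beacon = rc4(hashlib.md5(FAKE_HOST_EXE).digest(), FAKE_BEACON_PE)
    form, beacon = decrypt_mdifyloader_payload(FAKE_HOST_EXE, enc_beacon)
    cfg = decrypt_beacon_config(rc4(b"google", FAKE_CS_CONFIG))
    fscan = decrypt_fscan_loader_payload(rc4(b"99999999", FAKE_FSCAN_PE))
    return form, beacon == FAKE_BEACON_PE, cfg == FAKE_CS_CONFIG, fscan == FAKE_FSCAN_PE


if __name__ == "__main__":
    print(demo())
```

On a real MDifyLoader case, feed `decrypt_mdifyloader_payload` the bytes of the legitimate executable found next to the loader, not the loader itself; if neither key form yields an `MZ` header, the key derivation differs from the assumption here and the loader's key routine must be read from disassembly.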
Once inside a target network, the attackers pivot using a mix of commodity and well-worn techniques:
- Brute-force attacks against Active Directory, MSSQL, FTP, and SSH services.
- SMB exploitation via MS17-010 (EternalBlue, the flaw abused by WannaCry).
- Lateral movement over RDP and SMB shares.
- Creation of new domain accounts for persistent access.
“The attackers registered their malware as a service or a task scheduler… enabling long-term access,” the report warned.
To evade detection, the malware is consistently executed inside legitimate processes via DLL side-loading, and the loaders carry ETW bypasses, both of which reduce the telemetry available to EDR platforms.
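The persistence and side-loading pattern just described (a task or service whose action is a legitimate executable such as python.exe staged in a writable directory, plus new accounts created for access) lends itself to a simple hunt over event logs. The following Python triage is an added example, not from the JPCERT/CC report. It assumes simplified event records (4698 scheduled task created, 7045 service installed, 4720 user account created, each flattened to a dict with the launch command), a small trusted-directory list, and a one-entry list of known side-loading host binaries; all sample events are constructed.

```python
"""Hunt for persistence from untrusted paths and staged side-loading hosts.

Added example, not code from the JPCERT/CC report. Event shape is a
simplification (ASSUMPTION): real 4698 events carry the task XML rather
than a flat "Command" field, so map your own log source into this shape.
"""
import ntpath
import re

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SIDELOAD_HOSTS = {"python.exe"}  # ASSUMPTION: seed list; extend with your own hosts
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files"}


def exe_from_command(cmd: str) -> str:
    """Extract the executable path (quoted or bare) and normalise it."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    exe = (m.group(1) or m.group(2)) if m else cmd
    exe = exe.lower()
    for var, val in ENV.items():
        exe = exe.replace(var, val)
    return exe


def in_trusted_dir(exe: str) -> bool:
    return exe.startswith(TRUSTED_DIRS)


def triage(ev: dict) -> list:
    """Return a list of finding strings for one event (empty if benign)."""
    findings = []
    eid = ev.get("EventID")
    if eid in (4698, 7045):
        exe = exe_from_command(ev["Command"])
        name = ntpath.basename(exe)
        if not in_trusted_dir(exe):
            findings.append(f"{eid}: persistence binary outside trusted dirs: {exe}")
        if name in SIDELOAD_HOSTS and not in_trusted_dir(exe):
            findings.append(f"{eid}: DLL side-load host {name} staged in writable path")
    elif eid == 4720:
        findings.append(f"4720: new account {ev['TargetUser']} created by {ev['User']};"
                        " correlate with RDP/SMB lateral movement")
    return findings


def hunt(events) -> list:
    return [(ev.get("EventID"), f) for ev in events for f in triage(ev)]


# Constructed sample events (NOT real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Update\\SyncCheck",
     "Command": "C:\\ProgramData\\Update\\python.exe -c pass", "User": "SYSTEM"},
    {"EventID": 7045, "ServiceName": "WinHelpSvc",
     "Command": "\"C:\\Users\\Public\\Libraries\\svchost.exe\"", "User": "SYSTEM"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe -c", "User": "SYSTEM"},
    {"EventID": 4720, "TargetUser": "svc_backup2", "User": "CORP\\admin01"},
]

if __name__ == "__main__":
    for eid, finding in hunt(SAMPLE_EVENTS):
        print(eid, finding)
```

The two rules are deliberately coarse: a path check catches renamed system binaries like the `svchost.exe` under `C:\Users\Public`, and the side-load rule flags a legitimate `python.exe` wherever it sits outside its install directory, which is where a planted `python311.dll` would be picked up first.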
The use of multi-layered obfuscation, memory-resident malware, and legitimate software abuse shows that threat actors continue to evolve their toolkits for stealth and resilience.
“These attacks have persisted since December 2024 and are expected to remain active,” JPCERT/CC concluded.
Organizations using Ivanti Connect Secure or similar remote access solutions should patch vulnerabilities promptly, monitor scheduled task anomalies, and deploy advanced behavioral detection systems to counter the tactics outlined in JPCERT’s report.