Threat actors have exploited a zero-day flaw in Ivanti Connect Secure (CVE-2025-0282) to install a web shell and a remote access trojan (DslogdRAT), according to JPCERT/CC.
How DslogdRAT and the Web Shell Work
The attackers first used a simple backdoor to install DslogdRAT, a powerful remote access trojan (RAT) with advanced features.
When executed, DslogdRAT's main process spawns a hidden child process and then exits. The child process decodes its configuration with a simple single-byte XOR using the key 0x63.
The attackers used a Perl-based CGI script as the web shell to handle incoming HTTP requests. The incident again highlights the ongoing risk to Ivanti products and the urgent need for patching and strong monitoring.
The malware is designed to run only between 8:00 AM and 8:00 PM, likely to blend in with normal business activity and avoid suspicion.
A second hidden process handles communication with the command-and-control (C2) server over socket connections. It encodes the traffic with a simple 7-byte XOR key and can:
- Send system info,
- Upload or download files,
- Run shell commands,
- Act as a proxy.
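The single-byte XOR config decoding and the 7-byte XOR C2 encoding described above, as an added analyst helper that is not part of JPCERT/CC's report or the malware. The configuration bytes, the 7-byte key and the C2 message are constructed for illustration; only the 0x63 config key comes from the report. It also shows that a repeating XOR key can be recovered from a few bytes of known plaintext, which is how an analyst decodes captured traffic without the key.

```python
"""XOR decoding helpers for DslogdRAT-style encodings (added example)."""
from itertools import cycle

CONFIG_KEY = b"\x63"  # single-byte config key reported by JPCERT/CC


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, repeating the key as needed.

    A one-byte key gives the config decoding; a 7-byte key gives the C2
    traffic decoding. XOR is symmetric, so the same call also encodes.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_repeating_key(ciphertext: bytes, known: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from `key_len` bytes of known plaintext.

    Repeating-key XOR leaks key[i] = ciphertext[i] ^ plaintext[i], so a
    predictable header or protocol tag at the start of a message is enough.
    """
    if len(known) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known[:key_len]))


# Constructed sample config (invented values, not from the real sample).
SAMPLE_CONFIG = b"c2=203.0.113.10:443;start=08:00;stop=20:00;"
ENCODED_CONFIG = xor_decode(SAMPLE_CONFIG, CONFIG_KEY)

# Constructed 7-byte C2 key and a constructed command message.
SAMPLE_C2_KEY = b"\x11\x22\x33\x44\x55\x66\x77"
SAMPLE_C2_MSG = b"CMD:hostname\n"
ENCODED_C2_MSG = xor_decode(SAMPLE_C2_MSG, SAMPLE_C2_KEY)


def decode_config() -> bytes:
    return xor_decode(ENCODED_CONFIG, CONFIG_KEY)


def recover_c2_key() -> bytes:
    # The analyst knows the message begins with the "CMD:" tag and a
    # predictable command; seven known bytes suffice for a seven-byte key.
    return recover_repeating_key(ENCODED_C2_MSG, b"CMD:hos", 7)


if __name__ == "__main__":
    print(decode_config())
    print(recover_c2_key().hex())
```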
Another threat, SPAWNSNARE, was also found on the same systems. This malware had previously been flagged by CISA and Google, hinting at a larger campaign possibly linked to known threat groups.
JPCERT/CC also warned about a related issue (CVE-2025-22457), showing that Ivanti systems remain a major target.
DslogdRAT uses techniques such as an encoded configuration and multi-threading via the pthread library to stay hidden and stable on infected systems.
Security Tip:
Organizations should check the indicators of compromise shared by JPCERT/CC and take immediate action: apply patches, monitor networks, and strengthen incident response plans to stay protected.