Cybersecurity experts have identified a new malware, MDifyLoader, used in attacks targeting Ivanti Connect Secure (ICS) appliances by exploiting two vulnerabilities, CVE-2025-0282 and CVE-2025-22457. These flaws, patched in early 2025, allowed remote code execution and were abused as zero-days to deliver malicious payloads. MDifyLoader, based on the open-source libPeConv project, decrypts and executes an in-memory Cobalt Strike beacon (version 4.5) via DLL side-loading.
The attackers also employed a Go-based remote access tool, VShell, and a network scanner called Fscan, both linked to Chinese threat groups. VShell included a language-checking feature, possibly left enabled by mistake. Once inside the network, the attackers performed brute-force attacks on FTP, MS-SQL, and SSH servers and used EternalBlue to move laterally.
To maintain persistence, they created disguised domain accounts, scheduled malicious tasks, and registered malware as a service, ensuring long-term access even if credentials were revoked.