Chinese Hackers Undertaking A Global Infiltration Campaign 

A Chinese Advanced Persistent Threat (APT) group has successfully exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organisations across 12 countries and 20 industries, according to the Taiwanese cyber security firm TeamT5.

The campaign, active since late March 2025, exploits CVE-2025-0282 and CVE-2025-22457, two stack-based buffer overflow vulnerabilities with CVSS (Common Vulnerability Scoring System) scores of up to 9.0, to deploy the SPAWNCHIMERA malware suite and establish network access.

CVSS is a standard for assessing the severity of software vulnerabilities, assigning a numerical score from 0 to 10. This score helps organisations prioritise vulnerability remediation efforts by quantifying the potential impact of a vulnerability.

The attacks targeted organisations in the UK, the US, Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan and the UAE. Targeted industries include government agencies, financial institutions, telecommunications, law firms, and intergovernmental organisations.

The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations. As geopolitical tensions escalate, the incident highlights the urgent need for proactive vulnerability management and cross-sector threat intelligence sharing.

The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data, while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.

The APT group has been identified as UNC5221, which, according to research by Mandiant, is connected to the Chinese government. The group has successfully weaponised the Ivanti vulnerabilities to achieve unauthenticated Remote Code Execution (RCE).

Once inside, attackers deployed SPAWNCHIMERA, a modular malware package designed specifically to exploit Ivanti appliances. The key malware components include:

  • SPAWNANT: A stealthy installer that bypasses integrity checks.
  • SPAWNMOLE: A SOCKS5 proxy for tunnelling traffic.
  • SPAWNSNAIL: An SSH backdoor for persistent access.
  • SPAWNSLOTH: A log-wiping tool to erase forensic evidence.

The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied. Security analysts at Rapid7 are reported to have confirmed the vulnerabilities’ severity, reporting that CVE-2025-22457 initially appeared as a low-risk denial-of-service bug but was later weaponised for RCE.

Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions. Despite Ivanti’s patches released in February, thousands of devices remain unpatched due to sluggish enterprise remediation efforts.

Mandiant warns that the SPAWNCHIMERA toolkit’s sophistication, including UNIX socket communication and obfuscated payloads, reflects China's growing focus on cyber espionage against geopolitical rivals.

TeamT5 urges affected organisations to:   

  • Immediately apply Ivanti’s version 22.7R2.5 patches.
  • Conduct full network forensic analyses to identify dormant malware.
  • Reset VPN appliances and revoke credentials exposed during breaches.
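An added example, not code from the article, TeamT5 or Ivanti: a small inventory triage script that parses Ivanti Connect Secure version strings and flags any appliance running a build older than the 22.7R2.5 release the article says TeamT5 recommends applying. The version-string format (major.minor R release[.patch]) and the sample hostnames are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Ivanti Connect Secure version strings look like "22.7R2.5" (major.minor R release[.patch]).
# This parsing rule is an assumption based on Ivanti's public version naming, not on the article.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# The release the article reports TeamT5 urging affected organisations to apply.
PATCHED_VERSION = "22.7R2.5"


def parse_ics_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); a missing patch number counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti Connect Secure version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def needs_patch(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the appliance runs a build older than the recommended patched release."""
    return parse_ics_version(version) < parse_ics_version(patched)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (hostname, version) pair as 'patched', 'needs-patch' or 'unknown-version'."""
    results = []
    for host, version in inventory:
        try:
            status = "needs-patch" if needs_patch(version) else "patched"
        except ValueError:
            # A malformed or missing version is a host to investigate, not one to skip.
            status = "unknown-version"
        results.append((host, version, status))
    return results


# Constructed sample inventory: hostnames and versions invented for illustration.
SAMPLE_INVENTORY = [
    ("vpn-london-01", "22.7R2.5"),
    ("vpn-paris-01", "22.7R2.4"),
    ("vpn-tokyo-01", "22.7R1"),
    ("vpn-sydney-01", "9.1R18.9"),
    ("vpn-legacy-01", "unknown"),
]

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {version:10} {status}")
```

Hosts flagged as needs-patch or unknown-version are the ones to prioritise for the forensic review and credential reset the list above describes, since a patch alone does not remove malware already installed.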

As Chinese APTs increasingly target legacy systems, the US Cybersecurity & Infrastructure Security Agency (CISA) required US federal agencies to patch Ivanti vulnerabilities by January 15, 2025, a deadline many missed, exacerbating the crisis.

With over 1,700 devices compromised globally and exploitation attempts surging, analysts warn that the operational consequences could continue for years.

The campaign illustrates the risks of unpatched network edge devices, particularly VPN gateways, and reinforces the critical importance of proactive cyber security measures in mitigating risks posed by increasingly sophisticated nation-state level threat actors.

TeamT5 | CISA | Google | Picus Security | Cybersecurity News | BobsGuide | CyberPress | Varutra | Security Online
