China-Linked Hackers Exploit Ivanti VPN Zero-Day
Nominet, a major country code registry, recently experienced a network breach. The intrusion exploited a previously unknown vulnerability in Ivanti Connect Secure, a VPN product from Ivanti.
Nominet, which operates the .UK domain registry, announced the breach in a statement saying it had no evidence of data theft. The company added that its domain registration and management systems continue to operate normally.
Now, security researchers believe they’ve found the source of the Ivanti Connect Secure attacks, which have targeted a variety of organizations since at least mid-December: state-sponsored hacking groups based in China.
The attackers used the Ivanti Connect Secure exploit to drop a previously unreported malware family, tracked as Dryhook, in compromised environments. This came after the attackers had used the same exploit to drop a web shell on the appliances, allowing them to remotely control the affected devices, according to Mandiant.
The Ivanti Connect Secure attack chain began with the exploitation of the Ivanti Connect Secure zero-day, according to Mandiant, which the firm says is confirmed by several independent sources. The zero-day, tracked as CVE-2025-0282, allows an attacker to remotely execute code on an Ivanti Connect Secure appliance without authentication, effectively giving them full control.
Following the initial exploitation of CVE-2025-0282, attackers leveraged a previously unreported web shell to deploy a new family of malware, Dryhook, to compromised Ivanti Connect Secure instances. Dryhook is a modular malware with a wide range of capabilities, including credential theft, lateral movement, privilege escalation, and further backdoor deployment.
Dryhook has been observed in conjunction with several different toolsets, indicating that multiple groups are leveraging Ivanti Connect Secure to gain access to victim environments.
The Dryhook backdoor is capable of communicating with command-and-control (C2) infrastructure in multiple ways, including through the Tor anonymizing network, to avoid detection.
Dryhook has been observed in the wild since early January 2025 and has been used to target organizations across a variety of sectors, including technology, government, finance, and manufacturing.
In addition to Dryhook, attackers also leveraged the malware families Phasejam and Spawn in attacks against Ivanti Connect Secure customers. Spawn, a malware family previously reported by FireEye (prior to its acquisition by Mandiant) in connection with the China-based group UNC5337, has been used by UNC5337 to target victims in the technology, finance, and other sectors. Meanwhile, Phasejam — which shares similarities with Spawn — has been used by a second China-based group, UNC5221, to target the same victim environments as UNC5337.
Spawn and Phasejam have both been observed since early January and are likely still active in some compromised environments. The Ivanti Connect Secure series of attacks is the latest in a long line of attempts by China-based hackers to compromise VPNs. In April 2024, for example, a previously unreported zero-day vulnerability in Pulse Secure’s VPN servers — which Ivanti now owns — was exploited by a Chinese espionage group to target U.S. government organizations, as well as organizations in Europe and the Middle East.
Federal agencies in the U.S. had to scramble to apply patches to Pulse Secure devices to prevent compromise, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the hackers had likely backdoored thousands of Pulse Secure appliances.
Spawn was used by a group tracked as UNC5337 in the past, and now Mandiant believes that UNC5337 — or at least a group operating under the UNC5337 name — might be to blame for the Ivanti Connect Secure compromises. The Spawn malware was first observed in the wild in mid-December 2024, Mandiant says, after UNC5337 exploited the Ivanti Connect Secure vulnerabilities.