Ivanti EPMM flaws leveraged in global Chinese cyberespionage attacks
Chinese state-backed threat operation UNC5221 has launched attacks exploiting the recently addressed Ivanti Endpoint Manager Mobile flaws, tracked as CVE-2025-4427 and CVE-2025-4428, against telecommunications, healthcare, government, defense, finance, and aviation organizations in North America, Europe, and the Asia-Pacific since May 15, The Hacker News reports.
Initial targeting of vulnerable Ivanti EPMM instances' "/mifs/rs/api/v2/" endpoint for remote code execution was followed by delivery of the KrustyLoader malware, which in turn deployed Sliver and other payloads, an analysis from EclecticIQ revealed. UNC5221 then used hard-coded MySQL database credentials to access the mifs database and steal sensitive information useful for further compromise, according to the researchers, who also observed a command-and-control server linked to the Auto-Color backdoor being used in the intrusions, strengthening the association with China-nexus activity. The findings follow a GreyNoise report that scanning for Ivanti Connect Secure and Pulse Secure surged in the days before the EPMM vulnerabilities were disclosed.
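For defenders triaging web server logs from an EPMM appliance, the one concrete indicator the report gives is the "/mifs/rs/api/v2/" path. The script below is an added example, not part of the EclecticIQ analysis or any Ivanti tooling: it parses combined-format access log lines (the sample lines, IPs and sub-paths are constructed for illustration) and lists requests to that prefix from sources not on an administrator allowlist, then ranks the remaining sources by request count.

```python
import re
from collections import Counter

# Path prefix named in the EclecticIQ analysis as the initial target on vulnerable EPMM instances.
EPMM_API_PREFIX = "/mifs/rs/api/v2/"

# Combined log format: client IP, identity, user, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (addresses from documentation ranges, sub-paths are placeholders).
SAMPLE_LOG = [
    '198.51.100.23 - - [16/May/2025:03:12:07 +0000] "GET /mifs/rs/api/v2/sample-resource HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/May/2025:03:12:09 +0000] "POST /mifs/rs/api/v2/sample-resource?x=1 HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '10.0.0.5 - admin [16/May/2025:08:00:01 +0000] "GET /mifs/rs/api/v2/sample-resource HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [16/May/2025:03:12:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '198.51.100.23 - - [16/May/2025:03:12:12 +0000] "GET /mifs/rs/api/v2/other-resource HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    "this line is not a valid log record",
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_epmm_api_hits(lines, allowlist=frozenset()):
    """Return parsed requests whose path starts with the EPMM API prefix.

    Sources in `allowlist` (e.g. known management hosts) are skipped so that
    routine administrative traffic does not drown out unexpected callers.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(EPMM_API_PREFIX):
            continue
        if rec["ip"] in allowlist:
            continue
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP, most active source first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    flagged = find_epmm_api_hits(SAMPLE_LOG, allowlist=frozenset({"10.0.0.5"}))
    for ip, count in summarize_by_source(flagged):
        print(f"{ip}\t{count} request(s) to {EPMM_API_PREFIX}")
    for h in flagged:
        print(f"  {h['ts']} {h['method']} {h['path']} -> {h['status']} ua={h['ua']!r}")
```

A hit on the prefix is a lead, not proof of exploitation: legitimate MDM integrations call the same API, so the allowlist should reflect known clients, and any unexplained source should be checked against the appliance's patch level for CVE-2025-4427 and CVE-2025-4428 and against outbound connections that could indicate a follow-on payload.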