2025-07-21

Threat actors have been leveraging a pair of zero-day vulnerabilities impacting Ivanti Connect Secure appliances, tracked as CVE-2025-0282 and CVE-2025-22457, to deploy the new MDifyLoader malware as part of attacks that have been underway since December, according to The Hacker News.
Aside from having the MDifyLoader malware deliver the Cobalt Strike beacon in memory via DLL side-loading, the intrusions also involved the VShell remote access tool and the Fscan open-source network scanning utility to facilitate internal network access, a report from Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) showed. Microsoft SQL, FTP, and SSH servers were then targeted with brute-force attacks, alongside use of the EternalBlue SMB exploit, for credential theft, lateral movement, and the subsequent creation of new domain accounts. "These accounts blend in with normal operations, enabling long-term access to the internal network. Additionally, the attackers registered their malware as a service or a task scheduler to maintain persistence, ensuring it would run at system startup or upon specific event triggers," said JPCERT/CC researcher Yuma Masubuchi.
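The persistence and account-creation pattern described by JPCERT/CC is something defenders can hunt for in Windows event logs. The following is an added example written for this summary, not code from JPCERT/CC or The Hacker News: it correlates new-service (7045) and scheduled-task (4698) events whose binary sits outside trusted directories with user-account creation (4720) on the same host within one hour. The event records are constructed samples with hypothetical hostnames, paths and account names.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not from the JPCERT/CC report), one JSON
# record per line, modelled on Windows log fields: 7045 = new service installed,
# 4698 = scheduled task created, 4720 = user account created.
SAMPLE_EVENTS = r"""
{"ts": "2025-01-10T02:14:05", "host": "srv01", "id": 7045, "svc": "UpdateSvc", "path": "C:\\Users\\Public\\upd.exe"}
{"ts": "2025-01-10T02:16:40", "host": "srv01", "id": 4720, "user": "svc_backup2"}
{"ts": "2025-01-10T02:20:11", "host": "srv01", "id": 4698, "task": "SysCheck", "path": "C:\\ProgramData\\sc.exe"}
{"ts": "2025-01-11T09:00:00", "host": "ws07", "id": 7045, "svc": "WinDefend", "path": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"}
""".strip()

# Binaries registered as services or tasks from outside these directories are worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PERSISTENCE_IDS = {7045: "service", 4698: "scheduled task"}
ACCOUNT_CREATED = 4720

def parse_events(text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events

def suspicious_persistence(events):
    """Return service/task registrations whose image path is outside trusted directories."""
    return [e for e in events
            if e["id"] in PERSISTENCE_IDS
            and not e["path"].lower().startswith(TRUSTED_DIRS)]

def correlate(events, window=timedelta(hours=1)):
    """Pair each suspicious persistence event with account creations on the same host
    inside `window`. Returns (host, kind, service_or_task_name, created_user) tuples."""
    findings = []
    creates = [e for e in events if e["id"] == ACCOUNT_CREATED]
    for p in suspicious_persistence(events):
        for c in creates:
            if c["host"] == p["host"] and abs(c["ts"] - p["ts"]) <= window:
                name = p.get("svc") or p.get("task")
                findings.append((p["host"], PERSISTENCE_IDS[p["id"]], name, c["user"]))
    return findings

if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print("host=%s: %s %r registered near creation of account %r" % f)
```

Real deployments would feed this from a SIEM export and tune `TRUSTED_DIRS` and the window to the environment.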
