Chinese cyberespionage operations have been targeting Ivanti Connect Secure VPN appliances impacted by the zero-day flaw, tracked as CVE-2025-0282, since the middle of December, according to The Record, a news site by cybersecurity firm Recorded Future.
Attacks exploiting the vulnerability — which the Cybersecurity and Infrastructure Security Agency ordered to be remediated by Jan. 15 — not only deployed the SPAWN malware previously launched by Chinese state-backed intrusions involving Ivanti Connect Secure bugs but also the novel PHASEJAM and DRYHOOK payloads, in an attempt to compromise databases holding credentials, API keys, VPN sessions, and certificates, a report from Mandiant researchers revealed.

"...[D]efenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access. Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances," said the report.

Such findings follow the attribution of the recent attack against the Treasury Department and its Office of Foreign Assets Control to Chinese Silk Typhoon hackers.