Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks

Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.

According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory.

CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in April 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

While both vulnerabilities have been weaponized in the wild as zero-days, previous findings from JPCERT/CC in April have revealed that the first of the two issues had been abused to deliver malware families like SPAWNCHIMERA and DslogdRAT.

The latest analysis of the attacks involving ICS vulnerabilities has unearthed the use of DLL side-loading techniques to launch MDifyLoader that includes an encoded Cobalt Strike beacon payload. The beacon has been identified as version 4.5, which was released in December 2021.

“MDifyLoader is a loader created based on the open-source project libPeConv,” JPCERT/CC researcher Yuma Masubuchi said. “MDifyLoader then loads an encrypted data file, decodes Cobalt Strike Beacon, and runs it on memory.”

Also put to use is a Go-based remote access tool named VShell and another open-source network scanning utility written in Go called Fscan. It’s worth noting that both programs have been adopted by various Chinese hacking groups in recent months.

The execution flow of Fscan

Fscan has been found to be executed by means of a loader, which, in turn, is launched using DLL side-loading. The rogue DLL loader is based on the open-source tool FilelessRemotePE.

“The used VShell has a function to check whether the system language is set to Chinese,” JPCERT/CC said. “The attackers repeatedly failed to execute VShell, and it was confirmed that each time they had installed a new version and attempted execution again. This behavior suggests that the language-checking function, likely intended for internal testing, was left enabled during deployment.”

Upon gaining a foothold into the internal network, the attackers are said to have carried out brute-force attacks against FTP, MS-SQL, and SSH servers and leveraged the EternalBlue SMB exploit (MS17-010) in an attempt to extract credentials and laterally move across the network.

“The attackers created new domain accounts and added them to existing groups, allowing them to retain access even if previously acquired credentials were revoked,” Masubuchi said.

“These accounts blend in with normal operations, enabling long-term access to the internal network. Additionally, the attackers registered their malware as a service or a task scheduler to maintain persistence, ensuring it would run at system startup or upon specific event triggers.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.