Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks

The Hacker News by The Hacker News
July 18, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jul 18, 2025Ravie LakshmananMalware / Vulnerability

Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.

According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory.

CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in April 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code.

Cybersecurity

While both vulnerabilities have been weaponized in the wild as zero-days, previous findings from JPCERT/CC in April have revealed that the first of the two issues had been abused to deliver malware families like SPAWNCHIMERA and DslogdRAT.

The latest analysis of the attacks involving ICS vulnerabilities has unearthed the use of DLL side-loading techniques to launch MDifyLoader that includes an encoded Cobalt Strike beacon payload. The beacon has been identified as version 4.5, which was released in December 2021.

“MDifyLoader is a loader created based on the open-source project libPeConv,” JPCERT/CC researcher Yuma Masubuchi said. “MDifyLoader then loads an encrypted data file, decodes Cobalt Strike Beacon, and runs it on memory.”

Also put to use is a Go-based remote access tool named VShell and another open-source network scanning utility written in Go called Fscan. It’s worth noting that both programs have been adopted by various Chinese hacking groups in recent months.

The execution flow of Fscan

Fscan has been found to be executed by means of a loader, which, in turn, is launched using DLL side-loading. The rogue DLL loader is based on the open-source tool FilelessRemotePE.

“The used VShell has a function to check whether the system language is set to Chinese,” JPCERT/CC said. “The attackers repeatedly failed to execute VShell, and it was confirmed that each time they had installed a new version and attempted execution again. This behavior suggests that the language-checking function, likely intended for internal testing, was left enabled during deployment.”

Cybersecurity

Upon gaining a foothold into the internal network, the attackers are said to have carried out brute-force attacks against FTP, MS-SQL, and SSH servers and leveraged the EternalBlue SMB exploit (MS17-010) in an attempt to extract credentials and laterally move across the network.

“The attackers created new domain accounts and added them to existing groups, allowing them to retain access even if previously acquired credentials were revoked,” Masubuchi said.

“These accounts blend in with normal operations, enabling long-term access to the internal network. Additionally, the attackers registered their malware as a service or a task scheduler to maintain persistence, ensuring it would run at system startup or upon specific event triggers.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
“Deeply human, empathetic service backed by elite technical performance”: One Step GPS Wins 2025 Grand Stevie® Award

"Deeply human, empathetic service backed by elite technical performance": One Step GPS Wins 2025 Grand Stevie® Award

Recommended.

Coveo Announces Date of Fiscal First Quarter 2026 Conference Call

Coveo Announces Date of Fiscal First Quarter 2026 Conference Call

July 10, 2025
I Opted Out of AI Training. Does This Reduce My Future Influence?

I Opted Out of AI Training. Does This Reduce My Future Influence?

March 27, 2025

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio