Pierluigi Paganini April 25, 2025

Researchers identified a new malware, named DslogdRAT, deployed after exploiting a now-patched flaw in Ivanti Connect Secure (ICS).

JPCERT/CC researchers reported that a new malware, dubbed DslogdRAT, and a web shell were deployed by exploiting a zero-day vulnerability during attacks on Japanese organizations in December 2024.

The vulnerability, tracked as CVE-2025-0282 (CVSS score: 9.0), is a stack-based buffer overflow that impacts Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3.

An unauthenticated attacker can exploit the flaw to achieve remote code execution. A local authenticated attacker can trigger the vulnerability to escalate privileges.  

In January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw CVE-2025-0282 (CVSS score: 9.0) to its Known Exploited Vulnerabilities (KEV) catalog.

In March 2025, Microsoft warned that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally. The APT group exploited the zero-day in January 2025 attacks.

JPCERT/CC now states that attackers used a Perl-based CGI web shell that checked for a specific DSAUTOKEN cookie value and, if matched, executed arbitrary commands via the system function—likely used to run DslogdRAT malware.

“This Perl script is executed as a CGI and retrieves the Cookie header from incoming HTTP requests. If the value of DSAUTOKEN= matches af95380019083db5, the script uses the system function to execute an arbitrary command specified in the request parameter data.”reads the report published by JPCERT/CC. “It is considered that attackers accessed this simple web shell to execute commands to run malware such as DslogdRAT, which is discussed in the next section.”

DslogdRAT spawns two child processes: one stays idle in a loop, while the second handles core functions like C2 communication and command execution via the pthread library.

“Upon execution, the main process of DslogdRAT creates a first child process and then terminates itself. The child process then decodes the configuration data and creates a second child process.” continues the report. “The first child process enters a loop routine including sleep intervals, and thus it never gets terminated. The second child process contains DslogdRAT core functionality, which includes the following:

• Create a worker thread and pass socket information for communication”
• Initiate communication with the C2 server based on configuration data

DslogdRAT’s configuration is XOR-encoded and hardcoded, the researchers noticed that it is set to operate only from 8 AM to 8 PM to blend in with normal business activity and evade detection.

DslogdRAT uses socket connections with simple XOR encoding for C2 communication. In its initial exchange, it sends basic host info. The malware supports proxy functionality, file upload and download capabilities and execution of shell commands.

Japanese experts also observed another malware, tracked as SPAWNSNARE, in the same compromised system. The same malware was previously reported by CISA and Google in April 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)