Chinese Hackers Undertaking A Global Infiltration Campaign 

A Chinese Advanced Persistent Threat (APT) group has successfully exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organisations across 12 countries and 20 industries, according to the Taiwanese cyber security firm TeamT5.

The campaign, active since late March 2025, exploits CVE-2025-0282 and CVE-2025-22457, both stack-based buffer overflow flaws with CVSS (Common Vulnerability Scoring System) scores of up to 9.0, to deploy the SPAWNCHIMERA malware suite and establish network access.

CVSS is a standard for assessing the severity of software vulnerabilities, assigning a numerical score from 0 to 10. This score helps organisations prioritise vulnerability remediation efforts by quantifying the potential impact of a vulnerability.

The attacks targeted organisations in the UK, the US, Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan and the UAE. Targeted industries include government agencies, financial institutions, telecommunications, law firms, and intergovernmental organisations.

The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations. As geopolitical tensions escalate, the incident highlights the urgent need for proactive vulnerability management and cross-sector threat intelligence sharing.

The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data, while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.

The APT group has been identified as UNC5221, which, according to research by Mandiant, is connected to the Chinese government. The group has successfully weaponised the Ivanti vulnerabilities to achieve unauthenticated Remote Code Execution (RCE).

Once inside, attackers deployed SPAWNCHIMERA, a modular malware package designed specifically to exploit Ivanti appliances. The key malware components include:

  • SPAWNANT: A stealthy installer that bypasses integrity checks.
  • SPAWNMOLE: A SOCKS5 proxy for tunnelling traffic.
  • SPAWNSNAIL: An SSH backdoor for persistent access.
  • SPAWNSLOTH: A log-wiping tool to erase forensic evidence.

The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied. Security analysts at Rapid7 are reported to have confirmed the severity of the vulnerabilities, noting that CVE-2025-22457 initially appeared to be a low-risk denial-of-service bug but was later weaponised for RCE.

Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions. Despite Ivanti’s patches released in February, thousands of devices remain unpatched due to sluggish enterprise remediation efforts.

Mandiant warns that the SPAWNCHIMERA toolkit’s sophistication, including UNIX socket communication and obfuscated payloads, reflects China's growing focus on cyber espionage against geopolitical rivals.

TeamT5 urges affected organisations to:

  • Immediately apply Ivanti’s version 22.7R2.5 patches.
  • Conduct full network forensic analyses to identify dormant malware.
  • Reset VPN appliances and revoke credentials exposed during breaches.

As Chinese APTs increasingly target legacy systems, the US Cybersecurity & Infrastructure Security Agency (CISA) required US federal agencies to patch Ivanti vulnerabilities by January 15, 2025, a deadline many missed, exacerbating the crisis.

With over 1,700 devices compromised globally and exploitation attempts surging, analysts warn that the operational consequences could continue for years.

In expert comment, Craig Watt, Strategic Threat Intelligence Consultant with Quorum Cyber, said: "Chinese state-sponsored threat groups are continuing to leverage vulnerability exploitation for initial access, with secondary operations involving lateral movement, maintaining persistence and quickly exfiltrating data from victim environments.

These types of operations will likely ramp up throughout the remainder of 2025 as Chinese actors create innovative attack chains to prepare for the next wave of long-term espionage targeting of Western assets to support its upcoming 15th 5-Year Plan starting at the beginning of 2026," Watt concludes.

The campaign illustrates the risks of unpatched network edge devices, particularly VPN gateways, and reinforces the critical importance of proactive cyber security measures in mitigating risks posed by increasingly sophisticated nation-state level threat actors.

Sources: TeamT5 | CISA | Google | Picus Security | Cybersecurity News | BobsGuide | CyberPress | Varutra | Security Online

Image: Ideogram
