Chinese Hackers Undertaking A Global Infiltration Campaign 

A Chinese Advanced Persistent Threat (APT) Group has successfully exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organisations across 12 countries and 20 industries, according the Taiwan cyber security firm TeamT5.

The campaign, active since late March 2025, exploits the CVE-2025-0282 and CVE-2025-22457 vulnerabilities' stack-based buffer overflow flaws, which have maximum CVSS (Common Vulnerability Scoring System) scores of 9.0, to deploy the SPAWNCHIMERA malware suite and establish network access.

CVSS is a standard for assessing the severity of software vulnerabilities, assigning a numerical score from 0 to 10. This score helps organisations prioritise vulnerability remediation efforts by quantifying the potential impact of a vulnerability

The attacks targeted organisations in the UK, the US, Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan and the UAE, Targeted industries include government agencies, financial institutions, telecommunications, law firms, and intergovernmental organisations.

The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations. As geopolitical tensions escalate, the incident highlights the urgent need for proactive vulnerability management and cross-sector threat intelligence sharing.

The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data, while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.

The APT group has been identified as UNC5221 which, according to research by Mandiant, is connected to the  Chinese government, has successfully weaponised the Ivanti vulnerabilities to achieve unauthenticated Remote Code Execution (RCE). 

Once inside, attackers deployed SPAWNCHIMERA, a modular malware package designed specifically to exploit Ivanti appliances. The key malare components include:

  • SPAWNANT: A stealthy installer that bypasses integrity checks.
  • SPAWNMOLE: A SOCKS5 proxy for tunnelling traffic.
  • SPAWNSNAIL: An SSH backdoor for persistent access.
  • SPAWNSLOTH: A log-wiping tool to erase forensic evidence.

The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied. Security analysts at Rapid7 are reported to have confirmed the vulnerabilities’ weakness, reporting that CVE-2025-22457 initially appeared as a low-risk denial-of-service bug but was later weaponised for RCE.

Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions. Despite Ivanti’s patches released in February, thousands of devices remain unpatched due to sluggish enterprise remediation efforts.

Mandiant warns that the SPAWNCHIMERA toolkit’s sophistication, including UNIX socket communication and obfuscated payloads, reflects China's growing focus on cyber espionage against geopolitical rivals.

TeamT5 urges affected organisations to:   

  • Immediately apply Ivanti’s version 22.7R2.5 patches.
  • Conduct full network forensic analyses to identify dormant malware.
  • Reset VPN appliances and revoke credentials exposed during breaches.

As Chinese APTs increasingly target legacy systems, the US Cybersecurity & Infrastructure Security Agency (CISA) required US federal agencies to patch Ivanti vulnerabilities by January 15, 2025, a deadline many missed, exacerbating the crisis.

 With over 1,700 devices compromised globally and exploitation attempts surging, analysts warn that the operational consequences could continue for years.

In expert comment, Craig Watt,  Strategic Threat Intelligenec Consultant with Quorum Cyber said "Chinese state-sponsored threat groups are continuing to leverage vulnerability exploitation for initial access, with secondary operations involving lateral movement, maintaining persistence and quickly exfiltrating  data from victim environments. 

These types of operations will likely ramp up throughout the remainder of 2025 as Chinese actors create innovative attack chains to prepare for the next wave of long-term espionage targeting of Western assets to support its upcoming 15th 5-Year Plan starting at the beginning of 2026." Watt concludes

The campaign illustrates the risks of unpatched network edge devices, particularly VPN gateways,  and reinforces the  critical importance of proactive cyber security measures in mitigating risks posed by increasingly sophisticated nation-state level threat actors.

TeamT5  |   CISA  |   Google  |   Picus Secruity   |    Cybersecuity News  |   BobsGuide   |   CyberPress   |   

Varutra   |    Security Online  

Image: Ideogram

You Might Also Read: 

Geopolitics, Nation-State Hackers & Cyberwar:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Google's Online Advertising Technology Ruled Illegal
European Military & Government Data Networks Targeted »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

Verint Systems

Verint Systems

Verint is a leader in CX automation. The world’s most iconic brands rely on our open platform and team of AI-powered bots to create tangible AI business outcomes, now.

Aspisec

Aspisec

Aspisec is a cybersecurity company specialized in Firmware Security and Critical Infrastructure Protection.

EMnify

EMnify

EMnify is a Software-as-a-Service (SaaS) company, revolutionizing cellular Internet of Things (IoT).

CyberGuru

CyberGuru

CyberGuru is a service provided by CyberSecurity Malaysia specializing in cyber security professional training and development.

TROOPERS

TROOPERS

TROOPERS InfoSec event consists of two days of high-end training, followed by a two-day, three-track conference, culminating in Roundtables on the final day.

OurCrowd

OurCrowd

OurCrowd is a leading equity crowdfunding platform for investing in global startups.

CentricalCyber

CentricalCyber

CentricalCyber is a cyber risk consultancy and NIST CSF specialist set up to help business leaders better understand and manage cyber risk.

Infopercept Consulting

Infopercept Consulting

Infopercept is a leading cybersecurity company in India, providing a critical layer of security to protect business information, infrastructure & assets across the organization.

Orbus Software

Orbus Software

Orbus develops, markets and sells enterprise software which helps large, blue chip and government organisations across the globe to achieve digital transformation outcomes.

Ankura Consulting Group

Ankura Consulting Group

Ankura is a global expert services and advisory firm that delivers services and end-to-end solutions in a wide range of areas including cybersecurity and digital transformation.

Digital Silence

Digital Silence

Digital Silence is a world-class provider of information security research and consulting services.

OptimEyes.ai

OptimEyes.ai

OptimEyes.ai is a unique AI-powered, on-demand SaaS solution for cyber-security, data privacy and compliance risk modeling.

BCyber

BCyber

BCyber is a Swiss Cyber Security company that provides security products, training, and managed services to protect diverse IT and OT environments against cyber, physical, and cyber-physical threats.

AppSOC

AppSOC

AppSOC is a leader in Application Security Posture Management (ASPM) and Code-to-Cloud Vulnerability Management.

Rakuten Maritime

Rakuten Maritime

Rakuten Maritime is your trusted partner in maritime cybersecurity, offering comprehensive and proactive solutions tailored to every stage of a ship’s life cycle.