Chinese Hackers Undertaking A Global Infiltration Campaign 

Uploaded on 2025-05-07 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-China, FREE TO VIEW

A Chinese Advanced Persistent Threat (APT) Group has successfully exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organisations across 12 countries and 20 industries, according the Taiwan cyber security firm TeamT5.

The campaign, active since late March 2025, exploits the CVE-2025-0282 and CVE-2025-22457 vulnerabilities' stack-based buffer overflow flaws, which have maximum CVSS (Common Vulnerability Scoring System) scores of 9.0, to deploy the SPAWNCHIMERA malware suite and establish network access.

CVSS is a standard for assessing the severity of software vulnerabilities, assigning a numerical score from 0 to 10. This score helps organisations prioritise vulnerability remediation efforts by quantifying the potential impact of a vulnerability

The attacks targeted organisations in the UK, the US, Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan and the UAE, Targeted industries include government agencies, financial institutions, telecommunications, law firms, and intergovernmental organisations.

The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations. As geopolitical tensions escalate, the incident highlights the urgent need for proactive vulnerability management and cross-sector threat intelligence sharing.

The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data, while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.

The APT group has been identified as UNC5221 which, according to research by Mandiant, is connected to the  Chinese government, has successfully weaponised the Ivanti vulnerabilities to achieve unauthenticated Remote Code Execution (RCE). 

Once inside, attackers deployed SPAWNCHIMERA, a modular malware package designed specifically to exploit Ivanti appliances. The key malare components include:

  • SPAWNANT: A stealthy installer that bypasses integrity checks.
  • SPAWNMOLE: A SOCKS5 proxy for tunnelling traffic.
  • SPAWNSNAIL: An SSH backdoor for persistent access.
  • SPAWNSLOTH: A log-wiping tool to erase forensic evidence.

The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied. Security analysts at Rapid7 are reported to have confirmed the vulnerabilities’ weakness, reporting that CVE-2025-22457 initially appeared as a low-risk denial-of-service bug but was later weaponised for RCE.

Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions. Despite Ivanti’s patches released in February, thousands of devices remain unpatched due to sluggish enterprise remediation efforts.

Mandiant warns that the SPAWNCHIMERA toolkit’s sophistication, including UNIX socket communication and obfuscated payloads, reflects China's growing focus on cyber espionage against geopolitical rivals.

TeamT5 urges affected organisations to:   

  • Immediately apply Ivanti’s version 22.7R2.5 patches.
  • Conduct full network forensic analyses to identify dormant malware.
  • Reset VPN appliances and revoke credentials exposed during breaches.

As Chinese APTs increasingly target legacy systems, the US Cybersecurity & Infrastructure Security Agency (CISA) required US federal agencies to patch Ivanti vulnerabilities by January 15, 2025, a deadline many missed, exacerbating the crisis.

 With over 1,700 devices compromised globally and exploitation attempts surging, analysts warn that the operational consequences could continue for years.

In expert comment, Craig Watt,  Strategic Threat Intelligenec Consultant with Quorum Cyber said "Chinese state-sponsored threat groups are continuing to leverage vulnerability exploitation for initial access, with secondary operations involving lateral movement, maintaining persistence and quickly exfiltrating  data from victim environments. 

These types of operations will likely ramp up throughout the remainder of 2025 as Chinese actors create innovative attack chains to prepare for the next wave of long-term espionage targeting of Western assets to support its upcoming 15th 5-Year Plan starting at the beginning of 2026." Watt concludes

The campaign illustrates the risks of unpatched network edge devices, particularly VPN gateways,  and reinforces the  critical importance of proactive cyber security measures in mitigating risks posed by increasingly sophisticated nation-state level threat actors.

TeamT5  |   CISA  |   Google  |   Picus Secruity   |    Cybersecuity News  |   BobsGuide   |   CyberPress   |   

Varutra   |    Security Online  

Image: Ideogram

You Might Also Read: 

Geopolitics, Nation-State Hackers & Cyberwar:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Google's Online Advertising Technology Ruled Illegal
European Military & Government Data Networks Targeted »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Irish Reporting & Information Security Service (IRISS)

Irish Reporting & Information Security Service (IRISS)

IRISS-CERT is Ireland's first CSIRT (Computer Security Incident Response Team) to provide services to all users within Ireland.

MetricStream

MetricStream

MetricStream provide integrated GRC solutions across business, IT, and security functions.

Opscura

Opscura

Opscura (formerly Enigmedia) brings the reliable and cautious hands of operations together with the analytical minds of cyber experts and cryptography researchers.

ThreatHunter.ai

ThreatHunter.ai

ThreatHunter.ai (formerly Milton Security) is a business that tracks down and mitigates attacks in real time using our ARGOS Platform and our Elite Threat Hunters.

CyberDefcon

CyberDefcon

CyberDefcon is an independent organization dedicated to the pursuit of making the internet a safer place.

RKH Specialty

RKH Specialty

RKH Specialty, part of the Hyperion Insurance Group, is a provider of specialty insurance services including Cyber Risk cover.

Massive Alliance

Massive Alliance

Massive is a global service agency providing internet monitoring, data & security threat surveillance and reputation management.

SCADAfence

SCADAfence

SCADAfence offers cutting edge cybersecurity solutions designed to ensure the operational continuity of industrial (ICS/SCADA) networks.

QOMPLX

QOMPLX

QOMPLX integrate, contextualize, and analyze data from virtually any source to help you identify operational risk and inefficiencies throughout the enterprise.

Center for Education & Research in Information Assurance & Security (CERIAS)

Center for Education & Research in Information Assurance & Security (CERIAS)

CERIAS is one of the world’s leading centers for research and education in areas of information and cyber security.

CoursesOnline

CoursesOnline

CoursesOnline.co.uk is a database listing IT security courses from providers across the UK.

Gula Tech Adventures

Gula Tech Adventures

Gula Tech Adventures invests in companies and nonprofits that help close the gap in needed technology and workforce to defend the country in cyberspace.

Stratia Cyber

Stratia Cyber

Stratia Cyber is an independent, technology agnostic company providing high quality, pragmatic cyber security consultancy and expertise.

TokenEx

TokenEx

TokenEx Cloud Security Platform protects sensitive data to strengthen our clients' security postures while future-proofing their operations.

ITRM

ITRM

ITRM are one of the UK’s top managed service providers and offer a range of award-winning IT solutions, from ad-hoc consultancy to cyber security.

DOT Security

DOT Security

DOT Security provides advanced security services for businesses of all sizes.