Chinese Hackers Undertaking A Global Infiltration Campaign 

A Chinese Advanced Persistent Threat (APT) group has successfully exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organisations across 12 countries and 20 industries, according to the Taiwanese cyber security firm TeamT5.

The campaign, active since late March 2025, exploits CVE-2025-0282 and CVE-2025-22457, both stack-based buffer overflows in Ivanti Connect Secure and both rated 9.0 (critical) under CVSS (Common Vulnerability Scoring System), to deploy the SPAWNCHIMERA malware suite and establish persistent network access.

CVSS is a standard for assessing the severity of software vulnerabilities, assigning a numerical score from 0 to 10. The score helps organisations prioritise remediation by quantifying the potential impact of a vulnerability, although, as the second of these two bugs shows, an initial score can understate what a skilled attacker will eventually make of a flaw.

The attacks targeted organisations in the UK, the US, Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan and the UAE. Targeted industries include government agencies, financial institutions, telecommunications, law firms and intergovernmental organisations.

The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations. As geopolitical tensions escalate, the incident highlights the urgent need for proactive vulnerability management and cross-sector threat intelligence sharing.

The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data, while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.

The APT group has been identified as UNC5221 which, according to research by Mandiant, is linked to the Chinese government. It has successfully weaponised the Ivanti vulnerabilities to achieve unauthenticated Remote Code Execution (RCE) on the appliances.

Once inside, the attackers deployed SPAWNCHIMERA, a modular malware package built specifically for Ivanti appliances. The key malware components include:

  • SPAWNANT: A stealthy installer that bypasses the appliance's integrity checks.
  • SPAWNMOLE: A SOCKS5 proxy for tunnelling attacker traffic through the appliance.
  • SPAWNSNAIL: An SSH backdoor for persistent access.
  • SPAWNSLOTH: A log-tampering tool that erases forensic evidence of the intrusion.

SPAWNCHIMERA can also patch the vulnerable Ivanti components in memory at runtime, closing the hole to rival attackers while its own implants stay resident; because a vendor patch does not remove those implants, the operators keep their access even after the appliance is patched. Security analysts at Rapid7 are reported to have confirmed how the flaws were misjudged: CVE-2025-22457 initially appeared to be a low-risk denial-of-service bug, because the overflow could only be filled with a very restricted set of characters, but it was later shown to be exploitable for RCE.

Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions. Despite Ivanti's patches, released in January for CVE-2025-0282 and in February for CVE-2025-22457, thousands of devices remain unpatched because of slow enterprise remediation.

Mandiant warns that the SPAWNCHIMERA toolkit’s sophistication, including UNIX socket communication and obfuscated payloads, reflects China's growing focus on cyber espionage against geopolitical rivals.

TeamT5 urges affected organisations to:   

  • Immediately apply Ivanti's patches: Connect Secure 22.7R2.5 fixes CVE-2025-0282 and 22.7R2.6 fixes CVE-2025-22457, so any appliance below 22.7R2.6 still lacks a fix.
  • Conduct full network forensic analyses to identify dormant malware, since patching alone does not remove implants already installed.
  • Factory-reset compromised VPN appliances and revoke and reissue any credentials, certificates and keys exposed during the breach.
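As an added illustration of the first of these steps (example code written for this page, not TeamT5's or Ivanti's), the following Python helper reads an appliance inventory and reports which Connect Secure builds still lack the fix for each CVE. The fixed versions are taken from Ivanti's advisories (22.7R2.5 for CVE-2025-0282, 22.7R2.6 for CVE-2025-22457); the hostnames and version strings in the inventory are constructed sample data, and the version-string format is the one Ivanti uses for Connect Secure (major.minor, an R release number, optional maintenance number).

```python
import re

# Ivanti Connect Secure version strings look like "22.7R2.5":
# major.minor, then "R" plus a release number, optionally followed by
# a maintenance number. Older end-of-support lines look like "9.1R18.9".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s):
    """Turn an Ivanti version string into a comparable tuple."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, maint = m.groups()
    # A missing maintenance number (e.g. "22.7R2") sorts below "22.7R2.1".
    return (int(major), int(minor), int(release), int(maint or 0))


# First build that contains the fix, per Ivanti's advisories.
FIXES = {
    "CVE-2025-0282": parse_version("22.7R2.5"),
    "CVE-2025-22457": parse_version("22.7R2.6"),
}


def exposures(version):
    """Return the CVEs whose fix is absent from this build.

    The check is deliberately "is the fix present", not "is this exact
    build listed as affected": an end-of-support 9.x appliance has no fix
    available at all and must still be treated as needing action.
    """
    v = parse_version(version)
    return [cve for cve, fixed in FIXES.items() if v < fixed]


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "vpn-gw-01.example.net": "22.7R2.6",
    "vpn-gw-02.example.net": "22.7R2.5",
    "vpn-gw-03.example.net": "22.7R2.3",
    "vpn-gw-legacy.example.net": "9.1R18.9",
}


def triage(inventory):
    """Map each host to the list of CVEs it is still missing a fix for."""
    return {host: exposures(ver) for host, ver in inventory.items()}


def report(inventory):
    """Human-readable summary; hosts needing action are listed first."""
    lines = []
    for host, missing in sorted(triage(inventory).items(),
                                key=lambda kv: -len(kv[1])):
        if missing:
            lines.append(f"ACTION  {host:28} {inventory[host]:10} "
                         f"missing fix for {', '.join(missing)}")
        else:
            lines.append(f"ok      {host:28} {inventory[host]:10} "
                         f"(still verify no implant was installed "
                         f"before patching)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

The final column of the report is the point a practitioner should not skip: a host that shows as fixed today may have been exploited while it was still on 22.7R2.3, and a later patch does not evict SPAWNANT or the SSH backdoor, which is why the second and third steps above still apply to every appliance that was ever exposed.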

As Chinese APTs increasingly target network edge and legacy systems, the US Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities catalogue and required US federal agencies to patch it by January 15, 2025, a deadline many missed, exacerbating the crisis.

With over 1,700 devices reported compromised globally and exploitation attempts still surging, analysts warn that the operational consequences could continue for years.

The campaign illustrates the risks of unpatched network edge devices, particularly VPN gateways, which sit outside most endpoint monitoring and hold credentials for the networks behind them, and reinforces the critical importance of proactive cyber security measures in mitigating the risks posed by increasingly sophisticated nation-state threat actors.

Sources: TeamT5 | CISA | Google | Picus Security | Cybersecurity News | BobsGuide | CyberPress | Varutra | Security Online

Image: Ideogram

