Chinese Hackers Target Global Organizations via Ivanti VPN Vulnerabilities

Since the spring of 2025, hacker groups linked to China have launched cyberattacks on organizations across 12 countries and more than 20 industries worldwide. These attacks were carried out by exploiting critical vulnerabilities in Ivanti Connect Secure VPN appliances.

Cybersecurity experts have identified two major vulnerabilities — CVE-2025-0282 and CVE-2025-22457 — which allow attackers to gain unauthorized access to systems and execute arbitrary code. Using these flaws, the hackers deployed a sophisticated malware toolkit called SPAWNCHIMERA into targeted networks.

This malicious toolkit includes the following components:

  • SPAWNANT — a stealthy installer that bypasses integrity checks.
  • SPAWNMOLE — a SOCKS5 proxy that secretly redirects network traffic.
  • SPAWNSNAIL — an SSH backdoor for persistent, unauthorized access.
  • SPAWNSLOTH — a log-wiping tool that erases forensic traces.

The attacks affected organizations in the United States, United Kingdom, UAE, Japan, South Korea, France, Spain, Austria, the Netherlands, Singapore, Taiwan, and Australia. Targeted sectors include government agencies, financial institutions, telecommunications companies, law firms, and international organizations.

These intrusions enabled attackers to maintain long-term, stealthy access to victim networks and exfiltrate sensitive information. A particularly alarming feature of the malware is its ability to remain functional even after official security patches are applied, which significantly increases the threat level.

Despite the availability of patches, some organizations have still not applied them, leaving their systems vulnerable to exploitation. The U.S. government had even mandated all federal agencies to apply the patches by January 15, 2025 — a deadline many failed to meet.

A single vulnerability, especially in a network edge device such as a VPN appliance, can jeopardize an organization's entire infrastructure. As Chinese APT groups become more professional and increasingly use cyber espionage as a geopolitical tool, it is crucial that we:

  • Apply updates and patches promptly;
  • Fully reset and reconfigure VPN appliances;
  • Conduct in-depth analysis of network activity;
  • Immediately investigate suspicious logins and system logs.
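As an added illustration of the last recommendation (this code is not part of the original report and is not tied to any real appliance), a small Python check over constructed log lines flags two artefacts that a log-wiping component such as SPAWNSLOTH tends to leave behind: unexplained silent periods and timestamps that run backwards. The timestamp format, the sample lines and the one-hour threshold are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real appliance output). A device that logs
# continuously should not go silent for more than six hours mid-day.
SAMPLE_LOG = """\
2025-04-01T08:00:05Z auth: user alice login ok from 203.0.113.10
2025-04-01T08:00:41Z auth: user bob login ok from 198.51.100.7
2025-04-01T08:01:12Z system: config backup completed
2025-04-01T14:37:50Z auth: user alice logout
2025-04-01T14:38:02Z system: scheduled task ran
"""

# Assumed line shape: ISO-8601 UTC timestamp followed by the message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")


def parse_timestamps(text):
    """Return the timestamp of every well-formed line, in file order."""
    stamps = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            stamps.append(datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S"))
    return stamps


def find_log_anomalies(text, max_gap=timedelta(hours=1)):
    """Flag silent stretches longer than max_gap and timestamps that go
    backwards. A gap suggests deleted entries; out-of-order stamps suggest
    a file that was rewritten rather than appended to. Returns a list of
    (kind, previous_timestamp, current_timestamp) tuples."""
    findings = []
    stamps = parse_timestamps(text)
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta < timedelta(0):
            findings.append(("out_of_order", prev, cur))
        elif delta > max_gap:
            findings.append(("gap", prev, cur))
    return findings


if __name__ == "__main__":
    for kind, prev, cur in find_log_anomalies(SAMPLE_LOG):
        print(f"{kind}: {prev.isoformat()} -> {cur.isoformat()}")
```

A hit is a lead for investigation, not proof of tampering; correlate it with the appliance's own logging configuration and any maintenance windows before drawing conclusions.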

Failing to install security updates today could result in millions in damages and serious national security threats tomorrow.