Security News > 2024 > January > Ivanti Connect Secure zero-days exploited to deploy custom malware
Hackers have been exploiting the two zero-day vulnerabilities in Ivanti Connect Secure disclosed this week since early December to deploy multiple families of custom malware for espionage purposes.
Zipline Passive Backdoor: custom malware that can intercept network traffic, supports upload/download operations, creating reverse shells, proxy servers, server tunneling.
Thinspool Dropper: custom shell script dropper that writes the Lightwire web shell onto Ivanti CS, securing persistence.
Wirefire web shell: custom Python-based web shell supporting unauthenticated arbitrary command execution and payload dropping.
Even without attribution, the use of custom malware that provides continued access indicates that "UNC5221 intended to maintain its presence on a subset of high priority targets" even after a patch became available.
Ivanti warns of Connect Secure zero-days exploited in attacks.
News URL
Related news
- Ivanti zero-day attacks infected devices with custom malware (source)
- Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282) (source)
- Ivanti warns of new Connect Secure flaw used in zero-day attacks (source)
- Ivanti Connect Secure zero-day exploited since mid-December (CVE-2025-0282) (source)
- Zero-day exploits plague Ivanti Connect Secure appliances for second year running (source)
- Zero-Day Vulnerability in Ivanti VPN (source)
- Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast (source)
- Nominet probes network intrusion linked to Ivanti zero-day exploit (source)
- UK domain registry Nominet confirms breach via Ivanti zero-day (source)
- UK domain registry Nominet breached via Ivanti zero-day (source)