New Malware MDifyLoader Targets Ivanti Connect Secure Vulnerabilities
Cybersecurity experts have recently identified a new form of malware known as MDifyLoader, which has been linked to cyberattacks exploiting vulnerabilities in Ivanti Connect Secure (ICS) devices. This revelation was shared in a report from JPCERT/CC, detailing how these security flaws have been weaponized in various attacks between December 2024 and July 2025.
Understanding the Vulnerabilities
The vulnerabilities in question, CVE-2025-0282 and CVE-2025-22457, both allow unauthenticated remote code execution on the appliance. CVE-2025-0282 is a critical flaw that Ivanti patched in January 2025; CVE-2025-22457, a stack-based buffer overflow, was fixed in April 2025. Both were exploited as zero-days by threat actors before the patches were available, a serious security gap that required urgent remediation.
How MDifyLoader Operates
According to the JPCERT/CC analysis, MDifyLoader appeared in attacks that exploited these vulnerabilities. After a successful exploit, MDifyLoader is dropped onto the system and used to run Cobalt Strike for follow-on operations. The Cobalt Strike payload was identified as version 4.5, and it gave the attackers a foothold from which to carry out further post-exploitation activity in the target environment.
As JPCERT/CC researcher Yuma Masubuchi noted, "MDifyLoader is built on the libPeConv open-source project." Once on the host, it loads an encrypted data file, decodes the Cobalt Strike Beacon it contains, and executes the Beacon in memory, so the decoded payload is never written to disk, which helps the malware stay hidden on compromised machines.
Techniques Employed by Cybercriminals
The analysis also found that MDifyLoader is launched through DLL side-loading, in which a legitimate executable is made to load the malicious DLL, so the malware runs under the cover of a trusted process and evades detection. Alongside MDifyLoader, the attackers used VShell, a Go-based remote access tool, and Fscan, a network scanning utility, both of which have recently gained traction among China-based threat groups.
VShell’s Language Check
One notable detail concerns VShell. The sample contains a function that checks whether the system language is set to Chinese. The attackers repeatedly failed to get VShell running and installed newer versions in an attempt to get past this language check. This suggests that the check, presumably intended for internal deployment testing, was never disabled before the tool was released.
Lateral Movement and Credential Harvesting
Once the attackers had a foothold in the internal network, they ran brute-force attacks against FTP, MS-SQL, and SSH servers. They also exploited the EternalBlue SMB vulnerability (MS17-010) to harvest credentials and move laterally through the network.
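Brute-force activity against SSH is noisy in authentication logs, which makes it one of the easier stages of this intrusion chain to detect. The following Python script is an added example, not code from the JPCERT/CC report or from any of the tools it describes: it parses constructed sshd log lines in syslog format, flags a source address once it accumulates a threshold of failed password attempts inside a sliding time window, and then flags any successful login from that same source, which is the event a responder actually wants paged on. The sample log lines, host name, and addresses are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (sample data, not from the report).
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 fileserver sshd[2210]: Failed password for invalid user admin from 10.20.30.40 port 51002 ssh2
Jan 14 03:12:03 fileserver sshd[2211]: Failed password for invalid user test from 10.20.30.40 port 51003 ssh2
Jan 14 03:12:04 fileserver sshd[2212]: Failed password for root from 10.20.30.40 port 51004 ssh2
Jan 14 03:12:06 fileserver sshd[2213]: Failed password for root from 10.20.30.40 port 51005 ssh2
Jan 14 03:12:07 fileserver sshd[2214]: Failed password for backup from 10.20.30.40 port 51006 ssh2
Jan 14 03:12:09 fileserver sshd[2215]: Accepted password for backup from 10.20.30.40 port 51007 ssh2
Jan 14 03:15:30 fileserver sshd[2300]: Failed password for alice from 10.20.31.7 port 40021 ssh2
Jan 14 03:15:41 fileserver sshd[2301]: Accepted password for alice from 10.20.31.7 port 40022 ssh2
"""

# Matches the two sshd password-auth outcomes; "invalid user" appears when the
# account does not exist, which is typical of a wordlist-driven spray.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2025):
    """Parse one sshd line into a dict, or return None for lines we ignore.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Flag a source IP once it accumulates `threshold` failures inside a sliding
    window, and flag any later successful login from that same source."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures
    flagged = {}                  # ip -> set of usernames tried before flagging
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            # Drop failures that have fallen out of the window.
            while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                users = {u for _, u in q}
                flagged[ip] = users
                findings.append({
                    "type": "bruteforce",
                    "source": ip,
                    "failures": len(q),
                    "distinct_users": len(users),
                    "last_seen": ev["ts"].isoformat(),
                })
        elif ip in flagged:
            # A success after a burst of failures is the event worth paging on.
            findings.append({
                "type": "success_after_bruteforce",
                "source": ip,
                "user": ev["user"],
                "time": ev["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(finding)
```

On the constructed sample, the script flags 10.20.30.40 after its fifth failure within a few seconds (four distinct usernames tried) and then raises a second finding when that same address logs in successfully as "backup"; the single failure from 10.20.31.7 followed by a normal login is not reported. The same sliding-window logic applies to FTP and MS-SQL login-failure logs once the regular expression is adapted to their formats.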
Masubuchi further explained that the attackers created new domain accounts and added them to existing groups so they blended in. This gave them access that survived even if the credentials they had stolen earlier were revoked, supporting long-term presence in the network. To keep the malware in place unnoticed, they registered it as a Windows service or a scheduled task so that it ran automatically at system startup or on a trigger event.
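Both persistence tactics described above leave records in the Windows event logs: account creation and group membership changes in the Security log (event IDs 4720, 4728 and 4732), scheduled task creation (4698), and service installation in the System log (7045). The Python script below is an added example, not from the report or the tools it describes; it runs two hunts over constructed, simplified event records: it lists services and scheduled tasks whose binary sits outside the directories software is normally installed to, and it pairs account creations with group additions that follow within a short window, which is how a freshly created account that is immediately placed into a privileged group stands out from routine onboarding. The event fields, account names, group names, and paths are all constructed; the flattened dictionary layout stands in for the XML an actual log export would contain.

```python
from datetime import datetime, timedelta

# Directories from which a legitimately installed service or task would normally run.
# Anything else (ProgramData, Users, Temp, ...) deserves a second look.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed, simplified Windows event records (sample data, not from the report).
# Security log: 4720 account created, 4728/4732 member added to a global/local group,
# 4698 scheduled task created. System log: 7045 service installed.
SAMPLE_EVENTS = [
    {"time": "2025-03-02T01:10:00", "id": 4720, "target": "svc_backup2", "actor": "CONTOSO\\adm1"},
    {"time": "2025-03-02T01:11:30", "id": 4728, "member": "svc_backup2", "group": "Domain Admins", "actor": "CONTOSO\\adm1"},
    {"time": "2025-03-02T01:20:05", "id": 7045, "service": "WinUpdSvc", "image": "\"C:\\ProgramData\\updater\\svchost.exe\""},
    {"time": "2025-03-02T01:25:00", "id": 4698, "task": "\\Microsoft\\Windows\\Maintenance\\Sync", "command": "C:\\Users\\Public\\sync.exe"},
    {"time": "2025-03-02T09:00:00", "id": 7045, "service": "VendorAgent", "image": "C:\\Program Files\\Vendor\\agent.exe"},
    {"time": "2025-03-03T10:00:00", "id": 4720, "target": "jdoe", "actor": "CONTOSO\\hr_admin"},
    {"time": "2025-03-05T10:00:00", "id": 4732, "member": "jdoe", "group": "Remote Desktop Users", "actor": "CONTOSO\\helpdesk"},
]


def _under_trusted_root(path):
    """Normalise quoting and case, then test the path against TRUSTED_ROOTS."""
    p = path.strip().strip('"').lower()
    return p.startswith(TRUSTED_ROOTS)


def untrusted_persistence(events):
    """Services (7045) and scheduled tasks (4698) whose binary lives outside the trusted roots."""
    hits = []
    for e in events:
        if e["id"] == 7045 and not _under_trusted_root(e["image"]):
            hits.append({"kind": "service", "name": e["service"], "path": e["image"], "time": e["time"]})
        elif e["id"] == 4698 and not _under_trusted_root(e["command"]):
            hits.append({"kind": "task", "name": e["task"], "path": e["command"], "time": e["time"]})
    return hits


def fast_tracked_accounts(events, window=timedelta(hours=1)):
    """Accounts that were created and then added to a group within `window`.
    Legitimate onboarding usually takes longer and involves different operators."""
    created = {}   # lowercase account name -> (creation time, creating actor)
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"].lower()] = (t, e["actor"])
        elif e["id"] in (4728, 4732):
            rec = created.get(e["member"].lower())
            if rec is not None and t - rec[0] <= window:
                hits.append({
                    "account": e["member"],
                    "group": e["group"],
                    "created_by": rec[1],
                    "added_by": e["actor"],
                    "delay_seconds": int((t - rec[0]).total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in untrusted_persistence(SAMPLE_EVENTS):
        print("persistence:", hit)
    for hit in fast_tracked_accounts(SAMPLE_EVENTS):
        print("account:", hit)
```

On the sample data the first hunt reports the "WinUpdSvc" service running from ProgramData and the "Sync" task pointing into Users\Public, while the vendor agent under Program Files passes; the second hunt reports svc_backup2, created and placed in Domain Admins by the same actor 90 seconds later, and ignores jdoe, whose group change came two days after creation from a different operator. In a real deployment the trusted-root list and the window should be tuned to the environment, and the hunt should run over the exported Security and System logs of every domain controller and server rather than a single host.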
A Heightened Cybersecurity Threat
The situation surrounding MDifyLoader and its associated vulnerabilities serves as a stark reminder of the evolving cybersecurity landscape. Organizations utilizing Ivanti Connect Secure appliances must prioritize security updates and implement robust monitoring strategies to mitigate the risks posed by such advanced threats. As the sophistication of cyberattacks continues to rise, proactive measures are essential for safeguarding sensitive data and maintaining network integrity.