# JPCERT Warns of DslogdRAT Malware Deployed in Ivanti Connect Secure
In a recent warning, the Japan Public Security Research Institute (JPCERT/CC) has identified a new malware, dubbed DslogdRAT, that was deployed by exploiting a zero-day vulnerability in Ivanti Connect Secure (ICS). The vulnerability, tracked as CVE-2025-0282 (CVSS score: 9.0), is a stack-based buffer overflow that impacts Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3.
An unauthenticated attacker can exploit the flaw to achieve remote code execution, while a local authenticated attacker can trigger the vulnerability to escalate privileges. This underlines the critical nature of the vulnerability, which attackers had already exploited in the wild in December 2024.
## The Exploit and Malware
In January 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft also warned that the China-backed APT Silk Typhoon was linked to a US Treasury hack and had begun targeting global IT supply chains, using IT firms to spy on victims and move laterally.
The attackers used a Perl-based CGI web shell that checked for a specific value in the DSAUTOKEN cookie. If the value matched, the script executed arbitrary commands via Perl's system function, most likely the mechanism used to launch the DslogdRAT malware.
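Defenders hunting for this kind of web shell on an appliance or a forensic image can look for the two indicators the report describes together: a script that reads the DSAUTOKEN cookie and a call to system(). The following triage scanner is an added example written for this article, not code from JPCERT's report; the file contents it scans are constructed stand-ins (with the shell logic elided), and the file paths and the indicator patterns are assumptions, not indicators published for the actual sample.

```python
# Added example: flag Perl CGI scripts that both reference the DSAUTOKEN cookie
# and call system()/exec(). Neither indicator alone is suspicious: cookie checks
# are normal in CGI code and admin scripts legitimately call system(). Paths,
# sample contents and patterns below are constructed for illustration.
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

COOKIE_PATTERN = re.compile(r"DSAUTOKEN")
EXEC_PATTERN = re.compile(r"\b(?:system|exec)\s*\(")

@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

def scan_perl_source(path: str, source: str) -> Optional[Finding]:
    """Return a Finding when BOTH web shell indicators occur in one script."""
    reasons = []
    if COOKIE_PATTERN.search(source):
        reasons.append("references DSAUTOKEN cookie")
    if EXEC_PATTERN.search(source):
        reasons.append("calls system()/exec()")
    return Finding(path, reasons) if len(reasons) == 2 else None

def scan_sources(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: source} mapping (used for the constructed samples)."""
    findings = (scan_perl_source(p, s) for p, s in files.items())
    return [f for f in findings if f is not None]

def scan_directory(root: str) -> List[Finding]:
    """Scan real CGI scripts under a directory, e.g. a mounted forensic image."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.suffix in (".cgi", ".pl") and p.is_file():
            files[str(p)] = p.read_text(errors="replace")
    return scan_sources(files)

# Constructed samples: a benign cookie reader, a benign admin script that runs
# a fixed command, and a skeleton with both indicators (shell logic elided).
SAMPLES = {
    "/cgi-bin/session.cgi": "#!/usr/bin/perl\nmy $c = $ENV{HTTP_COOKIE};\n"
                            "print \"Content-type: text/html\\n\\n$c\";\n",
    "/cgi-bin/diskstat.cgi": "#!/usr/bin/perl\nsystem(\"df -h\");\n",
    "/cgi-bin/suspicious.cgi": "#!/usr/bin/perl\n# ... DSAUTOKEN cookie check ...\n"
                               "# ... system($input) ...\n",
}

if __name__ == "__main__":
    for finding in scan_sources(SAMPLES):
        print(finding.path, "->", "; ".join(finding.reasons))
```

Running it against the constructed samples reports only /cgi-bin/suspicious.cgi; on a real system, point scan_directory at the web root of the mounted image and review every hit manually, since the regexes are deliberately broad.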
## DslogdRAT Malware Details
DslogdRAT's main process creates a first child process and then terminates itself. That first child decodes the configuration data and spawns a second child process, which handles the core functions such as C2 communication and command execution using the pthread library. The first child then enters a loop routine with sleep intervals, so it is never terminated; this is what allows the malware to remain operational for extended periods.
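That process layout leaves a characteristic footprint on a live system: a process whose parent has exited (so it has been re-parented to PID 1) that itself owns a multi-threaded child. The triage helper below is an added example for this article, not part of JPCERT's analysis; it parses a constructed ps snapshot (the process names in it are placeholders, since the report does not give the malware's process name), and the allowlist of known daemons is an assumption to be tuned per appliance.

```python
# Added example: flag the "orphaned parent with a multi-threaded child" pattern
# in ps output. In ps STAT codes, 'l' marks a multi-threaded process (pthreads),
# which matches the second child described above. The snapshot is constructed;
# process names are placeholders and the allowlist is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Proc:
    pid: int
    ppid: int
    stat: str
    comm: str

def parse_ps(snapshot: str) -> Dict[int, Proc]:
    """Parse the output of 'ps -eo pid,ppid,stat,comm' into a pid -> Proc map."""
    procs = {}
    for line in snapshot.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, stat, comm = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), stat, comm.strip())
    return procs

# Assumption: daemons that legitimately run re-parented to PID 1 on this box.
KNOWN_DAEMONS = {"sshd", "cron", "rsyslogd"}

def flag_orphan_daemons(procs: Dict[int, Proc]) -> List[Tuple[int, int]]:
    """Return (parent_pid, child_pid) pairs matching the suspicious layout."""
    children: Dict[int, List[Proc]] = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p)
    hits = []
    for parent in procs.values():
        if parent.ppid != 1 or parent.comm in KNOWN_DAEMONS:
            continue
        for child in children.get(parent.pid, []):
            if "l" in child.stat:  # multi-threaded child under an orphaned parent
                hits.append((parent.pid, child.pid))
    return hits

# Constructed snapshot: sshd is a normal daemon with a single-threaded session
# child; 'placeholder-a' mimics the layout described in the article.
PS_SNAPSHOT = """\
  PID  PPID STAT COMMAND
    1     0 Ss   init
  812     1 Ss   sshd
  940     1 S    placeholder-a
  941   940 Sl   placeholder-a
 1203   812 S    sshd
"""

if __name__ == "__main__":
    for parent_pid, child_pid in flag_orphan_daemons(parse_ps(PS_SNAPSHOT)):
        print(f"review parent {parent_pid} and child {child_pid}")
```

The heuristic is intentionally narrow so that it produces a short list to review by hand; confirm any hit by checking the binary path and open sockets of both processes rather than acting on the pattern alone.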
## Key Features of DslogdRAT
DslogdRAT's configuration is hardcoded and XOR-encoded. Its operating hours are restricted to 8 AM to 8 PM so that its activity blends in with normal business traffic and evades detection. For C2 communication the malware uses plain socket connections with simple XOR encoding.
In its initial exchange, it sends basic host information. DslogdRAT supports proxy functionality, file upload and download, and execution of shell commands.
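Because both the configuration and the C2 traffic use simple XOR encoding, an analyst can usually recover the key from an extracted blob and then read the configuration and any captured traffic. The following is an added example for this article, not code from JPCERT's report or the DslogdRAT sample: it assumes a single-byte key (the report does not state the key length) and a plaintext configuration that is mostly printable and contains a host:port field. The configuration blob and key are constructed for the demonstration, and the 8-to-20 active window is taken from the article.

```python
# Added example: recover a single-byte XOR key from a hardcoded config blob,
# decode the config, and evaluate the malware's 8 AM to 8 PM activity window.
# The key, the config contents and the field names are constructed here; the
# single-byte-key assumption does not come from the report.
import re
from datetime import time
from typing import Dict, Tuple

HOST_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}\b")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def printable_fraction(buf: bytes) -> float:
    ok = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(buf)

def recover_xor_key(blob: bytes) -> int:
    """Try all 256 keys; prefer output containing host:port, then most printable."""
    def score(key: int) -> Tuple[bool, float]:
        out = xor_bytes(blob, key)
        text = out.decode("ascii", errors="replace")
        return (HOST_PORT.search(text) is not None, printable_fraction(out))
    return max(range(256), key=score)

def decode_config(blob: bytes) -> Dict[str, str]:
    """Decode 'k=v;k=v' style config text once the key has been recovered."""
    text = xor_bytes(blob, recover_xor_key(blob)).decode("ascii")
    return dict(part.split("=", 1) for part in text.split(";") if "=" in part)

def active_hours(cfg: Dict[str, str]) -> Tuple[int, int]:
    """Parse an 'HH-HH' hours field into (start_hour, end_hour)."""
    start, end = cfg["hours"].split("-")
    return int(start), int(end)

def in_active_window(t: time, window: Tuple[int, int] = (8, 20)) -> bool:
    """True when the malware would be active: [08:00, 20:00) per the article."""
    start, end = window
    return start <= t.hour < end

def decode_c2_message(captured: bytes, key: int) -> str:
    """Decode a captured C2 payload with the recovered key (same XOR scheme)."""
    return xor_bytes(captured, key).decode("ascii", errors="replace")

# Constructed sample: a plaintext config XOR-encoded with key 0x5A, standing in
# for the blob an analyst would carve out of the binary.
SAMPLE_KEY = 0x5A
PLAINTEXT_CONFIG = b"c2=203.0.113.10:443;hours=08-20;mode=proxy"
ENCODED_CONFIG = xor_bytes(PLAINTEXT_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCODED_CONFIG)
    cfg = decode_config(ENCODED_CONFIG)
    print(f"key=0x{key:02x} config={cfg}")
    print("active at 09:30:", in_active_window(time(9, 30), active_hours(cfg)))
    print("active at 22:00:", in_active_window(time(22, 0), active_hours(cfg)))
```

The host:port tie-break matters: a single-byte XOR of mostly lowercase text often stays printable for many candidate keys, so printability alone would not single out the right one. For a multi-byte key the same idea applies per key position, with the known structure of the config (field names, separators) serving as the crib.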
## Co-Infected Malware: SPAWNSNARE
Japanese experts also observed another malware, tracked as SPAWNSNARE, in the same compromised system. This malware was previously reported by CISA and Google in April 2025.