
Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware
Networks protected by Ivanti VPN are under active attack by well-resourced hackers who are exploiting a critical vulnerability that gives them complete control over devices connected to the network.
Equipment manufacturer Ivanti disclosed the vulnerability, tracked as CVE-2025-0282, on Wednesday and warned that it was being actively used against some customers. The vulnerability, which lets hackers execute malicious code without authentication, is present in the company’s Connect Secure VPN, as well as Policy Secure and ZTA Gateways. Ivanti released a security patch at the same time; it updates Connect Secure devices to version 22.7R2.5.
Well-written, multifaceted
According to Google-owned security provider Mandiant, the vulnerability has been actively used against “multiple compromised Ivanti Connect Secure devices” since mid-December, about three weeks before the then-zero-day came to light. After exploiting the vulnerability, attackers install two previously unseen malicious packages, tracked under the names DRYHOOK and PHASEJAM, on some compromised devices.
PHASEJAM is a well-written and feature-rich Bash shell script. It first installs a web shell that gives remote hackers privileged control over the devices. It then introduces a function into the Connect Secure update engine designed to simulate the update process.
“If an ICS administrator attempts an upgrade, the feature displays a visually compelling upgrade process that shows each of the steps along with a varying number of dots to simulate the current process,” Mandiant said. The company continued:
PHASEJAM injects a malicious function called processUpgradeDisplay() into the file /home/perl/DSUpgrade.pm. The functionality is designed to simulate an update process consisting of 13 stages, each of which takes a predetermined amount of time. If an ICS administrator attempts to perform an upgrade, the feature displays a visually compelling upgrade process that shows each of the steps along with a varying number of dots to simulate the current process. For more information, see the System Update Continuity section.
The attackers are also using previously spotted malware, tracked as SPAWNANT, on some devices. One of its features is to disable the Integrity Check Tool (ICT) that Ivanti has built into recent versions of its VPNs to check device files for unauthorized additions. SPAWNANT does this by replacing the expected SHA256 cryptographic hash of a core file with the hash of that file after infection. As a result, when the tool is run on compromised devices, administrators see the following screen:
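The hash-replacement evasion described above only works because the checker trusts a manifest that lives on the same device the attacker controls. The following added example (not Ivanti's or Mandiant's code, and not a model of the real ICT) builds a toy integrity check over constructed sample files, shows that rewriting the expected hash lets an altered file pass, and then shows how authenticating the manifest with a key held off the appliance (an assumed design, `OFFBOX_KEY`) catches the tampering:

```python
import hashlib
import hmac

# Constructed sample device tree (path -> contents); not real Ivanti files.
CLEAN_FILES = {
    "/home/perl/DSUpgrade.pm": b"package DSUpgrade;\nsub upgrade { return 1; }\n1;\n",
    "/home/bin/check.pl": b"#!/usr/bin/perl\nprint 'ok';\n",
}
TARGET = "/home/perl/DSUpgrade.pm"
# Hypothetical verification key held off the appliance (assumption, not Ivanti's design).
OFFBOX_KEY = b"constructed-out-of-band-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Expected-hash manifest of the kind an integrity checker consults."""
    return {path: sha256_hex(content) for path, content in files.items()}

def serialize(manifest: dict) -> bytes:
    return "\n".join(f"{p} {h}" for p, h in sorted(manifest.items())).encode()

def manifest_mac(manifest: dict) -> str:
    return hmac.new(OFFBOX_KEY, serialize(manifest), hashlib.sha256).hexdigest()

def naive_ict(files: dict, manifest: dict) -> list:
    """Trusts the on-device manifest; returns paths whose hash disagrees with it."""
    return [p for p, c in files.items() if manifest.get(p) != sha256_hex(c)]

def pinned_ict(files: dict, manifest: dict, mac: str) -> list:
    """Authenticates the manifest with the off-box MAC before using it."""
    if not hmac.compare_digest(manifest_mac(manifest), mac):
        return ["<manifest tampered>"]
    return naive_ict(files, manifest)

def simulate() -> dict:
    manifest = build_manifest(CLEAN_FILES)
    mac = manifest_mac(manifest)           # computed while the device is known-good
    infected = dict(CLEAN_FILES)
    infected[TARGET] += b"sub processUpgradeDisplay { }\n"  # constructed stand-in, no payload
    # SPAWNANT-style evasion: overwrite the expected hash with the post-infection hash.
    tampered = dict(manifest)
    tampered[TARGET] = sha256_hex(infected[TARGET])
    return {
        "naive_honest_manifest": naive_ict(infected, manifest),
        "naive_tampered_manifest": naive_ict(infected, tampered),
        "pinned_tampered_manifest": pinned_ict(infected, tampered, mac),
    }
```

The practical lesson is that an integrity tool's reference hashes must be anchored to something the device cannot rewrite, such as a vendor signature or a MAC verified from an external, known-good copy.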