Chinese Espionage Group Targeting Legacy Ivanti VPN Devices
More Evidence Surfaces of Chinese Hackers Targeting Ivanti Products
Jayant Chakravarti (@JayJay_Tech) • April 4, 2025 • bankinfosecurity

A suspected Chinese cyberespionage operation is behind malware found on VPN appliances made by Ivanti. The threat actor exploited a critical vulnerability that the beleaguered Utah company patched in February, likely further evidence of Chinese hackers' proclivity for quickly exploiting recently patched flaws and for targeting Ivanti products.
Mandiant researchers wrote Thursday that a threat group the company tracks as UNC5221 exploited a stack-based buffer overflow in Ivanti Connect Secure to deploy malware from the SPAWN ecosystem, which is closely associated with Chinese nation-state operations. Mandiant also identified two new malware families it dubbed "Trailblaze" and "Brushfire." As with previous Ivanti breaches traced to Beijing, the hackers attempted to modify the internal Ivanti Integrity Checker Tool in ...
Copyright of this story belongs solely to bankinfosecurity.