Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks
Briefly

MDifyLoader is a new malware family associated with cyber attacks exploiting the Ivanti Connect Secure vulnerabilities CVE-2025-0282 and CVE-2025-22457. These flaws allow unauthenticated remote code execution and have been weaponized to drop MDifyLoader, which in turn launches Cobalt Strike in memory. The threat actors use DLL side-loading to execute the loader. Alongside it, a Go-based tool known as VShell and the network scanning utility Fscan are also being adopted by Chinese hacking groups; both programs are likewise executed through DLL side-loading.
MDifyLoader is a loader built on the open-source project libPeConv. It loads an encrypted data file, decodes a Cobalt Strike Beacon from it, and runs the Beacon in memory.
The latest analysis of the attacks involving Ivanti Connect Secure (ICS) vulnerabilities has uncovered the use of DLL side-loading to launch MDifyLoader, which carries an encoded Cobalt Strike Beacon payload.
Read at The Hacker News