Two recently patched security flaws in Ivanti Endpoint Manager Mobile (EPMM) have been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region.
The vulnerabilities, tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7), were patched by Ivanti last week.
The vulnerability chain has now been abused by UNC5221, a Chinese cyber-espionage group known for targeting edge network devices since at least 2023, according to a report from EclecticIQ. Most recently, the hacking crew was also attributed to efforts to exploit SAP NetWeaver instances vulnerable to CVE-2025-31324.
The Dutch cybersecurity company said the earliest exploitation activity dates back to May 15, 2025, and that the attacks targeted the healthcare, telecommunications, aviation, municipal government, finance, and defense sectors.
“UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration,” security researcher Horde Bucca noted. “Given EPMM's role in managing and pushing configurations to enterprise mobile devices, successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization.”
The attack sequence involves targeting the “/MIFS/RS/API/V2/” endpoint to obtain an interactive reverse shell and remotely execute arbitrary commands on vulnerable Ivanti EPMM deployments. This is followed by the deployment of KrustyLoader, a known Rust-based loader attributed to UNC5221 that lets the attackers deliver additional payloads such as Sliver.
The attackers were also observed targeting the MySQL-backed MIFS database by way of /mi/system/.mifpp to gain unauthorized database access and reach sensitive data that could give them visibility into managed mobile devices, LDAP users, and Office 365 data.
Furthermore, the incidents are characterized by the use of obfuscated shell commands for host reconnaissance before KrustyLoader is dropped from an AWS S3 bucket, as well as the use of Fast Reverse Proxy (FRP) to facilitate network reconnaissance and lateral movement. It's worth noting that FRP is an open-source tool widely used among Chinese hacking groups.
EclecticIQ said it also identified a command-and-control (C2) server associated with Auto-Color, a Linux backdoor that Palo Alto Networks Unit 42 documented as being used against universities and government organizations in North America and Asia between November and December 2024.
“The IP address 146.70.87(.)67:45020, previously linked to Auto-Color command-and-control infrastructure, was observed receiving outbound connections via curl immediately after exploitation of Ivanti EPMM servers,” Biyukka said. “This behavior is consistent with Auto-Color's deployment and behavior patterns. These indicators most likely point to China-nexus activity.”
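The two observables the report gives a defender something concrete to hunt for: requests to the EPMM API prefix in the web server's access log, and outbound curl connections to the Auto-Color C2 address. The following is an added example (not code from the article or from EclecticIQ) that runs those two checks over constructed sample records; the log formats, host names, and client addresses are assumptions, and the IP is refanged from the report's defanged form.

```python
import re

# Indicators described in the article. The report writes the IP defanged
# (146.70.87(.)67); it is refanged here so it can be compared against logs.
EPMM_API_PREFIX = "/mifs/rs/api/v2/"
AUTO_COLOR_C2 = ("146.70.87.67", 45020)

# Combined-format access log: client, timestamp, request line, status, size, referer, user agent.
_ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed outbound-connection record (e.g. from a host firewall): time host process -> dst_ip:port
_CONN_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$'
)

def find_epmm_api_hits(access_log):
    """Return (client, path, user_agent, status) for every request under the EPMM API prefix.
    Path matching is case-insensitive; a 200 to an unexpected client is worth a closer look."""
    hits = []
    for line in access_log.splitlines():
        m = _ACCESS_RE.match(line)
        if m and m["path"].lower().startswith(EPMM_API_PREFIX):
            hits.append((m["client"], m["path"], m["ua"], int(m["status"])))
    return hits

def find_c2_connections(conn_log, c2=AUTO_COLOR_C2):
    """Return (host, process) for outbound connections to the Auto-Color C2 IP:port."""
    found = []
    for line in conn_log.splitlines():
        m = _CONN_RE.match(line)
        if m and (m["dst"], int(m["port"])) == c2:
            found.append((m["host"], m["proc"]))
    return found

# Constructed sample records, not real telemetry.
SAMPLE_ACCESS = """\
10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2025:10:01:09 +0000] "GET /mifs/rs/api/v2/ HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.7 - - [15/May/2025:10:01:10 +0000] "GET /MIFS/RS/API/V2/ HTTP/1.1" 401 0 "-" "python-requests/2.31"
"""
SAMPLE_CONN = """\
2025-05-15T10:02:30Z epmm01 curl -> 146.70.87.67:45020
2025-05-15T10:02:31Z epmm01 java -> 10.0.0.9:389
"""

if __name__ == "__main__":
    for hit in find_epmm_api_hits(SAMPLE_ACCESS):
        print("EPMM API request:", hit)
    for conn in find_c2_connections(SAMPLE_CONN):
        print("Outbound to Auto-Color C2:", conn)
```

Hits on the API prefix alone are not proof of exploitation, since legitimate clients use it too; the useful signal is an unfamiliar source, an unusual user agent, or the same host making the C2 connection shortly afterwards.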
The disclosure comes as threat intelligence firm GreyNoise noted that it witnessed a significant spike in scanning activity aimed at Ivanti Connect Secure and Pulse Secure products in the lead-up to CVE-2025-4427 and CVE-2025-4428.
“While the scanning we observed …,” the company noted. “This is a leading indicator: a signal that attackers are probing critical systems, potentially preparing for future exploitation.”