DslogdRAT Malware
At the end of 2024, attackers installed a previously unknown Remote Access Trojan (RAT), later dubbed DslogdRAT, on compromised Ivanti Connect Secure (ICS) appliances. They got in by exploiting CVE-2025-0282, a critical zero-day that allowed unauthenticated remote code execution. Ivanti patched the vulnerability at the beginning of January 2025, but not before organizations in Japan had already been targeted.
Cracking the Door: Initial Access through Web Shell
The attackers’ first move was to deploy a lightweight Perl-based web shell disguised as a CGI script. The backdoor checked for a specific cookie value, DSAUTOKEN=af95380019083db5, before executing any command it received, so requests lacking that token trigger nothing and the shell stays quiet against casual scanning. Through this foothold, the attackers deployed further malware, notably DslogdRAT.
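The cookie value is a concrete indicator that can be hunted in web server logs. The following is an added example written for this article, not code from the original report or from Ivanti: it scans access-log lines for the DSAUTOKEN cookie and grades each hit. The log layout (a combined-style line with the request's Cookie header as the last quoted field), the paths and the addresses are constructed for the example; the "review" grade for other DSAUTOKEN values is our own heuristic on the assumption that an operator might rotate the token while keeping the cookie name.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator from the intrusion described above: the Perl web shell only runs a
# command when this exact cookie is present on the request.
IOC_COOKIE_NAME = "DSAUTOKEN"
IOC_COOKIE_VALUE = "af95380019083db5"

# Constructed sample log for this example. The layout is an assumption: a
# combined-style access log whose last quoted field is the request's Cookie
# header. Paths and addresses are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2024:09:14:02 +0900] "GET /cgi-bin/example.cgi HTTP/1.1" 200 5120 "DSID=1a2b3c; lastRealm=Users"
203.0.113.7 - - [28/Dec/2024:09:15:40 +0900] "POST /cgi-bin/example.cgi HTTP/1.1" 200 512 "DSAUTOKEN=af95380019083db5"
203.0.113.7 - - [28/Dec/2024:09:16:01 +0900] "POST /cgi-bin/example.cgi HTTP/1.1" 200 77 "DSID=9f9f9f; DSAUTOKEN=af95380019083db5"
198.51.100.23 - - [28/Dec/2024:10:02:55 +0900] "POST /cgi-bin/example.cgi HTTP/1.1" 200 64 "DSAUTOKEN=0123456789abcdef"
10.0.0.9 - - [28/Dec/2024:10:17:13 +0900] "GET /cgi-bin/example.cgi HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)


@dataclass
class Hit:
    src: str
    ts: str
    path: str
    token: str
    confidence: str  # "ioc" for the published value, "review" for any other DSAUTOKEN


def parse_cookies(header: str) -> dict[str, str]:
    """Split a Cookie header ("a=1; b=2") into a name -> value dict."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def scan_log(text: str) -> list[Hit]:
    """Return every request carrying a DSAUTOKEN cookie, graded by confidence.

    The exact published value is a hard indicator. Any other DSAUTOKEN value is
    reported for review on the assumption (ours, not the source's) that an
    operator may rotate the token while keeping the cookie name.
    """
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        token = parse_cookies(m["cookie"]).get(IOC_COOKIE_NAME)
        if token is None:
            continue
        confidence = "ioc" if token == IOC_COOKIE_VALUE else "review"
        hits.append(Hit(m["src"], m["ts"], m["path"], token, confidence))
    return hits


def sources_by_confidence(hits: list[Hit]) -> dict[str, set[str]]:
    """Group offending client addresses by confidence level."""
    out: dict[str, set[str]] = {}
    for h in hits:
        out.setdefault(h.confidence, set()).add(h.src)
    return out


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.confidence:6} {hit.ts} {hit.src} {hit.path} token={hit.token}")
    print(sources_by_confidence(scan_log(SAMPLE_LOG)))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and adjusting LOG_RE to whatever format the appliance or reverse proxy actually emits; the cookie field is the only part the detection depends on. Any "ioc" hit is grounds for treating the appliance as compromised, not merely vulnerable.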
Under the Radar: DslogdRAT’s Multi-Stage Attack Flow
DslogdRAT runs as a multi-stage process tree designed to evade detection:
Stage 1: The initial process spawns a child that is responsible for decoding the configuration data and launching a second process.
Stage 2: That parent stays resident, spending most of its time in sleep calls so that it shows little activity.
Stage 3: The second child carries out the core RAT functions, including C2 communication and command execution.
This separation complicates discovery and cleanup: the process doing the visible work is not the one that was started, and the resident parent does little but sleep, so killing only the active child does not remove the implant's foothold.
Secret Conversations: Custom Communication Techniques
Communication with the Command-and-Control (C2) server takes place over raw sockets, with the traffic encoded using a custom XOR-based scheme. The encoded messages carry system fingerprinting data and follow a fixed message format.
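XOR encoding of this kind is cheap to undo once the key is known, and the fingerprint fields give the analyst a known plaintext to recover it with. The following is an added example written for this article, not the malware's code or anything from the original report: it assumes a single-byte repeating XOR key (the source only says "custom XOR-based" and gives neither key nor layout), uses a hypothetical pipe-separated field layout and a made-up key of 0x63, and builds the sample capture inline by encoding that hypothetical beacon so the example runs offline. The technique (try every key, keep the ones under which the appliance's own hostname appears) is generic to single-byte XOR and not specific to this family.

```python
from __future__ import annotations

# Single-byte XOR is an assumption for this example; the source only says the
# C2 traffic uses a custom XOR-based scheme and does not give the key or the
# exact message layout. The key value itself is made up.
ASSUMED_KEY = 0x63

# Hypothetical beacon layout used to build the sample: pipe-separated
# fingerprint fields. The field names are ours, not taken from the malware.
FIELD_NAMES = ("host", "user", "pid", "platform", "addr")
SAMPLE_PLAINTEXT = b"ics-gw01|root|4711|Linux 4.4.0|10.0.0.5"


def xor_single(data: bytes, key: int) -> bytes:
    """Apply a repeating single-byte XOR key (encode and decode are the same op)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


# Constructed capture: stands in for the bytes an analyst would pull off the
# wire. Built here by encoding the hypothetical beacon so the example runs offline.
SAMPLE_CAPTURE = xor_single(SAMPLE_PLAINTEXT, ASSUMED_KEY)


def recover_key(capture: bytes, known: bytes) -> list[int]:
    """Return every single-byte key under which a known plaintext fragment appears.

    The appliance's own hostname is a convenient fragment: it is part of the
    fingerprint the implant sends, and the defender already knows it.
    """
    return [k for k in range(256) if known in xor_single(capture, k)]


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; a sanity check on a candidate key."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def decode_beacon(capture: bytes, key: int) -> dict[str, str]:
    """Decode a captured beacon and split it into the hypothetical fields."""
    text = xor_single(capture, key).decode("ascii")
    parts = text.split("|")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"unexpected field count {len(parts)}")
    return dict(zip(FIELD_NAMES, parts))


if __name__ == "__main__":
    # Known fragment: the hostname of the appliance the capture came from.
    for k in recover_key(SAMPLE_CAPTURE, b"ics-gw01"):
        decoded = xor_single(SAMPLE_CAPTURE, k)
        print(f"key 0x{k:02x} printable={printable_ratio(decoded):.2f}")
        print(decode_beacon(SAMPLE_CAPTURE, k))
```

If the real scheme turns out to use a multi-byte or rolling key, the brute-force step needs to be widened to key length, but the known-plaintext idea is the same: the implant volunteers the hostname, username and similar values that the defender can predict from the device itself.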
DslogdRAT supports several key functionalities:
- File upload and download
- Shell command execution
- Proxy setup to route malicious traffic
These capabilities let the attackers retain control of the compromised appliance and, through the proxy function, route traffic onward into the internal network.
Business Hours Only: Clever Tactics to Avoid Detection
An unusual feature of DslogdRAT is its built-in operating schedule: it is active only between 8:00 AM and 8:00 PM and stays dormant outside those hours, so its traffic blends into normal business-hours activity instead of standing out in an otherwise quiet night-time baseline. The same behaviour means a sandbox run or a manual analysis session started in the evening may show the sample doing nothing at all; shifting the system clock into the active window is the first thing to try.
More than One Threat: Discovery of SPAWNSNARE
Alongside DslogdRAT, another piece of malware named SPAWNSNARE was found on the affected systems. It remains unclear whether the two are part of the same campaign or directly tied to the group UNC5221, but their presence on the same appliances points to coordinated activity by capable threat actors.
A Growing Threat: New Exploits in 2025
In April 2025, security researchers revealed that another Ivanti Connect Secure vulnerability, CVE-2025-22457, had also been exploited to deploy malware. That newer campaign has been attributed to UNC5221, believed to be a China-linked group. Whether this activity is connected to the earlier attacks involving the SPAWN malware family is still under investigation.