The article details malware and tactics used in attacks targeting Ivanti Connect Secure vulnerabilities from December 2024 to July 2025. It describes MDifyLoader, a loader based on libPeConv, which deploys Cobalt Strike Beacon through DLL side-loading. The attackers also utilized vshell, a multi-platform RAT, and Fscan, a network scanning tool. After gaining initial access, the threat actors performed lateral movement by brute-forcing credentials, exploiting vulnerabilities, and using stolen credentials. They established persistence by creating domain accounts and registering malware as services or scheduled tasks. The attackers employed various evasion techniques, including the use of legitimate files and ETW bypasses.
Author: AlienVault
Related Tags:
MDifyLoader
VSHell
T1110.001
fscan
T1136.002
T1053.005
T1070.004
T1021.002
T1098
Associated Indicators: