Hackers Abuse Ivanti Zero Days to Deploy MDifyLoader and Cobalt Strike

Between December 2024 and July 2025, attackers exploited two critical vulnerabilities in Ivanti Connect Secure (ICS) appliances: CVE-2025-0282 and CVE-2025-22457. These flaws allowed unauthenticated attackers to execute arbitrary code remotely, effectively turning vulnerable servers into hosts for malware. The first vulnerability was patched by Ivanti in January 2025, followed by the second in April 2025.

Introducing MDifyLoader and In-Memory Cobalt Strike

Researchers from JPCERT/CC discovered that attackers deployed a custom loader named MDifyLoader, built on the open-source libPeConv project. The loader decodes an encrypted Cobalt Strike beacon (version 4.5, from December 2021) and runs it directly in memory, without writing the decoded payload to disk.

DLL Side-Loading Amplifies Infection

The infection technique used is DLL side-loading. Attackers placed malicious DLLs next to legitimate executables. When those executables ran, they loaded the rogue DLLs in place of the libraries they expected; the DLLs then launched MDifyLoader, which injected the Cobalt Strike beacon into memory.

Additional Go-Built Tools: VShell and Fscan

Two additional Go-based tools were also found in the attack chain: VShell, a remote access utility, and Fscan, a network scanner. Both tools were loaded using DLL side-loading and played key roles in post-exploitation stages.

A peculiar observation: VShell checked whether the system locale was set to Chinese before executing. Attackers repeatedly uploaded new versions of VShell to bypass this check, suggesting they may have left a developer-only language flag active by mistake.

From Breach to Persistence: How Attackers Moved

Once inside the network, the attackers got aggressive:

  • Launched brute-force attacks on FTP, MS-SQL, and SSH servers
  • Attempted to exploit EternalBlue (MS17-010) for lateral movement
  • Created new domain accounts and quietly added them to active groups to maintain access even if old credentials were revoked

To maintain their foothold, they also registered malware as system services or scheduled tasks, ensuring it would run at startup or under specific conditions.

What This Really Means

This isn’t just a one-off exploit. It’s a full attack chain that leverages unpatched ICS devices to inject loaders, execute in-memory payloads, and persist inside networks. The use of DLL side-loading and memory-only tools is part of a growing trend toward stealth attacks built to bypass antivirus software and avoid disk-based detection.

What Organizations Should Do

  • Patch ICS appliances immediately. Both CVE-2025-0282 and CVE-2025-22457 are being actively exploited.
  • Strengthen internal security, especially around credential hygiene and lateral movement prevention.
  • Use EDR tools capable of detecting in-memory activity to hunt for suspicious DLLs and Cobalt Strike beacons.
  • Review scheduled tasks and service registrations that might indicate unauthorized persistence.
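The following hunt script is an added example, not code from the article or from JPCERT/CC. It ties the last two recommendations together: it lists services and scheduled tasks whose binaries live outside trusted directories, then inspects those folders for unsigned DLLs sitting beside a validly signed executable, the side-loading layout described above. The trusted-root list and the "signed EXE, unsigned DLL" rule are assumptions to tune for your environment.

```powershell
# Added hunt script (not from the article). Assumes Windows PowerShell 5.1+ with the
# ScheduledTasks module. $TrustedRoots is an assumption; tune it per environment.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Extract the executable from a service ImagePath or task action, expanding %VAR% references.
function Get-ExePath {
    param([string]$Command)
    if (-not $Command) { return $null }
    $exe = if ($Command.StartsWith('"')) { $Command.Split('"')[1] } else { $Command.Split(' ')[0] }
    return [System.Environment]::ExpandEnvironmentVariables($exe)
}

$findings = @()

# 1. Services whose binary is outside the trusted roots (service-based persistence).
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ExePath $_.PathName
    if ($exe -and -not (Test-TrustedPath $exe)) {
        $findings += [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Path = $exe }
    }
}

# 2. Scheduled tasks with an action outside the trusted roots (task-based persistence).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = Get-ExePath $action.Execute
        if ($exe -and -not (Test-TrustedPath $exe)) {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $task.TaskName; Path = $exe }
        }
    }
}

# 3. Beside each flagged executable, look for unsigned DLLs next to a signed EXE (side-loading layout).
$candidates = $findings | Select-Object -ExpandProperty Path -Unique
foreach ($path in $candidates) {
    $dir = Split-Path -Parent $path
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    $exeSig = (Get-AuthenticodeSignature $path -ErrorAction SilentlyContinue).Status
    Get-ChildItem -Path $dir -Filter *.dll -ErrorAction SilentlyContinue | ForEach-Object {
        $dllSig = (Get-AuthenticodeSignature $_.FullName -ErrorAction SilentlyContinue).Status
        if ($exeSig -eq 'Valid' -and $dllSig -ne 'Valid') {
            $findings += [pscustomobject]@{ Type = 'SideLoadCandidate'; Name = $_.Name; Path = $_.FullName }
        }
    }
}

$findings | Sort-Object Type, Path | Format-Table -AutoSize
```

Hits are leads for triage, not verdicts: legitimate third-party software often installs outside the trusted roots, so compare flagged paths against your software inventory and the EDR telemetry for the same host.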

Closing Thoughts

Attackers are evolving. These are no longer simple phishing attacks or firewall breaches. The use of ICS flaws and side-loading is part of a broader move toward stealthy, embedded intrusions. With these zero-days now out in the open and being exploited, it’s only a matter of time before copycat attacks ramp up. The window to act is short. Patch fast and tighten your defenses.
