Particle.news

CISA Details Malware Used in Ivanti EPMM Exploits, Releases IoCs and Detection Rules

The agency explains how chained flaws enabled unauthenticated access leading to persistence on vulnerable servers.

Overview

  • CISA published a technical analysis of two malware sets found after intrusions exploiting Ivanti EPMM, providing indicators of compromise, YARA rules, and a SIGMA rule.
  • Attackers chained CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution) for unauthenticated arbitrary code execution.
  • Following public PoC code, threat actors accessed an EPMM server around May 15 to run recon commands, fetch files, map the network, create a heap dump, and dump LDAP credentials.
  • Two malware kits were dropped to the /tmp directory, each using a loader and a malicious listener delivered in segmented Base64 chunks via HTTP GET requests to the /mifs/rs/api/v2 endpoint.
  • CISA describes ReflectUtil.class injecting SecurityHandlerWanListener into Apache Tomcat to intercept and execute payloads, while WebAndroidAppInstaller.class decrypts a password with a hard-coded key, uses it to define and run a new class, and returns the class's output in encrypted form.
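The delivery pattern in the fourth bullet (segmented Base64 chunks arriving over HTTP GET to /mifs/rs/api/v2) is something a defender can hunt for in web access logs. The script below is an added example written for this summary, not CISA's published YARA/SIGMA rules or Ivanti code; it assumes Tomcat combined-format access logs, that chunks arrive in request order per source IP, and that the query-parameter name is unknown, so every Base64-looking value is collected. The log lines and the `p=` values are constructed sample data.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import unquote

TARGET_PREFIX = "/mifs/rs/api/v2"      # endpoint named in the CISA summary
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java .class file starts with this
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample log. The three "p=" values from 10.0.0.5 reassemble to the
# class-file magic followed by the text "constructed!" (not a real class); the
# "q=42" request from 10.0.0.7 is benign noise on the same endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example?p=yv66vmNv HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [15/May/2025:10:01:03 +0000] "GET /mifs/login.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2025:10:01:04 +0000] "GET /mifs/rs/api/v2/example?p=bnN0cnVj HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [15/May/2025:10:01:05 +0000] "GET /mifs/rs/api/v2/example?q=42 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2025:10:01:06 +0000] "GET /mifs/rs/api/v2/example?p=dGVkIQ%3D%3D HTTP/1.1" 200 512 "-" "curl/8.0"
"""


def base64_values(target):
    """Return URL-decoded query values of a request target that look like Base64."""
    _, _, query = target.partition("?")
    values = []
    for part in query.split("&"):
        _, _, raw = part.partition("=")
        value = unquote(raw)  # unquote, not unquote_plus: a literal '+' is Base64 data
        if len(value) >= 8 and B64_RE.match(value):
            values.append(value)
    return values


def analyze(lines):
    """Collect Base64-looking GET parameters sent to the API prefix, grouped by
    source IP, reassemble them in arrival order and flag class-file payloads."""
    chunks = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        if not m.group("target").startswith(TARGET_PREFIX):
            continue
        chunks[m.group("ip")].extend(base64_values(m.group("target")))
    report = {}
    for ip, parts in chunks.items():
        try:
            payload = base64.b64decode("".join(parts), validate=True)
        except binascii.Error:
            payload = b""  # chunks out of order or not really Base64
        report[ip] = {"chunks": len(parts), "payload_len": len(payload),
                      "java_class_magic": payload.startswith(JAVA_CLASS_MAGIC)}
    return report
```

Running `analyze(SAMPLE_LOG.splitlines())` reports 10.0.0.5 with three chunks whose reassembled payload carries the class-file magic, and 10.0.0.7 with none; a hit on real logs is a lead to pivot into the /tmp artifacts and the listener injection the summary describes.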