DslogdRAT Malware Targets Organizations & Their Data
DslogdRAT is a newly identified cyber security threat, the latest tool in a series of sophisticated intrusions targeting critical systems worldwide.
What is DslogdRAT?
DslogdRAT first came to light after cybersecurity experts uncovered its installation following the exploitation of a now-resolved vulnerability in Ivanti Connect Secure (ICS), a widely used remote access solution. The flaw in question, identified as CVE-2025-0282, allowed attackers to execute code remotely without any need for user authentication. Although Ivanti addressed the vulnerability with a patch in early January 2025, malicious actors had already been actively exploiting it as a zero-day during cyberattacks, particularly in Japan, as early as December 2024.
Some History On DslogdRAT
The exploitation of this vulnerability was traced back to a China-linked espionage group known as UNC5337. This group leveraged the flaw not only to deliver the newly discovered DslogdRAT but also to deploy a collection of malicious tools known as the SPAWN malware ecosystem alongside other strains like DRYHOOK and PHASEJAM. Interestingly, while SPAWN has been attributed to UNC5337, the use of DRYHOOK and PHASEJAM has not yet been linked to a specific actor.
Adding further complexity to the situation, updated versions of SPAWN, named SPAWNCHIMERA and RESURGE, have also been detected exploiting the same vulnerability. Another group, UNC5221, has reportedly utilized a separate flaw in ICS (CVE-2025-22457) to propagate similar malware variants. However, current investigations have yet to determine if DslogdRAT is directly connected to these broader operations involving SPAWN.
How The Attacks Occur
The typical attack chain involving DslogdRAT begins with attackers taking advantage of the CVE-2025-0282 vulnerability to implant a web shell — a script that allows remote control over a compromised server. This web shell then acts as a springboard to deploy DslogdRAT onto the targeted systems.
Once embedded, DslogdRAT establishes a socket connection to an external server. It collects and transmits basic information about the infected system and then waits for further commands. These instructions can range from executing arbitrary shell commands to uploading or downloading files, and even using the compromised machine as a proxy to mask further malicious activity.
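As an added illustration of the detection side (this is not code from the original article), the following Python sketch flags the two behaviours just described in constructed connection records from an ICS appliance: a long-lived appliance-initiated socket to an unknown external host, and a client session relayed straight back out through the appliance. The appliance address, egress allowlist and record format are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Conn:
    ts: int          # epoch seconds the socket was opened
    initiator: str   # IP that opened the socket
    peer: str        # IP on the other end
    peer_port: int
    duration: int    # seconds the socket stayed open

APPLIANCE_IP = "10.0.0.5"                     # assumed ICS appliance address
ALLOWED_EGRESS = {"10.0.0.10", "10.0.0.11"}   # assumed internal LDAP/syslog hosts
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a normal VPN login, an expected LDAP lookup, a day-long
# appliance-initiated socket to an unknown host (C2 pattern), and a client
# session immediately followed by an outbound socket (proxy pattern).
SAMPLE = [
    Conn(1000, "203.0.113.7", APPLIANCE_IP, 443, 600),
    Conn(1001, APPLIANCE_IP, "10.0.0.10", 389, 1),
    Conn(1100, APPLIANCE_IP, "198.51.100.20", 8443, 86400),
    Conn(1200, "203.0.113.9", APPLIANCE_IP, 443, 30),
    Conn(1202, APPLIANCE_IP, "192.0.2.44", 22, 29),
]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_beacons(conns, min_duration=300):
    """Appliance-initiated sockets to non-allowlisted external hosts held open
    at least min_duration seconds: the RAT's persistent command link."""
    return [c for c in conns
            if c.initiator == APPLIANCE_IP and c.peer not in ALLOWED_EGRESS
            and is_external(c.peer) and c.duration >= min_duration]

def flag_relays(conns, window=5):
    """An inbound session followed within `window` seconds by an appliance-
    initiated socket to an external host: proxy use. Returns (in, out) pairs."""
    inbound = [c for c in conns if c.peer == APPLIANCE_IP]
    outbound = [c for c in conns if c.initiator == APPLIANCE_IP
                and c.peer not in ALLOWED_EGRESS and is_external(c.peer)]
    return [(i, o) for i in inbound for o in outbound if 0 <= o.ts - i.ts <= window]

if __name__ == "__main__":
    for c in flag_beacons(SAMPLE):
        print(f"possible C2 socket: appliance -> {c.peer}:{c.peer_port} open {c.duration}s")
    for i, o in flag_relays(SAMPLE):
        print(f"possible relay: {i.initiator} -> appliance -> {o.peer}:{o.peer_port}")
```

Real appliances emit such records through their own logging, so the parsing step is deliberately left out; the point is that an edge device opening its own outbound sockets is the signal worth alerting on.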
What Does It Mean Overall?
The emergence of DslogdRAT comes at a time of heightened activity against ICS and similar systems. Threat intelligence firm GreyNoise has reported a ninefold increase in suspicious scanning efforts directed at ICS and Ivanti Pulse Secure (IPS) appliances within just 24 hours. Over the past three months, more than 1,000 unique IP addresses have been involved in this scanning activity. Out of these, 255 addresses have been classified as actively malicious, often originating from TOR exit nodes, while 643 are flagged as suspicious, primarily linked to obscure hosting providers. The most frequent sources of these scans have been the United States, Germany, and the Netherlands.
Experts suggest that this surge in reconnaissance may be a sign of coordinated campaigns preparing for future exploitation, even though no specific new vulnerabilities have been officially tied to the observed scanning.
The Takeaway
The arrival of DslogdRAT reminds organizations of the persistent challenges they face in securing their digital infrastructures. While the malware's technical nature is concerning, its discovery also underscores the critical importance of proactive patch management, thorough monitoring of network activity, and timely incident response.
For businesses and institutions relying on remote access technologies like Ivanti Connect Secure, the key takeaway is clear: staying vigilant against emerging threats is not just recommended — it is essential. Regular updates, comprehensive threat detection measures, and staff training on cybersecurity best practices can go a long way in mitigating risks posed by malware like DslogdRAT.
As the cybersecurity community continues to investigate and monitor this threat, organizations are advised to review their exposure to vulnerable systems and strengthen their defensive strategies accordingly. Although the threat landscape is continually shifting, informed and agile responses remain the best defense.