Current Cyber Threats

Hackers Exploiting Vulnerabilities in Ivanti Connect Secure to Deploy MetaRAT Malware

Summary:
In April 2025, a China-linked threat group launched a campaign targeting Japanese shipping and transportation companies, using several variants of the PlugX remote access trojan (RAT). To gain initial access, the actors leveraged vulnerabilities in Ivanti Connect Secure (ICS), particularly CVE-2024-21893 and CVE-2024-21887. This access was followed by the deployment of two new PlugX variants:
  • MetaRAT: MetaRAT is written in C++ and uses a custom shellcode with RC4 encryption and LZNT1 compression to deliver its payload, making detection and analysis more challenging. The RAT features enhanced obfuscation techniques, unique command-and-control (C2) protocols, and additional plugins such as keyloggers and port mapping tools.
  • Talisman: Another variant of PlugX, closely related to MetaRAT, with similar functionality but reported to be used by multiple China-based threat groups, including RedFoxtrot, Space Pirates, and Calypso. Talisman is typically written in C++ and is primarily employed for espionage, targeting government and telecommunications sectors. It shares infrastructure with MetaRAT, suggesting a likely connection between the two malware families and their operators.
Security Officer Comments:
In this campaign, the actors employed DLL side-loading to launch MetaRAT and Talisman, following the exploitation of the ICS vulnerabilities. They then used the installed malware to perform reconnaissance, collect credentials, and move laterally across the organization’s network. In this case, actors harvested credentials for privileged Active Directory accounts. These credentials were used to move laterally to multiple servers, which were then infected with the PlugX variants to maintain a persistent foothold.

According to Japan’s cybersecurity firm LAC, the motive of this campaign was not immediate data exfiltration. Rather, the actors were focused on establishing a stable foothold and gathering credentials to enable future re-entry and conduct long-term cyber espionage.

Suggested Corrections:
Organizations should immediately apply security patches for CVE-2024-21893 and CVE-2024-21887 and monitor their systems for signs of compromise.

The presence of suspicious service registrations such as “sihosts” or registry keys named “matesile” may indicate active MetaRAT infections.

Additionally, checking for keylog files named “VniFile.hlp” in the %ALLUSERSPROFILE%\mates\ directory can help identify affected systems.
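The three host indicators above (the “sihosts” service, the “matesile” registry key, and the VniFile.hlp keylog file) can be checked in one pass. The following PowerShell script is an added example written for this digest; it is not code from the advisory, from LAC, or from the linked article. It assumes “sihosts” is the service name as registered with the Service Control Manager, that the keylog path is %ALLUSERSPROFILE%\mates\VniFile.hlp, and, because the advisory gives no full registry path for “matesile”, it searches for a key of that name under a set of common persistence roots chosen here as an assumption.

```powershell
# Added example (not from the original advisory): triage a Windows host for the
# MetaRAT indicators listed in the digest. Run in an elevated session so that
# HKLM and service queries succeed. Returns zero or more finding objects.

function Test-MetaRatIndicators {
    [CmdletBinding()]
    param(
        # Service name as the advisory reports it (assumed to be the SCM name).
        [string]$ServiceName = 'sihosts',
        # Registry key leaf name reported by the advisory; location is not given.
        [string]$RegistryKeyName = 'matesile',
        # Keylog artifact path from the advisory.
        [string]$KeylogPath = (Join-Path $env:ALLUSERSPROFILE 'mates\VniFile.hlp'),
        # ASSUMED search roots; the advisory does not state where "matesile" lives.
        [string[]]$RegistryRoots = @(
            'HKLM:\SYSTEM\CurrentControlSet\Services',
            'HKLM:\SOFTWARE',
            'HKLM:\SOFTWARE\WOW6432Node',
            'HKCU:\SOFTWARE'
        )
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Service registration: look the service up by name and record its binary path
    #    so the responder can see what the service actually launches.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
        $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $findings.Add([pscustomobject]@{
            Indicator = 'Service'
            Detail    = "$ServiceName (Status=$($svc.Status); ImagePath=$imagePath)"
        })
    }

    # 2. Registry key: recurse under each assumed root and match the leaf key name
    #    case-insensitively. Recursing HKLM:\SOFTWARE can take a while on large hosts.
    foreach ($root in $RegistryRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -ieq $RegistryKeyName } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Indicator = 'RegistryKey'
                    Detail    = $_.Name
                })
            }
    }

    # 3. Keylog artifact: report size and last-write time so the responder can
    #    estimate how long the keylogger has been active. Do not delete the file;
    #    it is evidence and should be preserved for forensic review.
    if (Test-Path -LiteralPath $KeylogPath -PathType Leaf) {
        $f = Get-Item -LiteralPath $KeylogPath
        $findings.Add([pscustomobject]@{
            Indicator = 'KeylogFile'
            Detail    = "$($f.FullName) (Size=$($f.Length) bytes; LastWriteUtc=$($f.LastWriteTimeUtc.ToString('u')))"
        })
    }

    return $findings
}

# Usage: wrap in @() so a single finding is still treated as an array.
$results = @(Test-MetaRatIndicators)
if ($results.Count -eq 0) {
    Write-Output "No MetaRAT indicators found on $env:COMPUTERNAME."
} else {
    Write-Output "MetaRAT indicators found on $env:COMPUTERNAME:"
    $results | Format-Table -AutoSize
}
```

Any non-empty result should be treated as a possible active infection: isolate the host and hand it to incident response rather than removing the artifacts in place, since the campaign described above harvested privileged Active Directory credentials and spread to multiple servers, so a single clean-up on one machine is unlikely to end the intrusion.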

Link(s):
https://cybersecuritynews.com/hackers-exploiting-vulnerabilities-in-ivanti-connect-secure/