You Need to Improve Your Network Security Today

West Houston, TX – April 25, 2025 — A newly discovered malware known as DslogdRAT is being deployed through a critical vulnerability in Ivanti Connect Secure (ICS), and Impress IT Solutions in West Houston is issuing a warning to local businesses that may be at risk.

The flaw, CVE-2025-0282, is a stack-based buffer overflow that allows unauthenticated remote code execution on the appliance. It was exploited as a zero-day from mid-December 2024 before Ivanti patched it in Connect Secure 22.7R2.5 on January 8, 2025. Researchers at JPCERT/CC have since confirmed that the flaw has been used in targeted attacks to install web shells and remote access malware, including DslogdRAT.

“If your organization uses Ivanti ICS and hasn’t patched or audited for signs of compromise, you could be exposed to serious risk,” said the cybersecurity team at Impress IT Solutions. “This type of malware gives attackers complete control over a device.”


What Is DslogdRAT and Why Is It Dangerous?

After exploiting the Ivanti flaw, attackers drop a small Perl CGI web shell on the appliance and use it to stage DslogdRAT and other payloads. Once installed, DslogdRAT:

  • Connects to an external command-and-control server and sends back basic system information
  • Executes shell commands sent by the operator
  • Uploads and downloads files on demand
  • Turns the compromised appliance into a proxy for further attacks

The implant gives an attacker shell access, file transfer and a proxy foothold on the device that terminates your VPN sessions. That is what makes it especially dangerous: the compromised appliance is the remote access portal itself, sitting at the network edge with a path into internal systems.


Who’s Behind It?

The initial exploitation of the Ivanti zero-day has been linked to the Chinese cyber espionage groups UNC5337 and UNC5221, who have also been deploying the SPAWN family of implants along with DRYHOOK, PHASEJAM, and SPAWNCHIMERA.

While it’s still unclear whether DslogdRAT is part of the same campaign, the tactics and delivery method are strikingly similar—and the risk remains high for any business running outdated or misconfigured ICS appliances.


What Should West Houston Businesses Do?

Impress IT Solutions is already assisting businesses across the region with urgent patching, vulnerability assessments, and post-breach detection efforts.

🔧 Here’s how we help:

Patch Management & Version Auditing

We identify vulnerable Ivanti ICS appliances, confirm they are upgraded to 22.7R2.5 or later (the release that fixes CVE-2025-0282 and the companion CVE-2025-0283), and follow Ivanti's guidance to run the Integrity Checker Tool (ICT) before and after the upgrade, with a factory reset before patching if the ICT reports signs of compromise.

🔍 Compromise Detection & Web Shell Scanning

We scan for suspicious files, hidden web shells, and backdoors like DslogdRAT using behavior-based analysis and threat intelligence. On an ICS appliance this starts with the ICT output and the appliance's own logs, since a conventional endpoint agent cannot be installed on the device itself.
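The kind of check that "web shell scanning" means in practice, as an added example for this article (it is not code from Impress IT Solutions, Ivanti or JPCERT/CC): a heuristic pass over Perl CGI scripts that flags any file feeding request-controlled data (cookies, headers, query string, POST body) into a command-execution primitive. The indicator patterns and the three sample scripts are constructed for the demo and are assumptions, not indicators published for DslogdRAT.

```python
"""Heuristic scan of Perl CGI scripts for web-shell behaviour.

Added example; not code from Impress IT Solutions, Ivanti or JPCERT/CC.
The patterns are an assumption: they flag Perl that passes request data
into a command-execution primitive. Sample scripts are constructed.
"""
import hashlib
import os
import re
import tempfile

# Perl primitives that run OS commands or evaluate code.
EXEC_PATTERNS = {
    "system()":  re.compile(r"\bsystem\s*\("),
    "exec()":    re.compile(r"\bexec\s*\("),
    "backticks": re.compile(r"`[^`\n]*\$[^`\n]*`"),  # `$cmd` interpolation
    "pipe-open": re.compile(r"\bopen\s*\([^)]*\|"),  # open(FH, "cmd |")
    "eval-var":  re.compile(r"\beval\s*\(?\s*\$"),    # eval $data
}

# Channels through which an HTTP request reaches the script.
INPUT_PATTERNS = {
    "HTTP_COOKIE":   re.compile(r"\$ENV\{\s*['\"]?HTTP_COOKIE['\"]?\s*\}"),
    "HTTP_header":   re.compile(r"\$ENV\{\s*['\"]?HTTP_[A-Z_]+['\"]?\s*\}"),
    "QUERY_STRING":  re.compile(r"\$ENV\{\s*['\"]?QUERY_STRING['\"]?\s*\}"),
    "STDIN":         re.compile(r"<STDIN>"),
    "CGI param":     re.compile(r"->param\s*\("),
    "base64-decode": re.compile(r"\bdecode_base64\s*\("),
}


def scan_source(text):
    """Return (exec_hits, input_hits): sorted names of matched patterns."""
    exec_hits = sorted(n for n, p in EXEC_PATTERNS.items() if p.search(text))
    input_hits = sorted(n for n, p in INPUT_PATTERNS.items() if p.search(text))
    return exec_hits, input_hits


def classify(text):
    """'suspicious' = exec primitive plus request input; 'review' = exec only."""
    exec_hits, input_hits = scan_source(text)
    if exec_hits and input_hits:
        return "suspicious"
    if exec_hits:
        return "review"
    return "clean"


def scan_tree(root, exts=(".cgi", ".pl", ".pm")):
    """Walk a directory and report every non-clean Perl/CGI file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", "replace")
            verdict = classify(text)
            if verdict == "clean":
                continue
            exec_hits, input_hits = scan_source(text)
            findings.append({"path": path, "verdict": verdict,
                             "exec": exec_hits, "input": input_hits,
                             "sha256": hashlib.sha256(data).hexdigest()})
    return findings


# Constructed samples (not files recovered from an Ivanti appliance).
BENIGN = r"""#!/usr/bin/perl
use CGI;
my $q = CGI->new;
print $q->header('text/html');
print "<p>Welcome, " . $q->param('user') . "</p>\n";
"""

DIAG = r"""#!/usr/bin/perl
print "Content-Type: text/plain\n\n";
system("/bin/df", "-h");
"""

SHELL = r"""#!/usr/bin/perl
use MIME::Base64;
my ($tok) = $ENV{'HTTP_COOKIE'} =~ /SESSION=([A-Za-z0-9+\/=]+)/;
my $cmd = decode_base64($tok);
print "Content-Type: text/plain\n\n";
print `$cmd 2>&1`;
"""


def demo():
    """Write the samples to a temp dir, scan it, return {filename: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        for name, src in (("welcome.cgi", BENIGN), ("diag.cgi", DIAG), ("shell.cgi", SHELL)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(src)
        return {os.path.basename(f["path"]): f["verdict"] for f in scan_tree(root)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10} {name}")
```

The "review" bucket matters: a script that runs a fixed command is legitimate diagnostic code on most appliances, so only exec plus attacker-reachable input is escalated, and the SHA-256 of each hit is kept so a confirmed shell can be shared as an indicator.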

🛡️ Perimeter Hardening & Remote Access Security

We lock down exposed remote access features and apply firewall rules, MFA, and zero-trust policies to reduce the attack surface.

📊 24/7 Monitoring & Threat Hunting

We actively monitor for command-and-control (C2) traffic, connections to suspicious IPs, and unauthorized system activity from compromised machines, with particular attention to outbound connections initiated by the appliance itself, which should normally be limited to a small, known set of destinations.
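One concrete form of C2 monitoring, as an added example for this article rather than Impress IT Solutions' tooling: group outbound connections from the appliance by destination and flag pairs whose connection intervals are too regular to be user traffic. The log format ("timestamp src dst dport") and the records are constructed for the demo, using documentation IP ranges; adapt the parser to your firewall or NetFlow export.

```python
"""Spot periodic outbound connections (C2 beaconing) in connection logs.

Added example, not Impress IT Solutions' tooling. Assumes a whitespace-
separated log of "timestamp src dst dport" (an assumption; adapt to your
export). Records are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.5.10 stands in for the appliance's internal address.
SAMPLE_LOG = """\
2025-04-20T09:00:00 10.0.5.10 198.51.100.23 443
2025-04-20T09:00:30 10.0.5.10 203.0.113.7 443
2025-04-20T09:01:02 10.0.5.10 198.51.100.23 443
2025-04-20T09:01:59 10.0.5.10 198.51.100.23 443
2025-04-20T09:02:10 10.0.5.10 203.0.113.7 443
2025-04-20T09:03:01 10.0.5.10 198.51.100.23 443
2025-04-20T09:04:00 10.0.5.10 198.51.100.23 443
2025-04-20T09:04:58 10.0.5.10 198.51.100.23 443
2025-04-20T09:06:01 10.0.5.10 198.51.100.23 443
2025-04-20T09:07:00 10.0.5.10 198.51.100.23 443
2025-04-20T09:15:45 10.0.5.10 203.0.113.7 443
2025-04-20T09:16:00 10.0.5.10 203.0.113.7 443
2025-04-20T09:20:00 10.0.5.10 192.0.2.9 80
2025-04-20T09:40:00 10.0.5.10 203.0.113.7 443
2025-04-20T09:41:00 10.0.5.10 192.0.2.9 80
"""


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_beacons(flows, min_count=5, max_cv=0.2, min_interval=10, max_interval=3600):
    """Return (src, dst, dport) groups whose connection cadence is metronomic.

    cv is the coefficient of variation of the gaps between connections;
    human-driven traffic is bursty (cv near or above 1), timers are not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_count:          # too few samples to judge cadence
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if not min_interval <= avg <= max_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "count": len(times), "mean_interval_s": avg,
                            "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in detect_beacons(parse_flows(SAMPLE_LOG)):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every ~{b['mean_interval_s']:.0f}s "
              f"(n={b['count']}, cv={b['cv']})")
```

In the sample the 198.51.100.23 connections arrive roughly every 60 seconds with a few seconds of jitter and are flagged, while the irregular 203.0.113.7 traffic and the two-connection 192.0.2.9 pair are not. Widen `max_cv` if an implant adds heavy jitter, and pair this with an allowlist of the destinations the appliance legitimately contacts (update and licensing servers) so that those are reviewed once rather than alerted on daily.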


The Bigger Picture: A Surge in Ivanti Scanning

According to threat intelligence firm GreyNoise, there has been a 9X spike in scanning activity targeting Ivanti ICS and Pulse Secure appliances, with over 1,000 unique IP addresses observed probing these devices in recent months. Many of these scans originate from Tor exit nodes or obscure hosting services, indicating organized reconnaissance ahead of further exploitation.

“This is coordinated, global activity—and it’s coming for any business that hasn’t patched or locked down its perimeter,” said Impress IT. “But with the right tools and support, it’s preventable.”


Don’t Let a Zero-Day Become a Full Compromise

If your company uses Ivanti Connect Secure or any similar remote access solution, now is the time to ensure it's secured. Even if you've applied patches, your system may still have lingering malware or unauthorized access points. Attacker tooling seen in this campaign (PHASEJAM) blocks the legitimate upgrade and displays a fake progress bar, so a patch that appeared to succeed may never have installed. Verify the running version and the appliance's integrity after patching rather than trusting the upgrade screen.