China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile Vulnerability

Context

EclecticIQ has identified active exploitation of two critical vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier, allowing for unauthenticated remote code execution. This activity, attributed with high confidence to the China-nexus espionage group UNC5221, began on May 15, 2025, and targets critical sectors globally, including healthcare, telecommunications, and government. The threat actors exploit these vulnerabilities to exfiltrate sensitive data, such as PII, authentication credentials, and access tokens, by leveraging a deep understanding of EPMM’s architecture and repurposing legitimate system components. Ivanti has released patches, and immediate application of these updates is strongly advised to mitigate further compromise.

Community Impact

Retail and hospitality entities face significant exposure through the Ivanti EPMM vulnerabilities, as threat actors could exploit a compromised mobile management platform to access extensive customer data, payment infrastructure, and employee credentials. As such, Core Members are advised to maintain situational awareness around the exploitation of CVE-2025-4427 and CVE-2025-4428, review the intelligence included here, and ingest the indicators of compromise provided below.

Analysis

UNC5221 begins its attack by exploiting vulnerabilities that allow it to run commands on Ivanti EPMM systems without authenticating. It uses a technique called Java Reflection to make the application execute attacker-supplied instructions. To maintain access, UNC5221 installs a loader known as KrustyLoader, delivered from legitimate-looking Amazon S3 storage locations; KrustyLoader then quietly downloads a more capable backdoor, Sliver, and injects it directly into the system's memory, which makes it harder to detect.

Once inside, the attackers demonstrate their deep understanding of Ivanti EPMM by going straight for the mifs database. They use hardcoded login credentials to access crucial data, including details about managed mobile devices, user information, and even Office 365 login tokens, which is then quietly exfiltrated from the compromised system. The attackers also install FRP (Fast Reverse Proxy), which acts as a hidden tunnel into the internal network, allowing them to scout for other vulnerable systems and move deeper into the organization.

Indicators of Compromise

EclecticIQ has provided the following indicators of compromise for recommended review and ingestion:

IP Addresses 

  • 103.244.88[.]125 – Used to host and deliver the FRP (Fast Reverse Proxy) binary. 
  • 27.25.148[.]183 – Hosted in China, reused from prior SAP NetWeaver exploitation campaigns attributed to UNC5221. 
  • 146.70.87[.]67:45020 – Associated with Auto-Color Linux backdoor command-and-control infrastructure. 
  • 124.223.202[.]90 – Hosted in China (Tencent Cloud); serves as the backend for the Yak Bridge service used to receive DNS callback traffic via ns1[.]cybertunnel[.]run.

KrustyLoader Samples 

  • 44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a 
  • 7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5 
  • f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c 
  • 150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21 

Decrypted Sliver C2 Sample from KrustyLoader 

  • 29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768 

Linux Bash Script Used to Dump MySQL Database 

  • 64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30 
  • b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab 

Malicious Domains 

Used to deliver KrustyLoader payloads: 

  • openrbf[.]s3[.]amazonaws[.]com 
  • tnegadge[.]s3[.]amazonaws[.]com 
  • fconnect[.]s3[.]amazonaws[.]com
  • trkbucket[.]s3[.]amazonaws[.]com 
  • the-mentor[.]s3[.]amazonaws[.]com 
  • tkshopqd[.]s3[.]amazonaws[.]com 

Staging URL for encrypted Sliver backdoor: 

  • http[:]//abbeglasses[.]s3[.]amazonaws[.]com/dSn9tM

Pastebin-style hosting for malicious script: 

  • https[:]//dpaste[.]com/9MQEJ6VYR.txt 

Used to verify successful RCE via DNS callback: 

  • ns1[.]cybertunnel[.]run – Functions as a nameserver (NS) for the dnstunnel[.]run DNSLog system, used in DNS tunnelling operations associated with the Yaklang/Yakit toolset. 
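The advisory asks Core Members to ingest the indicators above. The following script is an added example, not EclecticIQ tooling: it refangs the indicators exactly as published here and sweeps them over log lines. The log lines, timestamps, internal IPs, hostnames and file path are constructed for the example. Domain indicators match exact hosts and their subdomains (so a DNSLog callback under dnstunnel[.]run is caught), the dpaste[.]com indicator is matched only as the full URL because the paste service itself is shared infrastructure, and the 146.70.87[.]67 indicator matches only together with port 45020 as listed.

```python
"""Sweep the advisory's IoCs over proxy, DNS, flow and EDR log lines (added example)."""
import re
from typing import Dict, List, Optional, Tuple


def refang(value: str) -> str:
    """Turn the advisory's defanged notation ([.] and [:]) back into a matchable string."""
    return value.replace("[.]", ".").replace("[:]", ":")


# Indicators copied from the advisory in their published (defanged) form.
IOC_IPS = [
    "103.244.88[.]125",        # FRP binary hosting
    "27.25.148[.]183",         # reused UNC5221 infrastructure
    "146.70.87[.]67:45020",    # Auto-Color C2; the port narrows the match
    "124.223.202[.]90",        # Yak Bridge backend
]
IOC_DOMAINS = [
    "openrbf[.]s3[.]amazonaws[.]com", "tnegadge[.]s3[.]amazonaws[.]com",
    "fconnect[.]s3[.]amazonaws[.]com", "trkbucket[.]s3[.]amazonaws[.]com",
    "the-mentor[.]s3[.]amazonaws[.]com", "tkshopqd[.]s3[.]amazonaws[.]com",
    "abbeglasses[.]s3[.]amazonaws[.]com",   # Sliver staging bucket
    "ns1[.]cybertunnel[.]run",
    "dnstunnel[.]run",                      # any subdomain = DNSLog callback
]
# dpaste[.]com is a shared paste service, so only the exact URL is treated as an IoC.
IOC_URLS = [
    "https[:]//dpaste[.]com/9MQEJ6VYR.txt",
    "http[:]//abbeglasses[.]s3[.]amazonaws[.]com/dSn9tM",
]
IOC_SHA256 = {
    "44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a",
    "7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5",
    "f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c",
    "150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21",
    "29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768",
    "64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30",
    "b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab",
}


def _ip_port(value: str) -> Tuple[str, Optional[str]]:
    ip, _, port = value.partition(":")
    return ip, (port or None)


IP_IOCS = [_ip_port(refang(v)) for v in IOC_IPS]
DOMAIN_IOCS = [refang(v) for v in IOC_DOMAINS]
URL_IOCS = [refang(v).lower() for v in IOC_URLS]

IP_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    low = line.lower()
    for ip, port in IP_RE.findall(line):
        for ioc_ip, ioc_port in IP_IOCS:
            if ip == ioc_ip and (ioc_port is None or ioc_port == port):
                hits.append(("ip", ioc_ip if ioc_port is None else f"{ioc_ip}:{ioc_port}"))
    for host in HOST_RE.findall(low):
        for dom in DOMAIN_IOCS:
            if host == dom or host.endswith("." + dom):
                hits.append(("domain", dom))
    for url in URL_IOCS:
        if url in low:
            hits.append(("url", url))
    for digest in SHA256_RE.findall(low):
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    return hits


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line; line numbers are 1-based for analyst convenience."""
    return [
        {"line": idx, "type": kind, "indicator": ioc}
        for idx, line in enumerate(lines, start=1)
        for kind, ioc in scan_line(line)
    ]


# Constructed sample log lines (not from any real environment).
SAMPLE_LOGS = [
    "2025-05-16T10:02:11Z proxy src=10.0.5.21 dst=openrbf.s3.amazonaws.com:443 method=GET status=200",
    "2025-05-16T10:03:40Z dns client=10.0.5.21 query=a1b2c3.dnstunnel.run type=A",
    "2025-05-16T10:05:02Z flow src=10.0.5.21 dst=146.70.87.67:45020 proto=tcp bytes=8812",
    "2025-05-16T10:06:00Z proxy src=10.0.5.22 dst=updates.example.com:443 method=GET status=200",
    "2025-05-16T10:07:13Z edr host=epmm01 event=file_write "
    "sha256=44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a path=/tmp/constructed-sample",
    "2025-05-16T10:08:45Z proxy src=10.0.5.21 dst=dpaste.com:443 url=https://dpaste.com/9MQEJ6VYR.txt status=200",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} match on {hit['indicator']}")
```

Lines 1, 2, 3, 5 and 6 of the sample produce hits; the benign proxy line does not, and a bare `s3.amazonaws.com` host would not match either, because only the listed bucket hostnames (and their subdomains) are treated as indicators.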