Friday, May 9, 2025
Homecyber securitySPAWNCHIMERA Malware Exploits Ivanti Buffer Overflow Vulnerability by Applying a Critical Fix

SPAWNCHIMERA Malware Exploits Ivanti Buffer Overflow Vulnerability by Applying a Critical Fix

Published on

SIEM as a Service

Follow Us on Google News

In a recent development, the SPAWNCHIMERA malware family has been identified exploiting the buffer overflow vulnerability CVE-2025-0282 in Ivanti Connect Secure, as confirmed by JPCERT/CC.

This vulnerability, disclosed in January 2025, had already been actively exploited since late December 2024, prior to its public announcement.

The malware, an evolved variant of the SPAWN family, integrates multiple advanced features to enhance its functionality and evade detection.

- Advertisement - Google News

Exploitation and Dynamic Vulnerability Fixing

SPAWNCHIMERA introduces a unique capability to dynamically patch the CVE-2025-0282 vulnerability.

SPAWNCHIMERA Malware
Flow of SPAWNCHIMERA’s behavior.

This buffer overflow issue stems from improper use of the strncpy function.

The malware mitigates this flaw by hooking the function and restricting the copy size to 256 bytes.

This fix is triggered only when specific conditions are met, such as when the process name is “web.”

Notably, this mechanism not only prevents exploitation by other attackers but also blocks penetration attempts using proof-of-concept (PoC) tools designed to scan for this vulnerability.

Enhanced Stealth Through Inter-Process Communication Changes

The malware has shifted its inter-process communication method from using local port 8300 to UNIX domain sockets.

Malicious traffic is now routed between processes via a hidden path (/home/runtime/tmp/.logsrv), making it significantly harder to detect using standard network monitoring tools like netstat.

According to JPCERT Report, this modification reflects SPAWNCHIMERA’s focus on evading detection while maintaining robust functionality.

SPAWNCHIMERA further obfuscates its activities by encoding its SSH private key within the malware sample itself.

The key is decoded dynamically using an XOR-based function during runtime, leaving minimal forensic traces.

Additionally, the malware has replaced hardcoded traffic identifiers with a calculation-based decode function to determine malicious traffic.

Debugging messages present in earlier versions have also been removed, complicating analysis efforts and reducing opportunities for detection during reverse engineering.

The integration of these advanced features demonstrates SPAWNCHIMERA’s evolution into a more sophisticated threat.

By combining exploitation capabilities with mitigation mechanisms like vulnerability fixing, the malware not only ensures its persistence but also disrupts competing threat actors’ efforts.

These changes highlight a growing trend where malware authors incorporate defensive techniques to secure their foothold within compromised systems.

Organizations using Ivanti Connect Secure are urged to apply vendor-provided patches immediately and monitor for signs of compromise.

Enhanced detection methods focusing on behavioral analysis rather than static signatures may be necessary to identify threats like SPAWNCHIMERA effectively.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known...

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows...

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed...

Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition

Critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known...

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows...

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed...