Ivanti Connect Secure Vulnerability Exploited To Install SPAWNCHIMERA Malware

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Cyble Research and Intelligence Labs (CRIL) came across an article wherein security researchers have identified the exploitation of Ivanti Connect Secure vulnerability CVE-2025-0282 to install the updated version of the SPAWN family of malware known as SPAWNCHIMERA.
Exploiting CVE-2025-0282 could enable unauthenticated remote code execution in Ivanti Connect Secure, Policy Secure, and ZTA Gateways.
Technical Details
The malware SPAWNCHIMERA integrates updated functionalities from SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. As a result, its installation and process injection methods remain largely consistent with previous SPAWN family malware.
SPAWNCHIMERA injects itself into multiple processes and operates within each one. Key modifications include:
● Changes to inter-process communication
● A feature that addresses the CVE-2025-0282 vulnerability
● Additional decoding functions
● Removal of debug messages

In previous versions of the SPAWN family, SPAWNMOLE would forward malicious traffic received on port 8300 of 127.0.0.1 while SPAWNSNAIL processed that traffic. However, this inter-process communication method has now been replaced with UNIX domain sockets.
The socket is created at a specific path, “/home/runtime/tmp/.logsrv”, and facilitates communication between instances of SPAWNCHIMERA injected into the web process and the dsmdm process. As a result of this change, malicious traffic may no longer appear in the netstat command output generated by the Integrity Checker Tool (ICT), making detection more challenging.
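As an added example (not code from the report or from Ivanti's Integrity Checker Tool), the following parser reads records in the layout of /proc/net/unix, which lists UNIX domain sockets that a TCP-oriented netstat view would miss, and flags the socket path named above; the hidden-dot-file heuristic for other tmp directories is an assumption of this example, not a reported indicator.

```python
# Added example: scan /proc/net/unix-style records for the UNIX domain socket
# path SPAWNCHIMERA is reported to create. Not code from the report or the ICT.
import re
from typing import Dict, List

# Path named in the report; other hidden sockets in tmp directories are flagged
# as lower-confidence hits (heuristic assumption of this example).
KNOWN_BAD_PATH = "/home/runtime/tmp/.logsrv"
HIDDEN_TMP_SOCKET = re.compile(r"^/(?:home/runtime/)?tmp/\.[^/]+$")

# Constructed sample in /proc/net/unix layout:
# Num RefCount Protocol Flags Type St Inode Path
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000001: 00000002 00000000 00010000 0001 01 12345 /run/dbus/system_bus_socket
0000000000000002: 00000002 00000000 00010000 0001 01 12346 /home/runtime/tmp/.logsrv
0000000000000003: 00000003 00000000 00000000 0001 03 12347 /home/runtime/tmp/.logsrv
0000000000000004: 00000002 00000000 00010000 0001 01 12348 /tmp/.hidden.sock
0000000000000005: 00000002 00000000 00000000 0001 01 12349
"""

def parse_proc_net_unix(text: str) -> List[Dict[str, str]]:
    """Parse /proc/net/unix records; sockets with no bound path get path ''."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 7)             # the Path column may be absent
        if len(parts) < 7:
            continue
        rows.append({"flags": parts[3], "state": parts[5], "inode": parts[6],
                     "path": parts[7] if len(parts) == 8 else ""})
    return rows

def find_suspicious_sockets(text: str) -> List[Dict[str, str]]:
    """Return records bound to the reported path or to a hidden tmp socket.
    Flags value 00010000 (__SO_ACCEPTCON) marks a listening socket."""
    hits = []
    for r in parse_proc_net_unix(text):
        if r["path"] == KNOWN_BAD_PATH:
            r["verdict"] = "known SPAWNCHIMERA socket path"
        elif HIDDEN_TMP_SOCKET.match(r["path"]):
            r["verdict"] = "hidden tmp socket (heuristic)"
        else:
            continue
        r["listening"] = r["flags"] == "00010000"
        hits.append(r)
    return hits

if __name__ == "__main__":
    for h in find_suspicious_sockets(SAMPLE_PROC_NET_UNIX):
        print(f"{h['path']} inode={h['inode']} listening={h['listening']}: {h['verdict']}")
```

On a live host the same function can be fed the contents of /proc/net/unix directly; the listening flag distinguishes the server end from connected peers.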
SPAWNCHIMERA includes a feature designed to mitigate the CVE-2025-0282 vulnerability. CVE-2025-0282 is a buffer overflow caused by a call to the strncpy function. To address this, SPAWNCHIMERA dynamically hooks strncpy and restricts the copy size to 256 bytes. Figure 2 illustrates the modified strncpy function. This fix is applied only when the process name is "web", which is verified by converting the name to hexadecimal and checking its summed value. However, the fix is disabled if the beginning of the source buffer passed to strncpy matches 0x04050203. As a result, this function may prevent subsequent attackers from exploiting the vulnerability to gain access or execute proof-of-concept (PoC) code.

In earlier samples, the private key for the SSH server function was hard-coded in plain text within the malware and exported to /tmp/.dskey. However, in SPAWNCHIMERA, the key is embedded in an encoded form and decrypted using an XOR-based decoding function before use. Since the key is no longer written to a file, it leaves fewer traces. The decrypted private key is shown below.
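As an added analysis example (not the malware's decoding routine; the report does not describe the XOR scheme, so a repeating-key XOR is assumed here), the block below recovers the keystream from an embedded blob using the fixed PEM header as a crib and decodes the rest, which is how an analyst can extract such a key without running the sample. The blob, key and PEM text are constructed dummies.

```python
# Added example: crib-based recovery of a repeating-key XOR-encoded PEM blob.
# Assumption: repeating-key XOR; the report gives no details of the real scheme.
from itertools import cycle
from typing import Optional, Tuple

CRIB = b"-----BEGIN "          # every PEM private key begins with this header

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(blob: bytes, crib: bytes = CRIB) -> Optional[bytes]:
    """Try key lengths 1..len(crib): the keystream under the crib must repeat
    with that period, and the full decode must look like a PEM private key.
    Returns the shortest key that satisfies both, or None."""
    stream = xor_bytes(blob[:len(crib)], crib)      # crib XOR ciphertext = keystream
    for n in range(1, len(crib) + 1):
        cand = stream[:n]
        if xor_bytes(crib, cand) != blob[:len(crib)]:
            continue                                 # keystream not periodic with n
        plain = xor_bytes(blob, cand)
        if b"PRIVATE KEY-----" in plain and plain.endswith(b"-----\n"):
            return cand
    return None

def decode_embedded_key(blob: bytes) -> Tuple[Optional[bytes], bytes]:
    """Return (recovered key, decoded PEM) or (None, b'') when recovery fails."""
    key = recover_key(blob)
    return key, (xor_bytes(blob, key) if key else b"")

# Constructed sample: a dummy PEM body (not a real key) encoded with a 4-byte key.
SAMPLE_KEY = b"\x5a\x13\xc4\x7e"
SAMPLE_PEM = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"b3BlbnNzaC1rZXktdjEAAAAAAAAAAAAAAAAAAAAA\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_BLOB = xor_bytes(SAMPLE_PEM, SAMPLE_KEY)

if __name__ == "__main__":
    key, pem = decode_embedded_key(SAMPLE_BLOB)
    print("key:", key.hex() if key else None)
    print(pem.decode())
```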

Previously, samples identified malicious traffic by checking if a portion of the receiving buffer matched a hardcoded value in the modified accept function. However, in SPAWNCHIMERA, a new decoding function has been introduced, and the determination method now relies on the results of that function’s calculation.

The version of SPAWNSLOTH dropped by SPAWNCHIMERA remains functionally similar to previous iterations. However, all debug message-related functions have been removed from the sample, likely to hinder analysis and detection. This modification is also present in the SPAWNCHIMERA main body.

Conclusion
SPAWNCHIMERA has evolved into a more advanced malware variant by refining various functions of the SPAWN family, making it more challenging to detect and analyze. The modifications, including enhanced process injection, changes to inter-process communication, and the removal of debug messages, indicate a deliberate effort to reduce forensic traces. Given these advancements, it is likely that the SPAWN family of malware will continue to be actively used and further developed, posing an ongoing threat to targeted systems. Continuous monitoring and adaptive defense strategies will be essential to mitigate its impact.
Recommendation
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
● Apply security patches promptly, especially for vulnerabilities like CVE-2025-0282, which SPAWNCHIMERA attempts to exploit.
● Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
● Ensure all software, including operating systems and third-party applications, is up to date.
● Monitor and restrict unnecessary inter-process communication, especially UNIX domain sockets that could be abused for stealthy data transfer.
● Use firewalls and intrusion detection/prevention systems (IDS/IPS) to detect suspicious traffic patterns.
● Deploy advanced endpoint detection and response (EDR) solutions to identify abnormal behaviors, such as unauthorized process injections.
● Regularly rotate SSH private keys and avoid storing them in predictable locations.
● Enable detailed system logging to capture process injection attempts and privilege escalations.
● Perform regular security assessments to identify and mitigate vulnerabilities before attackers exploit them.