Ivanti Zero-Days Were Exploited to Drop MdifyLoader and Launch In-Memory Cobalt Strike Attacks

3 Min Read

Cybersecurity researchers have revealed details of a new malware called MdifyLoader that has been observed in cyberattacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.

According to a report released today by JPCERT/CC, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457, in intrusions observed between December 2024 and July 2025, weaponized the vulnerabilities to drop MdifyLoader.

CVE-2025-0282 is a serious security flaw in ICS that could allow unauthenticated remote code execution; it was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in April 2025, is a stack-based buffer overflow that can be exploited to execute arbitrary code.

Both vulnerabilities were weaponized in the wild as zero-days, and earlier findings from JPCERT/CC in April revealed that the first of the two issues had been abused to deliver malware families such as SpawnChimera and DslogdRAT.

The latest analysis of attacks involving the ICS vulnerabilities uncovered the use of the DLL sideloading technique to launch MdifyLoader with an encoded Cobalt Strike Beacon payload. The Beacon has been identified as version 4.5, released in December 2021.

“MdifyLoader is a loader created based on the open source project libpeconv,” said Yuma Masubuchi, a researcher at JPCERT/CC. “MdifyLoader loads encrypted data files, decodes Cobalt Strike Beacons and runs them in memory.”

The attackers also used a Go-based remote access tool called VShell and an open source network scanning utility, also written in Go, called Fscan. It is worth noting that both programs have been adopted by various Chinese hacking groups in recent months.

Fscan execution flow

Fscan is run by a loader that is itself launched via DLL sideloading. The rogue DLL loader is based on the open source tool FilelessRemotePE.


“The VShell used has the ability to check if the system language is set to Chinese,” JPCERT/CC said. “It was confirmed that the attacker repeatedly failed to run VShell and tried to run it again each time after installing a new version. This behavior suggests that a language check function, which is likely intended for internal testing, was enabled during deployment.”

Once they had gained a foothold on the internal network, the attackers reportedly carried out brute-force attacks against FTP, MS-SQL and SSH servers, extracted credentials, and used the EternalBlue SMB exploit (MS17-010) to move laterally across the network.

“Attackers create new domain accounts, add them to existing groups, and allow them to retain access even if previously acquired credentials are revoked,” says Masubuchi.

“These accounts blend in with normal operations and allow long-term access to the internal network. Additionally, the attackers registered malware as a service or scheduled task to maintain persistence and run at system startup or on specific event triggers.”
