
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of malware deployed in attacks exploiting the vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).
The flaws are an authentication bypass in EPMM's API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that, chained together, allow execution of arbitrary code.
The two vulnerabilities affect the following EPMM release branches and earlier releases: 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0.
Ivanti addressed the issues on May 13, but threat actors were already exploiting them as zero-days in attacks against "a very limited number of customers".
About a week later, threat intelligence platform EclecticIQ reported with high confidence that a China-nexus espionage group had been exploiting the two vulnerabilities since at least May 15.
Researchers said the China-linked threat actors were very knowledgeable about EPMM's internal architecture and were able to repurpose system components to exfiltrate data.
The CISA report, however, makes no attribution and focuses only on the technical details of malicious files obtained from an organization attacked by threat actors using an exploit chain for CVE-2025-4427 and CVE-2025-4428.
Fragmented malware delivery
The US agency analyzed two sets of malware comprising five files, which the hackers used to achieve initial access to an on-premises EPMM system.
"Cyber threat actors targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the format= parameter to send malicious remote commands," CISA says.
The commands let the threat actor collect system information, list the root directory, map the network, obtain malicious files, and clean up related activity by removing the Lightweight Directory Access Protocol (LDAP) credentials.
Each of the analyzed malware sets included a separate loader with the same file name, plus malicious listeners that allow injecting into the compromised system and running arbitrary code:
- Set 1:
  - web-install.jar (Loader 1)
  - ReflectUtil.class – included in Loader 1; manipulates Java objects to inject and manage the malicious listeners in the set.
  - SecurityHandlerWanListener.class – a malicious listener that can be used to inject and execute code on the server, exfiltrate data, and establish persistence
- Set 2:
  - web-install.jar (Loader 2)
  - WebAndroidAppInstaller.class – a malicious listener in Loader 2 that the threat actor can use to inject and execute code, establish persistence, and exfiltrate data
According to CISA, the threat actor delivered the payload in base64-encoded chunks, fragmenting the malware across different HTTP GET requests.
The two separate malware sets function the same way, intercepting specific HTTP requests to decode and run the payload supplied by the attackers.
CISA has provided detailed indicators of compromise (IOCs), YARA rules, and Sigma rules to help detect such attacks.
The agency recommends that organizations that find the analyzed files, or similar ones, on their systems isolate the affected host, collect and review artifacts, and create a full forensic disk image for review and sharing with CISA.
As a mitigation action, CISA urges immediately updating affected Ivanti EPMM instances and treating mobile device management (MDM) systems as high-value assets (HVAs), which require additional security restrictions and monitoring.
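The delivery pattern described above, GET requests to the /mifs/rs/api/v2/ endpoint carrying a format= parameter and the payload split into base64 chunks across several requests, is the kind of thing a defender can hunt for in web-server access logs. The script below is an added example written for this page, not code from CISA or Ivanti. It parses constructed combined-format log lines, flags GET requests to the endpoint that carry a format parameter, groups any base64 chunk parameters by client address, reassembles them in order, and reports whether every chunk is valid base64. The chunk and seq query parameter names, the log lines, and the "hello world" payload are all constructed for illustration; the report does not state which parameters carried the fragments.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/Nginx "combined" style.
# The /mifs/rs/api/v2/ path and format= parameter come from CISA's description;
# the "seq" and "chunk" parameter names and the benign base64 payload
# ("hello world" split in two) are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2025:10:00:01 +0000] "GET /mifs/rs/api/v2/?format=json HTTP/1.1" 200 512
203.0.113.10 - - [20/May/2025:10:00:02 +0000] "GET /mifs/rs/api/v2/?format=json&seq=0&chunk=aGVsbG8g HTTP/1.1" 200 0
203.0.113.10 - - [20/May/2025:10:00:03 +0000] "GET /mifs/rs/api/v2/?format=json&seq=1&chunk=d29ybGQ= HTTP/1.1" 200 0
198.51.100.7 - - [20/May/2025:10:01:00 +0000] "GET /mifs/rs/api/v2/?format=json HTTP/1.1" 200 2048
198.51.100.7 - - [20/May/2025:10:01:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Parse combined-format access log lines into dicts with the URL split out."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected layout
        e = m.groupdict()
        parts = urlsplit(e["target"])
        e["path"] = parts.path
        e["query"] = parse_qs(parts.query, keep_blank_values=True)
        entries.append(e)
    return entries


def is_api_format_request(e):
    """GET to the EPMM API endpoint with a format parameter, per CISA's description."""
    return (
        e["method"] == "GET"
        and e["path"].startswith("/mifs/rs/api/v2/")
        and "format" in e["query"]
    )


def decode_chunk(s):
    """Strictly decode one base64 chunk; return None if it is not valid base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_fragmented_payloads(entries, chunk_param="chunk", seq_param="seq"):
    """Group chunk parameters by client, order them by seq, and reassemble."""
    by_client = defaultdict(list)
    for e in entries:
        if not is_api_format_request(e):
            continue
        chunks = e["query"].get(chunk_param)
        if not chunks:
            continue
        try:
            seq = int(e["query"].get(seq_param, ["0"])[0])
        except ValueError:
            seq = 0
        by_client[e["ip"]].append((seq, chunks[0]))

    results = {}
    for ip, pieces in by_client.items():
        if len(pieces) < 2:
            continue  # a single chunk is not evidence of fragmentation
        pieces.sort()
        decoded = [decode_chunk(c) for _, c in pieces]
        results[ip] = {
            "chunks": len(pieces),
            "all_valid_base64": all(d is not None for d in decoded),
            "decoded": b"".join(d for d in decoded if d is not None),
        }
    return results


def detect(text):
    """Summarise endpoint hits and any reassembled fragmented payloads."""
    entries = parse_log(text)
    return {
        "api_format_requests": sum(1 for e in entries if is_api_format_request(e)),
        "fragmented": find_fragmented_payloads(entries),
    }


if __name__ == "__main__":
    report = detect(SAMPLE_LOG)
    print("requests to /mifs/rs/api/v2/ with format=:", report["api_format_requests"])
    for ip, info in report["fragmented"].items():
        print(ip, info["chunks"], "chunks, valid base64:", info["all_valid_base64"],
              "reassembled:", info["decoded"])
```

In production logs the endpoint is also used legitimately, so the format= hit count on its own is only a triage signal; the stronger indicator is one client sending a run of requests whose parameters all decode as base64 and reassemble into something that looks like a Java archive or class file rather than API data.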