
China hacks finance via VPNs

China-linked hackers are actively exploiting vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organizations, with a significant focus on the finance sector. The campaign uses sophisticated malware to compromise systems, highlighting the urgent need for financial institutions and fintech platforms to prioritize security and address unpatched vulnerabilities.

  • Nikita Alexander
  • April 14, 2025
  • 3 minutes

A China-linked advanced persistent threat (APT) group is exploiting critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organizations across multiple countries and industries, according to cybersecurity firms. The campaign, which began in late March 2025, leverages CVE-2025-0282 and CVE-2025-22457, both stack-based buffer overflow flaws with maximum CVSS scores of 9.0, to deploy malware and establish persistent network access.

The attacks have impacted entities in the UK, the U.S., Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan and the UAE. Targeted industries include government agencies, financial institutions, telecommunications, law firms, and intergovernmental organizations, indicating a broad scope with a focus on high-value sectors critical to the global economy.

Implications for financial infrastructure

The APT group, assessed by Mandiant as UNC5221 and linked to Chinese state interests, is weaponizing the Ivanti vulnerabilities to achieve unauthenticated remote code execution (RCE). Once inside, the attackers deploy the SPAWNCHIMERA malware suite, tailored explicitly for Ivanti appliances. Key components of this suite include:

  • SPAWNANT: A stealthy installer that bypasses integrity checks.

  • SPAWNMOLE: A SOCKS5 proxy for tunneling traffic.

  • SPAWNSNAIL: An SSH backdoor for persistent access.

  • SPAWNSLOTH: A log-wiping tool to erase forensic evidence.

The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, so exploitation can continue even after patches are applied. Security analysts have confirmed the exploitability of these vulnerabilities, noting that CVE-2025-22457, initially seen as a low-risk denial-of-service bug, was later weaponized for RCE.

Widespread impact and slow remediation

Since April 2025, mass exploitation attempts have caused instability in many Ivanti VPN appliances, with failed attacks leading to widespread service disruptions. Despite Ivanti’s patches released in February, thousands of devices remain unpatched due to slow enterprise remediation efforts. This slow response within the finance sector increases the risk of significant data breaches, financial losses, and damage to customer trust.

The sophistication of the SPAWNCHIMERA toolkit reflects a growing focus on cyber espionage by state-affiliated actors. TeamT5 urges affected organizations to take immediate action:

  • Apply Ivanti’s version 22.7R2.5 patches immediately.

  • Conduct full network forensic analyses to identify dormant malware.

  • Reset VPN appliances and revoke credentials exposed during breaches.
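The first step above is only as good as an organization's knowledge of which appliances are still below the fixed version. As an added illustration (not code from TeamT5, Ivanti or the article), the following script compares an appliance inventory against the 22.7R2.5 version named above. It assumes Ivanti version strings follow the <major>.<minor>R<release>[.<patch>] pattern seen in 22.7R2.5; the hostnames and versions in the inventory are constructed for the example.

```python
from __future__ import annotations

import re

# Constructed inventory: hostnames and version strings are made up for illustration.
INVENTORY = [
    ("vpn-lon-01", "22.7R2.5"),
    ("vpn-nyc-01", "22.7R2.4"),
    ("vpn-sin-02", "22.7R1.2"),
    ("vpn-tyo-01", "9.1R18.9"),
    ("vpn-fra-03", "22.7R2.6"),
]

FIXED_VERSION = "22.7R2.5"  # remediation version named in the article

# Assumed version scheme: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a version string such as 22.7R2.5 into a comparable tuple.

    A missing patch component counts as 0. Unrecognised strings are rejected
    rather than guessed, so a typo in the inventory cannot hide a stale device.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs the fixed version or a later one."""
    return parse_version(version) >= parse_version(fixed)


def unpatched_hosts(inventory, fixed: str = FIXED_VERSION) -> list[str]:
    """Return hostnames still below the fixed version, oldest version first."""
    stale = [(parse_version(v), host) for host, v in inventory if not is_patched(v, fixed)]
    return [host for _, host in sorted(stale)]


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: below {FIXED_VERSION}; patch, then run forensics before trusting it")
```

Because the article notes that attackers patch vulnerable components in memory, a device that reports the fixed version after the fact still needs the forensic review and credential reset listed above, not just the version check.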

CISA’s involvement and long-term implications

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch Ivanti vulnerabilities, highlighting the severity of the threat. However, the slow pace of patching and the scale of the compromise – with over 1,700 devices affected globally – suggest that the operational fallout could persist for years. For the finance sector, this could mean prolonged instability, increased regulatory scrutiny, and the potential for systemic risk.

“The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations,” warns one analyst. This incident underscores the urgent need for proactive vulnerability management, robust third-party risk management, cross-sector threat intelligence sharing within the financial industry, and heightened vigilance in the face of escalating geopolitical tensions.