Breaking News: CISA Unveils New Malware Variant Impacting Ivanti Connect Secure Devices
CISA reveals new malware variant used on compromised Ivanti Connect Secure devices
The Cybersecurity and Infrastructure Security Agency (CISA) recently revealed the discovery of a new malware variant used on compromised Ivanti Connect Secure (previously known as Pulse Secure) devices.
According to a report by the agency, this malware variant was leveraged by cyber attackers exploiting a zero-day vulnerability (CVE-2025-0282) on Ivanti Connect Secure VPN appliances in late 2024.
Cyber Attacks and CVE-2025-0282
CVE-2025-0282 is a security vulnerability that allows unauthenticated attackers to gain administrative privileges on vulnerable Ivanti Connect Secure appliances.
Attackers used this vulnerability to install the newly identified malware variant on compromised devices, enabling them to collect credentials, bypass authentication mechanisms, and conduct further malicious activity.
The New Malware Variant
CISA, along with its cyber threat partners, identified this new malware variant while conducting threat hunting on breached Ivanti Connect Secure devices.
The malware variant appears to be complex and stealthy, with advanced features that allow for persistence, information harvesting, and remote control of the compromised device.
The specific technical details of this malware variant are still under examination.
Indicators of Compromise and Detection Signatures
The agency has, however, released the indicators of compromise (IoCs) and detection signatures for this new malware variant.
These IoCs and signatures can be used by cybersecurity professionals to identify infected devices, and to formulate defensive mitigation strategies.
The Updated Mitigation Instructions
In light of this recent discovery, CISA has updated its mitigation advice, emphasizing the importance of factory resetting all Ivanti Connect Secure appliances, even those on which no evidence of compromise has been found during threat hunting.
This precautionary measure is necessary because the malware variant's stealth and persistence mean it can go undetected by usual threat hunting methods.
For appliances deployed as virtual machines in cloud environments, the agency also recommends a complete factory reset.
Post-reset, all devices must be patched with the latest security updates to prevent future compromises.
Undoubtedly, this development underscores the ever-evolving tactics and sophistication of cyber attackers, and the importance of regular threat hunting, updating security patches, and being vigilant about potential vulnerabilities on all enterprise devices.
Follow-Up Reading
For more information on this topic and related subjects, please refer to these reliable resources: