Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
Five distinct malware families have been used by suspected nation-state actors to exploit two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances. Mandiant, the Google-owned threat intelligence firm, is tracking the threat actor as UNC5221. Volexity suspects that a Chinese espionage actor, UTA0178, could be behind the activity. Ivanti reported that fewer than ten customers were affected, suggesting a highly targeted campaign. UNC5221 has not been linked to any known group or country.