A newly published report by Yuma Masubuchi from the JPCERT Coordination Center (JPCERT/CC) has uncovered the deployment of a stealthy remote access trojan dubbed DslogdRAT, which was installed on compromised Ivanti Connect Secure devices by exploiting a zero-day vulnerability tracked as CVE-2025-0282. The attacks took place in December 2024 and primarily targeted organizations in Japan.
Attackers first deployed a Perl-based web shell to execute arbitrary commands on the infected system. This lightweight backdoor operated as a CGI script and checked for a specific cookie value, DSAUTOKEN=af95380019083db5, before processing commands.
“It is considered that attackers accessed this simple web shell to execute commands to run malware such as DslogdRAT,” according to JPCERT/CC.
Once triggered, DslogdRAT exhibits a multi-stage process flow to evade detection. The main process spawns a child process that decodes configuration data and initiates a second core process. The malware’s architecture ensures that a persistent parent process remains active with intermittent sleep intervals to avoid termination.
“The second child process contains DslogdRAT core functionality, which includes: Initiate communication with the C2 server… and execution of various commands.”
DslogdRAT communicates with its Command-and-Control (C2) server via sockets using a custom XOR-based encoding scheme. The encoded communication includes system fingerprints and follows a specific format outlined in the report.
- The RAT supports the following key capabilities:
- File upload and download
- Shell command execution
- Proxy functionality
This enables threat actors to maintain control over the infected system and use it as a foothold for further intrusion.
JPCERT/CC analysis revealed that DslogdRAT is programmed to operate only between 8:00 AM and 8:00 PM, staying dormant outside these hours to blend in with normal user activity.
“It is considered that attackers intended to avoid detection by communicating during business hours,” the report explains.
Alongside DslogdRAT, the SPAWNSNARE malware was also discovered on affected systems. While it’s currently unclear whether the two are part of the same campaign linked to UNC5221, the simultaneous presence of both malware types suggests coordination among advanced threat actors.