SPAWNCHIMERA is a backdoor that supports command and control and can inject malicious components into native processes.[1][2][3] It incorporates capabilities from multiple tools within the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL.[4][2][3] SPAWNCHIMERA was first reported in April 2024.[2] SPAWNCHIMERA has been observed in activity attributed to People's Republic of China (PRC) state-sponsored threat actors, including UNC5221.[4][5][2][6]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1037 | Boot or Logon Initialization Scripts | SPAWNCHIMERA has modified the boot process files within |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | SPAWNCHIMERA has searched the contents of two Python files, scanner.py and scanner_legacy.py, for specific lines and replaced them with values that reduce their ability to track mismatches or new files.[1] |
| Enterprise | T1005 | Data from Local System | SPAWNCHIMERA has extracted the device's Linux kernel image (vmlinux).[1][5][6] |
| Enterprise | T1678 | Delay Execution | SPAWNCHIMERA has used delayed execution to pause for a defined interval before performing environment discovery, repeatedly checking for specific processes, such as the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SPAWNCHIMERA has decoded an XOR-encoded private key.[3] |
| Enterprise | T1685 | Disable or Modify Tools | SPAWNCHIMERA has modified the Ivanti Integrity Checker Tool to evade detection.[1][6] |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | SPAWNCHIMERA has fixed a buffer overflow vulnerability (CVE-2025-0282) by hooking the strncpy function and limiting the copy size to 256 to prevent other actors from leveraging the exploit.[3] SPAWNCHIMERA has converted its process name to hexadecimal and verifies an added value, which is triggered when the first byte of the source copied to the fixed strncpy function matches |
| Enterprise | T1574 | Hijack Execution Flow | SPAWNCHIMERA can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process.[4][2] |
| Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | SPAWNCHIMERA has been compiled as a Position Independent Executable (PIE) to use a third-party library for injection.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | SPAWNCHIMERA has deleted generated files and folders from victim devices.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | SPAWNCHIMERA has updated the timestamp using the |
| Enterprise | T1559 | Inter-Process Communication | SPAWNCHIMERA has leveraged IPC using a UNIX domain socket between the dsmdm process and the web process.[2][3] |
| Enterprise | T1040 | Network Sniffing | SPAWNCHIMERA has monitored and filtered network traffic on compromised edge devices, allowing legitimate traffic to pass while redirecting attacker-controlled traffic to infrastructure under adversary control.[4][2] |
| Enterprise | T1571 | Non-Standard Port | SPAWNCHIMERA has the ability to bind to localhost and listen on port 8300.[2][3] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | SPAWNCHIMERA has encoded a private key with XOR.[3] SPAWNCHIMERA has also encrypted data to be extracted using AES encryption.[5][6] |
| Enterprise | T1690 | Prevent Command History Logging | SPAWNCHIMERA has disabled logging and log forwarding on Ivanti devices targeting the |
| Enterprise | T1057 | Process Discovery | SPAWNCHIMERA has searched for running processes, including web or dsmdm.[1][2] |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | SPAWNCHIMERA has executed only in memory and hooked itself into existing processes on the victim device, including the web process.[1][2][3] |
| Enterprise | T1572 | Protocol Tunneling | SPAWNCHIMERA has created SSH tunnels to facilitate C2 communications.[1][4][2] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | SPAWNCHIMERA has created web shells that facilitate actions on the victim host.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | SPAWNCHIMERA has checked whether SELinux is enabled on the targeted host.[2] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | SPAWNCHIMERA has generated RSA keys against modified files to sign the manifest file so that they appear legitimate.[1][4] |
| Enterprise | T1082 | System Information Discovery | SPAWNCHIMERA has obtained system information such as release, uptime, and current time.[2] |