SPAWNANT
SPAWNANT is a custom malware component of the SPAWN / SPAWNCHIMERA malware ecosystem used in intrusions against Ivanti Connect Secure VPN appliances, and is specifically identified as the installer module of SPAWNCHIMERA. Public reporting links its use to suspected China-nexus espionage activity, including UNC5221 and related clustering around UNC5337, in campaigns that exploited Ivanti zero-day and n-day vulnerabilities such as CVE-2025-0282 and CVE-2025-22457 for remote code execution on vulnerable edge devices.

The broader SPAWNCHIMERA toolkit includes SPAWNMOLE (a SOCKS5 tunneler), SPAWNSNAIL (an SSH backdoor), and SPAWNSLOTH (a log wiper / log-tampering component). SPAWNANT therefore functions as the installation component of a post-exploitation toolkit that supports persistence, tunneling, backdoor access, and anti-forensics on compromised Ivanti appliances. Reporting also describes SPAWNWAVE as an evolved version of SPAWNANT that combines capabilities from other members of the SPAWN ecosystem.

UNC5221 is described as targeting government agencies and has also been associated with attacks on organizations across multiple countries and industries, including government, financial institutions, telecommunications, automotive, and chemical sectors. No standalone indicators of compromise specific to SPAWNANT are provided in the sources summarized here.
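Because no SPAWNANT-specific indicators are available, hunting for this toolkit on an appliance's network path tends to fall back on protocol behaviour. The tunneler component is described only as SOCKS5, so what follows is an added, generic RFC 1928 handshake triage over captured TCP payloads. It is example code written for this page, not code from the SPAWN toolkit or from any vendor's detection rules, and it is not a signature for SPAWNMOLE: any plain SOCKS5 proxy will trip it, and a tunneler that wraps or encrypts the negotiation will not. The function names, the Socks5Request type, and the byte sequences in SAMPLE_TUNNEL and SAMPLE_HTTP are all constructed for the example.

```python
"""Generic SOCKS5 (RFC 1928) handshake triage over captured TCP payloads.

Added example for this page: a tunneler that speaks plain SOCKS5 leaves a
recognisable negotiation (client greeting, server method choice, request)
at the start of each proxied TCP flow. Protocol detection only; this is not
a signature for any specific SPAWN component.
"""
from dataclasses import dataclass
from typing import Optional
import socket
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_ACCEPTABLE_METHODS = 0xFF


@dataclass(frozen=True)
class Socks5Request:
    cmd: str
    host: str
    port: int


def parse_client_greeting(data: bytes) -> Optional[list]:
    """VER | NMETHODS | METHODS[NMETHODS]; returns offered auth methods or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_server_choice(data: bytes) -> Optional[int]:
    """VER | METHOD; returns the method the server selected, or None."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        return None
    return data[1]


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT (2 bytes, network order)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp, off = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < off + 1:
            return None
        addr_len = data[off]  # one-byte length prefix, no terminator
        off += 1
    else:
        return None
    if len(data) != off + addr_len + 2:  # exact length: trailing bytes are not SOCKS5
        return None
    raw = data[off:off + addr_len]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        host = raw.decode("ascii", errors="replace")
    port = struct.unpack("!H", data[off + addr_len:])[0]
    return Socks5Request(CMD_NAMES[cmd], host, port)


def triage_flow(segments) -> Optional[Socks5Request]:
    """Walk one TCP flow's payload segments in order. Each segment is
    (direction, payload) with direction "c2s" or "s2c". Returns the SOCKS5
    request if a complete RFC 1928 negotiation is observed, else None.
    A server answer of 0xFF (no acceptable methods) ends the negotiation."""
    state = "greeting"
    for direction, payload in segments:
        if state == "greeting" and direction == "c2s":
            if parse_client_greeting(payload) is not None:
                state = "choice"
        elif state == "choice" and direction == "s2c":
            method = parse_server_choice(payload)
            if method is None or method == NO_ACCEPTABLE_METHODS:
                return None
            state = "request"
        elif state == "request" and direction == "c2s":
            return parse_request(payload)
    return None


# Constructed sample flows for the example (not captured traffic).
SAMPLE_TUNNEL = [
    ("c2s", b"\x05\x01\x00"),                              # offers NO AUTH
    ("s2c", b"\x05\x00"),                                  # server selects NO AUTH
    ("c2s", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),   # CONNECT example.com:443
]
SAMPLE_HTTP = [
    ("c2s", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    print("tunnel :", triage_flow(SAMPLE_TUNNEL))
    print("http   :", triage_flow(SAMPLE_HTTP))
```

Feed it reassembled per-flow payloads (from a pcap or a flow collector that keeps initial bytes) rather than individual packets, since the greeting and request can be split or coalesced arbitrarily by the sender. A full negotiation followed by a CONNECT toward internal hosts, on an interface where a VPN appliance has no business acting as a proxy, is a pivot lead worth chasing; a miss proves nothing, because the tunneler may wrap the protocol in TLS or a custom framing.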
Vulnerabilities exploited
Two CVEs are correlated with this family across public research and vendor advisories: CVE-2025-0282 and CVE-2025-22457, the Ivanti vulnerabilities exploited for remote code execution in the campaigns described above.
Supporting snippet: "It includes multiple modules with diverse capabilities: SPAWNANT: Installer"
Groups observed using it
Two distinct threat actors are attributed by public researchers; the profile names UNC5221, with related clustering around UNC5337.
UNC5221 ... known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware.
Recent activity
Six sources are tracked across advisories, community write-ups, and news. Their descriptions of SPAWNANT are consistent but brief:
Custom malware attributed to UNC5221, used in operations exploiting Ivanti zero-days against government agencies.
Custom malware used by UNC5221 in campaigns exploiting Ivanti zero-days against government agencies (functionality not described in the source).
Custom malware associated with UNC5221 activity, referenced in the context of Ivanti zero-day exploitation against government agencies.