SPAWNCHIMERA
SPAWNCHIMERA is a SPAWN-family malware toolkit developed specifically for Ivanti Connect Secure (ICS) / Ivanti VPN appliances. Public reporting links it to exploitation of Ivanti vulnerabilities including CVE-2025-0282 and CVE-2025-22457, with deployment observed from at least December 2024 through 2025. TeamT5 describes SPAWNCHIMERA as comprising modules including SPAWNANT (installer), SPAWNMOLE (SOCKS5 tunneler), SPAWNSNAIL (SSH backdoor), and SPAWNSLOTH (log wiper). The family is associated with suspected China-nexus espionage activity, including the cluster tracked as UNC5337 and the broader UNC5221.
Capabilities reported for the family include surviving reboots, an SSH tunnel used as a covert command-and-control path, port-knocking access, log tampering or wiping, and evasion through modification of the Ivanti Integrity Checker Tool (ICT). One analyzed client accessed the SpawnChimera backdoor via port knocking, and another report states that a SpawnChimera client tied to IP 203.234.192.200 used TLS ClientHello-based port knocking; that IP is identified as belonging to The Hankyoreh newspaper in South Korea. Additional reported behavior includes use of the touch command to alter file timestamps and generation of RSA keys to sign modified files so that integrity manifests appear legitimate.
The malware targets Ivanti Connect Secure appliances used by enterprises and government organizations, with victims across multiple countries and sectors including government, telecommunications, financial institutions, automotive, and chemical industries. Related reporting notes overlap between SPAWNCHIMERA and later SPAWN-family variants such as RESURGE and SPAWNWAVE; RESURGE is explicitly described as building on SPAWNCHIMERA, sharing its SSH-tunneling and reboot-persistence functionality while adding further commands.
Vulnerabilities exploited
Two CVEs are correlated with this family across public research and vendor advisories:
CVE-2025-22457: "...attributed to a stack-based buffer overflow weakness. This vulnerability impacts a range of Ivanti products, including Pulse Connect Secure 9.1x and Ivanti Connect Secure 22.7R2.5 and earlier... Ivanti released a patch for this vulnerability on February 11, 2025."
CVE-2025-0282: "...a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025." Sources describe it as the zero-day exploited "during attacks against organizations in Japan around December 2024" to install SPAWNCHIMERA, and as the vector used to "...deliver updated versions of SPAWN called SPAWNCHIMERA and RESURGE."
Groups observed using it
Three distinct threat actors are attributed by public researchers, including the China-nexus clusters UNC5337 and UNC5221 noted above. Evidence excerpts:
Section 2.7, "Spawn Chimera and The Hankyoreh": drop location mnt/hgfs/Desktop/New folder/203.234.192.200_client.zip. "The client accesses the SpawnChimera backdoor via port knocking."
Mandiant ... reported that attackers began leveraging this vulnerability [CVE-2025-0282] as early as mid-December, deploying the custom Spawn malware toolkit... TeamT5 reports that the threat actor used SPAWNCHIMERA, a malware toolkit developed specifically for Ivanti VPN appliances.
Techniques & procedures
Thirteen distinct techniques are documented for this family, grouped by tactic.
Initial Access (1 technique)
"...threat actors exploited Ivanti CVE-2025-0282 for initial access."
Execution (1 technique)
"The main attack vector is CVE-2025-0282, a stack-based buffer overflow vulnerability that affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways."
Persistence (3 techniques)
"These commands: Create a web shell... Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions."
Stealth (5 techniques)
Obfuscation: general technique description, not specific to this family. Adversaries use Base64, XOR, RC4, AES, hexadecimal encoding, string encryption, code flattening, custom crypters, and other obfuscation methods to hide payloads, strings, configuration data, URLs, and scripts.
File and log deletion: general technique description with examples from other actors, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.' The family-specific instance is log wiping by the SPAWNSLOTH module.
Timestomping: general technique description with examples from other actors. APT28 has performed timestomping on victim files; APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory; APT32 has used scheduled task raw XML with a backdated timestamp...; APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host. The family-specific instance is use of the touch command to alter timestamps.
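The touch-based timestomping reported for this family, and the "match the neighbouring files" mimicry described above, can be caught on Linux by comparing the attacker-writable mtime against the kernel-controlled ctime: utime()/touch can set mtime and atime to anything, but the kernel stamps ctime with the wall clock and exposes no syscall to rewrite it. The sweep below is an added example written for this page, not code from any of the cited reports; the backdated December 2024 timestamp, the file names, the baseline time and the one-hour gap threshold are constructed assumptions.

```python
import os
import tempfile
import time

# Constructed example: a December 2024 timestamp of the kind an attacker might
# copy from neighbouring files with `touch -r` or set with `touch -t`.
FAKE_MTIME = time.mktime((2024, 12, 15, 0, 0, 0, 0, 0, -1))


def find_timestomped(root, baseline_epoch, min_gap_seconds=3600):
    """Return [(path, mtime, ctime)] for files whose inode changed after
    baseline_epoch (e.g. the last known-good patch or install time, an
    assumption the operator supplies) but whose mtime claims to be at least
    min_gap_seconds earlier than that change.

    Scoping to ctime > baseline avoids flagging every package-installed file,
    whose mtime (taken from the archive) is routinely older than its ctime
    (set at installation). POSIX/Linux semantics are assumed: on Windows
    st_ctime is the creation time and this comparison is meaningless.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if st.st_ctime < baseline_epoch:
                continue
            if st.st_ctime - st.st_mtime >= min_gap_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def demo_timestomp():
    """Build a constructed directory with one legitimate file and one
    timestomped file, and return the basenames the sweep flags."""
    baseline = time.time() - 5  # assume the last trusted change was 5 s ago
    with tempfile.TemporaryDirectory() as d:
        legit = os.path.join(d, "legit.pm")
        evil = os.path.join(d, "backdoor.pm")
        for p in (legit, evil):
            with open(p, "w") as f:
                f.write("# constructed sample file\n")
        # Backdate only atime/mtime, exactly what `touch -t 202412150000 backdoor.pm`
        # does via the same utimensat() syscall; ctime stays at "now".
        os.utime(evil, (FAKE_MTIME, FAKE_MTIME))
        flagged = find_timestomped(d, baseline)
        return sorted(os.path.basename(p) for p, _m, _c in flagged)


if __name__ == "__main__":
    for name in demo_timestomp():
        print("timestomped:", name)
```

chmod, chown and rename also bump ctime without touching mtime, so treat hits as leads to review rather than verdicts, and run the sweep from a trusted environment or an offline copy of the filesystem, since this family also tampers with the Integrity Checker Tool on the live appliance.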
Defense Impairment (2 techniques)
Code signing abuse: general technique description with examples from other actors, i.e., using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware so it appears legitimate (AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, SUNBURST being digitally signed by SolarWinds). The family-specific instance is generation of RSA keys to sign modified files so that integrity manifests appear legitimate.
Blocking upgrades and integrity checks: PHASEJAM 'has modified Ivanti Connect Secure appliances and blocks the system upgrades by altering the DSUpgrade.pm file'; SPAWNCHIMERA 'has modified the Ivanti Integrity Checker Tool to evade detection.'
Collection (1 technique)
Data from local system: general technique description, not specific to this family, covering threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control (2 techniques)
SSH tunneling: "...RESURGE...creates a Secure Shell (SSH) tunnel for command and control (C2)." RESURGE is described above as building on SPAWNCHIMERA and sharing its SSH-tunnel C2; SPAWNCHIMERA's own tunneling is provided by SPAWNMOLE (SOCKS5) and SPAWNSNAIL (SSH backdoor), reached via port knocking.
Other (1 technique)
Disabling or modifying security tools: general technique description with examples from other actors ('Agrius used several mechanisms to try to disable security tools'; 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations'). The family-specific instance is modification of the Ivanti Integrity Checker Tool.
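The summary above notes that one SpawnChimera client used TLS ClientHello-based port knocking: the knock is carried inside the handshake rather than expressed as a port sequence, so port-level firewall logs never show it. A practical hunt is to parse ClientHellos arriving at the appliance's TLS listener, fingerprint them (JA3: TLS version, cipher suites, extensions, supported groups and point formats, with GREASE values dropped, then MD5-hashed) and alert on fingerprints outside the set of expected VPN clients. This is an added example written for this page, not code from any cited report or from the malware; the two ClientHellos, the source IPs 192.0.2.10 and 198.51.100.7 and the allowlist are constructed, and the "knock" hello (a single legacy cipher, no SNI) is an illustrative anomaly, not the family's actual knock format.

```python
import hashlib
import struct

# GREASE values (RFC 8701) vary per connection and are excluded from JA3.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni, ciphers, groups, point_formats):
    """Assemble a minimal TLS ClientHello record (constructed test input only)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name             # host_name, type 0
        exts += _ext(0, struct.pack("!H", len(entry)) + entry)       # server_name
    exts += _ext(10, struct.pack("!H", 2 * len(groups))
                 + b"".join(struct.pack("!H", g) for g in groups))   # supported_groups
    exts += _ext(11, bytes([len(point_formats)]) + bytes(point_formats))  # ec_point_formats
    body = struct.pack("!H", 0x0303) + b"\x11" * 32                  # legacy version, random
    body += b"\x00"                                                  # empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # compression: null only
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(buf):
    """Extract the JA3 fields plus SNI; raises ValueError on non-ClientHello input."""
    if len(buf) < 9 or buf[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", buf[3:5])[0]
    hs = buf[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    b = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", b[0:2])[0]
    pos = 2 + 32                                 # skip client random
    pos += 1 + b[pos]                            # skip session id
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", b[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + b[pos]                            # skip compression methods
    exts, groups, formats, sni = [], [], [], None
    if pos + 2 <= len(b):
        end = pos + 2 + struct.unpack("!H", b[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            et, el = struct.unpack("!HH", b[pos:pos + 4])
            data = b[pos + 4:pos + 4 + el]
            pos += 4 + el
            exts.append(et)
            if et == 0 and len(data) >= 5:       # server_name: list_len, type, name_len, name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
            elif et == 10 and len(data) >= 2:    # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif et == 11 and data:              # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats, "sni": sni}


def ja3(hello):
    """Return (ja3_string, ja3_md5) for a parsed ClientHello."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(hello["version"]), join(hello["ciphers"]), join(hello["extensions"]),
                  join(hello["groups"]), join(hello["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def triage(records, allowed_ja3):
    """records: [(src_ip, raw_bytes)]. Alert on fingerprints absent from the allowlist."""
    alerts = []
    for src, raw in records:
        try:
            hello = parse_client_hello(raw)
        except ValueError:
            continue                             # not a ClientHello; out of scope here
        s, digest = ja3(hello)
        if digest not in allowed_ja3:
            alerts.append({"src": src, "sni": hello["sni"], "ja3": digest, "ja3_string": s})
    return alerts


# Constructed traffic: one ordinary VPN-client hello (with a GREASE cipher, as real
# browsers send) and one hypothetical "knock" hello with a lone legacy cipher and no SNI.
NORMAL = build_client_hello("vpn.example.com", [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
                            [0x001d, 0x0017], [0])
KNOCK = build_client_hello(None, [0x0035], [0x0017], [0])
RECORDS = [("192.0.2.10", NORMAL), ("198.51.100.7", KNOCK)]
ALLOWED = {ja3(parse_client_hello(NORMAL))[1]}   # assumption: the only expected client


def demo_ja3():
    return triage(RECORDS, ALLOWED)


if __name__ == "__main__":
    for a in demo_ja3():
        print(f"unexpected TLS client from {a['src']} sni={a['sni']} ja3={a['ja3']}")
```

In production the allowlist is built from the JA3 hashes of the VPN clients actually deployed, and the records come from a packet capture or a TLS-inspecting sensor in front of the appliance; the point is that the filter keys on handshake content, which is exactly where a ClientHello-based knock lives.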
Recent activity
Fourteen sources are tracked across advisories, community write-ups, and news. How individual sources describe the family:
A prior SPAWN-family malware with reboot-surviving persistence, described as the predecessor/base that RESURGE extends with additional commands and expanded capabilities.
A related malware/tool with SSH-tunnel C2 behavior similar to RESURGE; that source gives no further functional details.
A malware variant whose capabilities overlap with RESURGE (e.g., surviving reboots).
A malware family delivered via exploitation of Ivanti Connect Secure vulnerabilities; that source does not detail specific functionality.