SPAWN
SPAWN is a malware ecosystem (or suite) associated with China-nexus cyber espionage activity and attributed in public reporting to clusters including UNC5221; separate reporting states that UNC5337 exploited Ivanti Connect Secure CVE-2025-0282 as a zero-day to deliver the SPAWN ecosystem. It has been observed in intrusions involving Ivanti Connect Secure edge devices, including exploitation of CVE-2025-22457 and CVE-2025-0282. Reporting describes SPAWN as a previously reported malware suite used in operations against compromised Ivanti appliances; TeamT5 linked intrusions across at least 170 Ivanti Connect Secure devices in 25 regions to the SPAWN suite.

Known components and related variants described in the sources collected here:
SPAWNSLOTH, a log-tampering component that targets dslogserver to disable local logging and remote syslog forwarding; it is tied to the SPAWNSNAIL backdoor.
SPAWNSNARE, a Linux utility written in C that extracts an uncompressed Linux kernel image (vmlinux) and encrypts it with AES without relying on command-line tools.
SPAWNWAVE, an evolved version of SPAWNANT that combines capabilities from other SPAWN components and overlaps with SPAWNCHIMERA and RESURGE.
Additional SPAWN-related malware, including TextDoor and DebtTheft.

Updated SPAWN variants, SPAWNCHIMERA and RESURGE, were also reported by JPCERT/CC and CISA. The suite is tied to post-compromise activity on edge devices and has been deployed alongside other malware families such as TRAILBLAZE and BRUSHFIRE in UNC5221 operations. High-confidence targeting context centers on edge/network appliances, especially Ivanti Connect Secure devices, with regional victim concentrations reported in Japan, Taiwan, South Korea, and the United States.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
CVE-2025-22457: "The actor also deployed components of their previously reported SPAWN malware ecosystem."
"Mandiant (part of Google Cloud) is releasing details on active exploitation of a critical buffer overflow vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (ICS) VPN appliances (versions 22.7R2.5 and earlier). We identified the suspected China-nexus espionage actor UNC5221 exploiting this flaw in the wild for remote code execution in their operations, dating back to mid-March."
CVE-2025-0282: "However, the shortcoming has been exploited as a zero-day by a China-nexus cyber espionage group dubbed UNC5337 to deliver the SPAWN ecosystem of malware..."
"...installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024..."
"CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025."
Groups observed using it
2 distinct threat actors attributed by public researchers.
It's suspected that PhiliKit is deployed as part of the SPAWN malware suite used by the Chinese hacking group in the past.
However, the shortcoming has been exploited as a zero-day by a China-nexus cyber espionage group dubbed UNC5337 to deliver the SPAWN ecosystem of malware...
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"On VirusTotal we found PhiliKit, a new implant that we assess to be part of UNC5221's SPAWN toolset targeting Ivanti VPN appliances."
Execution (1 technique)
"We identified the suspected China-nexus espionage actor UNC5221 exploiting this flaw in the wild for remote code execution in their operations, dating back to mid-March."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A malware suite previously used by UNC5221 and suspected to include deployment of PhiliKit.
Malware suite used in Ivanti Connect Secure intrusions to establish persistence and support follow-on actions.
Malware ecosystem delivered via exploitation of Ivanti Connect Secure vulnerabilities; later observed in updated variants and used in campaigns attributed to China-nexus threat actors.
A previously reported malware ecosystem whose components were deployed by the threat actor in this campaign.