
The attackers exploited two Ivanti Connect Secure flaws, CVE-2024-21893 (a server-side request forgery in the SAML component) and CVE-2024-21887 (a command injection in the web component), to penetrate the networks of Japanese shipping and transportation companies and deploy sophisticated PlugX variants named MetaRAT and Talisman PlugX.
The intrusion began with the exploitation of the Ivanti Connect Secure (ICS) appliances themselves, which left behind indicators such as the critical error log entry ERR31093 and malware-related file traces consistent with those observed in earlier campaigns analyzed by Mandiant.
Once inside the network, the attackers used harvested credentials, including privileged Active Directory accounts, to move laterally and install malware on multiple internal servers.
This activity is part of an ongoing PlugX evolution observed since 2008, with the newer MetaRAT variant showcasing significant advancements in stealth, obfuscation, and communication methods.
MetaRAT and Talisman Variants Show Advanced Evolution
MetaRAT, a modern PlugX variant written in C/C++, has been active since at least 2022 and was used extensively in the 2025 attacks.
It is delivered by DLL side-loading: a legitimate executable loads the malicious loader mytilus3.dll, which decrypts an encrypted payload file (“materoll”) and reflectively loads the resulting RAT directly into memory, so the decrypted module never has to exist as a file on disk.

The shellcode uses several evasion techniques: AES-256-ECB encryption, API hashing (a ror7AddHash32 routine that resolves Windows API functions by a 32-bit hash rather than by name, so no import names appear as plaintext strings), and anti-debugging measures that destroy the cryptographic keys if analysis is detected, leaving an analyst with a payload that can no longer be decrypted.
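To show what the API-hashing step actually buys the malware author, here is an added example (not code from the original article, nor from LAC or the malware) of a "rotate-right-by-7, then add" 32-bit string hash and the resolver that turns a hash constant back into an export name. The page names the routine ror7AddHash32 but does not document it, so the seed of 0, the absence of case folding, and the exclusion of the terminating NUL are assumptions; the export list is a constructed stand-in for the PE export directory a real loader would walk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotate a 32-bit value right by n bits (1 <= n <= 31). */
static uint32_t ror32(uint32_t v, unsigned n)
{
    return (v >> n) | (v << (32 - n));
}

/*
 * "ror7 add" hash: for each byte of the export name, rotate the running
 * hash right by 7 and add the byte.  Assumed details (the page does not
 * document them): seed 0, no case folding, terminating NUL excluded.
 */
uint32_t ror7_add_hash32(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = ror32(h, 7) + *p;
    return h;
}

/*
 * Constructed stand-in for a DLL's export name table.  A real loader walks
 * the PE export directory of kernel32.dll etc. and hashes each name at run
 * time; only the hash constants are embedded in the shellcode, so a strings
 * pass over the payload never shows "VirtualAlloc" or "LoadLibraryA".
 */
static const char *const EXPORTS[] = {
    "CreateFileW", "GetProcAddress", "LoadLibraryA", "Sleep", "VirtualAlloc", NULL
};

/* Return the export whose hash equals target, or NULL if none matches. */
const char *resolve_by_hash(uint32_t target)
{
    for (size_t i = 0; EXPORTS[i] != NULL; ++i)
        if (ror7_add_hash32(EXPORTS[i]) == target)
            return EXPORTS[i];
    return NULL;
}

int main(void)
{
    /* What an analyst sees in the shellcode: only the constants. */
    for (size_t i = 0; EXPORTS[i] != NULL; ++i)
        printf("0x%08x  %s\n", ror7_add_hash32(EXPORTS[i]), EXPORTS[i]);

    /* What the loader does at run time: turn a constant back into a name. */
    uint32_t want = ror7_add_hash32("VirtualAlloc");
    const char *hit = resolve_by_hash(want);
    printf("resolve 0x%08x -> %s\n", want, hit ? hit : "(none)");
    return 0;
}
```

The same loop is what a YARA author runs in reverse: hash every export of the DLLs the malware is known to use, then search the sample for those constants. A detection built that way only holds if the seed and rotation count are right, which is why reproducing the exact routine matters more than the general idea.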
Once executed, MetaRAT supports multiple C2 communication protocols, including TCP, HTTPS, and ICMP, and disguises its traffic with request URIs resembling JavaScript or CSS files while embedding unique identifiers like “Cookie-Yaga” and “Cookie-Nguy”.
It can perform keylogging, command execution, configuration updates, and port tunneling via modular plugins such as KeylogDump and PortMap.
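The traffic disguise described above combines two weak signals, a request URI that looks like a static asset and a marker token, that only become meaningful together. The following is an added example (not the article's, LAC's, or the published Snort/Sigma rules) of that pairing applied to a few constructed HTTP requests. The page does not say whether “Cookie-Yaga” and “Cookie-Nguy” appear as header names or as cookie values, so the check searches the whole header block case-insensitively; host names and token values are placeholders.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample requests (not captured MetaRAT traffic). */
static const char *const SAMPLES[] = {
    "GET /static/app.js HTTP/1.1\r\nHost: cdn.example.test\r\nCookie-Yaga: 7f3a\r\n\r\n",
    "GET /css/site.css?v=3 HTTP/1.1\r\nHost: cdn.example.test\r\nCookie: Cookie-Nguy=91b2\r\n\r\n",
    "GET /static/app.js HTTP/1.1\r\nHost: cdn.example.test\r\nCookie: session=abc\r\n\r\n",
    "POST /api/login HTTP/1.1\r\nHost: www.example.test\r\nCookie-Yaga: 7f3a\r\n\r\n",
    NULL
};

/* Case-insensitive substring search; returns a pointer into hay or NULL. */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; ++hay) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            ++i;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Case-insensitive check that the span [s, end) ends with suffix. */
static bool ends_with_ci(const char *s, const char *end, const char *suffix)
{
    size_t n = strlen(suffix);
    if ((size_t)(end - s) < n)
        return false;
    for (size_t i = 0; i < n; ++i)
        if (tolower((unsigned char)*(end - n + i)) != tolower((unsigned char)suffix[i]))
            return false;
    return true;
}

/* Does the request path (before any '?') look like a JavaScript or CSS file? */
bool uri_mimics_static_asset(const char *req)
{
    const char *path = strchr(req, ' ');   /* skip the method */
    if (path == NULL)
        return false;
    ++path;
    const char *end = path;
    while (*end && *end != ' ' && *end != '?' && *end != '\r' && *end != '\n')
        ++end;
    return ends_with_ci(path, end, ".js") || ends_with_ci(path, end, ".css");
}

/* Is one of the marker tokens anywhere in the request (line or headers)? */
bool has_metarat_marker(const char *req)
{
    return find_ci(req, "Cookie-Yaga") != NULL || find_ci(req, "Cookie-Nguy") != NULL;
}

/* 0 = nothing, 1 = one weak indicator, 2 = both present (alert). */
int score_request(const char *req)
{
    return (int)uri_mimics_static_asset(req) + (int)has_metarat_marker(req);
}

int main(void)
{
    for (size_t i = 0; SAMPLES[i] != NULL; ++i) {
        int s = score_request(SAMPLES[i]);
        printf("score=%d %s %.*s\n", s, s == 2 ? "ALERT" : "     ",
               (int)strcspn(SAMPLES[i], "\r"), SAMPLES[i]);
    }
    return 0;
}
```

A real proxy or IDS deployment would apply the same logic to decrypted HTTPS or to the plaintext TCP channel; over ICMP the URI check is meaningless and only the marker search applies, which is one reason the published rules come in YARA, Sigma, and Snort form rather than as a single signature.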
The Talisman PlugX variant, first reported by Trellix in 2022, was also deployed in this campaign.
It mirrors MetaRAT’s architecture, using DLL side-loading and encrypted payloads, but retains its own distinct header signatures (previously 0xCF455089). Analysts believe small header changes were implemented to evade modern security detections.
LAC’s findings suggest that multiple Chinese state-linked groups, including Space Pirates, Calypso, and possibly RedFoxtrot, were behind this campaign, given overlaps in infrastructure and code similarities with RAT families such as RainyDay and Turian.
Although no evidence of data theft has been confirmed, the attackers appear to focus on credential harvesting, implying preparation for sustained or future access.
LAC advises organizations to patch vulnerable Ivanti Connect Secure appliances, hunt for host artifacts such as the file VniFile.hlp and the registry key matesile, and deploy the supplied YARA, Sigma, and Snort rules to detect MetaRAT indicators.
The post Hackers Deploy MetaRAT Malware Through Ivanti Connect Secure Vulnerabilities appeared first on Cyber Security News.
