Chinese hackers are believed to be exploiting a zero-day flaw in Ivanti VPN devices, according to Mandiant researchers. The malware campaign was initially disclosed by Google’s Mandiant security division and includes the SPAWNANT installer, SPAWNMOLE tunneller, and SPAWNSNAIL SSH backdoor. Mandiant expects the cyber espionage, conducted by UNC5337 and UNC5221, to continue across numerous countries and sectors.

Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
A suspected Chinese advanced persistent threat (APT) group exploited CVE-2025-22457, a buffer overflow bug previously assessed as unexploitable, to compromise devices running Ivanti Connect Secure (ICS) and