Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks
Two recently patched vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have been exploited by the Chinese cyber espionage group UNC5221 against organizations in numerous industries across Europe, North America, and the Asia-Pacific region. The vulnerabilities, which an unauthenticated attacker can exploit to execute arbitrary code, were addressed by Ivanti last week. The group shows a detailed understanding of the product, repurposing legitimate EPMM components for data theft, and because EPMM manages enterprise mobile devices, a compromised server could be used to reach thousands of managed devices within an organization. Reported targets include organizations in healthcare, finance, and defense.
"UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," security researcher Arda Büyükkaya said.
"Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization."
The earliest exploitation activity dates back to May 15, 2025, with the attacks targeting healthcare, telecommunications, aviation, municipal government, finance, and defense sectors.
Successful exploitation is followed by the deployment of KrustyLoader, a known Rust-based loader attributed to UNC5221 that delivers additional payloads such as the Sliver command-and-control framework.
Read at The Hacker News