A highly sophisticated cyber espionage campaign, dubbed OPERATION ENDTRADE, is leveraging recently discovered Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities to attack companies around the globe.
The campaign started sometime around May 15, 2025, and has affected entities within the telecommunications, healthcare, government, defense, finance, and aviation sectors of North America, Europe, and the Asia-Pacific region.
The attackers have exploited two vulnerabilities of medium to high severity, tracked as CVE-2025-4427 and CVE-2025-4428; chaining them together enables unauthenticated remote code execution (RCE) on vulnerable Ivanti EPMM installations. Both weaknesses reside in third-party libraries bundled with the EPMM product.
After the initial compromise, UNC5221 is known to use the KrustyLoader malware to deploy additional payloads, such as the Sliver backdoor. The attackers have also taken advantage of EPMM system files containing hard-coded MySQL database credentials to break into the ‘mifs’ database.
This level of access lets them steal valuable information, such as PII, credentials, and data on managed mobile devices and LDAP users, for use in further attacks and espionage.
EclecticIQ researchers have found reuse of infrastructure and TTPs that aligns with previous activity attributed to UNC5221, further strengthening the link to Chinese state-sponsored cyber operations.
The group has also been spotted weaponizing the open-source Fast Reverse Proxy (FRP) to gain persistent access and to enable network reconnaissance and lateral movement on compromised networks. Obfuscated shell commands are used for reconnaissance and to remove evidence, possibly exfiltrating data via HTTP GET requests before wiping malicious artifacts.
Additionally, a command-and-control (C2) server known to be linked to the Auto-Color backdoor, which was also associated with campaigns against universities and government entities, has been found communicating with compromised Ivanti EPMM servers. That only reinforces the attribution to a China-nexus threat actor.
The Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-4427 and CVE-2025-4428 in its Known Exploited Vulnerabilities list, and is urging organizations to apply the fixes provided by Ivanti on May 13, 2025, as soon as possible.
The volume of in-the-wild exploitation of these vulnerabilities is a clear signal for organisations using Ivanti EPMM to prioritise patching and defend against the continuing threat of espionage.
Security researchers note that the consequences of successful exploitation are severe, given EPMM’s role in administering many aspects of enterprise mobile device configuration and management, which could give attackers remote access to and control over thousands of devices within an organization.