The Cybersecurity and Infrastructure Security Agency (CISA) has published a detailed analysis of two sets of malware that targeted Ivanti Endpoint Manager Mobile (EPMM). The report provides detection signatures and incident response guidance that any organization can use against active threats to enterprise mobile device management platforms.
Two malware sets provide persistent access
CISA received five malicious files from an organization in which cyber threat actors had exploited an authentication bypass (CVE-2025-4427) and a code injection flaw (CVE-2025-4428) in Ivanti EPMM for initial access. Ivanti patched both vulnerabilities on May 13, 2025, and CISA added them to its Known Exploited Vulnerabilities Catalog six days later. Around May 15, 2025, after a proof of concept was published, the threat actors chained the two flaws to gain access to the server running EPMM, as CISA explained in its analysis report:
“Around May 15, 2025, following publication of a proof of concept, the cyber threat actors gained access to the server running EPMM by chaining these vulnerabilities,” CISA explained in its analysis report.
The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests, using the ?format= parameter to send malicious remote commands.
Chunked delivery and detection-evasion techniques
The threat actors took care to evade detection while deploying the malware. Rather than uploading each loader in a single request, they split it into fragments, Base64-encoded each fragment, and delivered the fragments across several HTTP requests.
According to CISA, loaders 1 and 2 were each divided into multiple Base64-encoded chunks. Each chunk was sent in its own HTTP GET request carrying a Java Expression Language (EL) injection payload that wrote the chunk to a file and, using append mode, concatenated it onto the chunks already written.
This chunking is a defense-evasion technique: no single request contains the full file, which sidesteps signature-based detection of the payload and any request-size limits in the transfer path. Through the EL injection, the attackers reassembled the complete malware files in the /tmp directory.
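For an analyst working the web server logs, the natural counterpart to this technique is to reverse it: find the GET requests to /mifs/rs/api/v2/ whose format= parameter carries an expression-language marker, pull the Base64 run out of each, and concatenate them in log order to recover what was written to /tmp. The script below is an added example written for this article; it is not CISA's or Ivanti's code. The access-log format (Common Log Format), the `${'...'}` wrapper around each chunk, the 24-character chunk size, the IP addresses and the placeholder "loader" text are all constructed for illustration; the real injection payload and loaders are not reproduced.

```python
"""Reassemble a payload delivered as Base64 chunks in separate GET requests."""
import base64
import re
from collections import OrderedDict
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for a loader. The real loaders are NOT reproduced here.
PLACEHOLDER = b"class Loader { /* constructed placeholder, not real malware */ }"
CHUNK_SIZE = 24  # assumed; the real chunk size is not stated in the report
_B64 = base64.b64encode(PLACEHOLDER).decode()
CHUNKS = [_B64[i:i + CHUNK_SIZE] for i in range(0, len(_B64), CHUNK_SIZE)]


def _access_line(i, ip, query):
    """Constructed Common Log Format line for a GET to the targeted endpoint."""
    return (f'{ip} - - [15/May/2025:10:{i:02d}:00 +0000] '
            f'"GET /mifs/rs/api/v2/?{query} HTTP/1.1" 200 42')


# The ${'...'} wrapper is an assumed EL-like shape so the detector has a
# marker to key on; it is not the payload CISA observed. Two benign-looking
# requests from another address are mixed in as noise.
_REQUESTS = ([("198.51.100.9", "format=json")]
             + [("203.0.113.7", "format=" + quote("${'" + c + "'}", safe=""))
                for c in CHUNKS]
             + [("198.51.100.9", "adminDeviceSpaceId=1")])
SAMPLE_LOG = "\n".join(_access_line(i, ip, q) for i, (ip, q) in enumerate(_REQUESTS))

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
EL_MARKERS = ("${", "#{")
# Heuristic: a run of Base64 alphabet long enough not to be an ordinary value.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def parse_line(line):
    """Parse one access-log line into its fields, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": parts.path, "format": params.get("format", [None])[0],
            "status": int(m.group("status"))}


def is_suspicious(req):
    """GET to /mifs/rs/api/v2/ whose format= value contains an EL marker."""
    if req is None or req["method"] != "GET":
        return False
    if not req["path"].startswith("/mifs/rs/api/v2/"):
        return False
    fmt = req["format"]
    return fmt is not None and any(marker in fmt for marker in EL_MARKERS)


def extract_chunk(fmt):
    """Return the longest Base64-looking run inside the parameter value."""
    runs = B64_RUN.findall(fmt)
    return max(runs, key=len) if runs else None


def reassemble(log_text):
    """Group suspicious requests by source IP, in log order, and decode the
    concatenation of their chunks: the same append-mode reassembly the
    attacker performed, replayed from the defender's side."""
    per_ip = OrderedDict()
    for line in log_text.splitlines():
        req = parse_line(line)
        if not is_suspicious(req):
            continue
        chunk = extract_chunk(req["format"])
        if chunk is not None:
            per_ip.setdefault(req["ip"], []).append(chunk)
    result = {}
    for ip, chunks in per_ip.items():
        try:
            payload = base64.b64decode("".join(chunks), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            payload = None  # chunks missing or out of order
        result[ip] = {"chunks": len(chunks), "payload": payload}
    return result


if __name__ == "__main__":
    for ip, info in reassemble(SAMPLE_LOG).items():
        print(ip, info["chunks"], "chunks ->", info["payload"])
```

Log order stands in for delivery order here; on a real server, sort by timestamp first and expect gaps if some requests were served by another node or already rotated out. A decode failure (payload of None) is itself worth reporting, since it means the set of chunks is incomplete.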
Malicious listeners planted in Apache Tomcat
The first malware set includes SecurityHandlerWanListener.class, a listener that intercepts HTTP requests carrying specific authentication markers. Before processing a payload, it checks for the string pass 7c6a8867d728c3bb, the header name Referer, and the header value https://www[.]live.com.
When a matching request arrives, the malware retrieves a Base64-encoded payload, decodes it, and decrypts it with an Advanced Encryption Standard (AES) cipher object. The decrypted data is used to define new Java classes, which execute arbitrary code on the compromised system.
The second malware set features WebAndroidAppInstaller.class, which masquerades as part of the legitimate com.mobileiron.service package. This listener processes HTTP requests with specific content types, extracting a password parameter that is Base64-decoded and then AES-decrypted with the hard-coded key 3c6e0b8a9c15224a.
Detailed detection guidance has been offered
The detection signatures target characteristics of each malware variant, such as embedded strings, encryption keys, and specific behavioral patterns. Organizations can download the indicators of compromise, detection rules, and the full malware analysis report from CISA's website.
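The indicators quoted above (the password string, the Referer value, the hard-coded AES key and the class names) are exactly the kind of embedded strings a file-content signature keys on, because Java string constants sit uncompressed in a class file's constant pool. The scanner below is an added example written for this article, not one of CISA's published rules. The rule layout (a required key or password string plus supporting strings), the choice to write the package name in JVM internal form with slashes, the size cap, and the fake "class file" byte strings used as input are all assumptions or constructed data; the fake samples are not valid class files, just bytes with the indicators embedded.

```python
"""Scan files for embedded-string indicators of the two EPMM malware sets."""
import os
from dataclasses import dataclass

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class file magic number

# Indicators as quoted in the article. The defanged Referer value is restored.
# Package names are in JVM internal form (slashes), the form stored in the
# constant pool. A "required" string must match before a rule fires, so the
# legitimate com.mobileiron.service package alone never triggers a hit.
RULES = {
    "SecurityHandlerWanListener": {
        "required": [b"7c6a8867d728c3bb"],
        "supporting": [b"SecurityHandlerWanListener", b"https://www.live.com",
                       b"Referer"],
    },
    "WebAndroidAppInstaller": {
        "required": [b"3c6e0b8a9c15224a"],
        "supporting": [b"WebAndroidAppInstaller", b"com/mobileiron/service"],
    },
}


@dataclass
class Hit:
    rule: str
    matched: list          # indicator strings that were found
    is_class_file: bool    # True when the data starts with CAFEBABE


def scan_bytes(data):
    """Return one Hit per rule whose required indicators all appear in data."""
    hits = []
    is_class = data[:4] == CLASS_MAGIC
    for name, rule in RULES.items():
        if not all(s in data for s in rule["required"]):
            continue
        matched = rule["required"] + [s for s in rule["supporting"] if s in data]
        hits.append(Hit(name, [m.decode() for m in matched], is_class))
    return hits


def scan_tree(root, max_size=50 * 1024 * 1024):
    """Walk a directory (e.g. /tmp or a Tomcat webapp) and map path -> hits.
    Files over max_size (assumed cap) or unreadable files are skipped."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits = scan_bytes(data)
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: the magic number and a few length-prefixed strings
# imitate a constant pool but these are NOT real or valid class files.
FAKE_LISTENER = (CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16
                 + b"\x01\x00\x1aSecurityHandlerWanListener"
                 + b"\x01\x00\x107c6a8867d728c3bb"
                 + b"\x01\x00\x14https://www.live.com"
                 + b"\x01\x00\x07Referer")
FAKE_INSTALLER = (CLASS_MAGIC + b"\x00\x00\x00\x34"
                  + b"\x01\x00\x2ccom/mobileiron/service/WebAndroidAppInstaller"
                  + b"\x01\x00\x103c6e0b8a9c15224a")
# Legitimate-looking class in the same package, without the key: must not fire.
BENIGN = (CLASS_MAGIC + b"\x00\x00\x00\x34"
          + b"\x01\x00\x24com/mobileiron/service/SomeLegitClass")


if __name__ == "__main__":
    for label, blob in (("listener", FAKE_LISTENER),
                        ("installer", FAKE_INSTALLER), ("benign", BENIGN)):
        print(label, scan_bytes(blob))
```

Run `scan_tree("/tmp")` and `scan_tree` over the Tomcat webapps directory on a suspect EPMM host; the chunk-reassembly step described earlier leaves the finished files in /tmp, which is why that directory is worth scanning even though nothing is deployed there. A hit on the key or password string with `is_class_file` False still matters: it may be a partially reassembled loader or a chunk that never got appended.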
The agency advises treating mobile device management systems as high-value assets that warrant additional monitoring and access restrictions. CISA recommends that organizations upgrade Ivanti EPMM to a patched version as soon as possible and deploy the published detection signatures. If the malware is detected, the affected host should be quarantined, forensic evidence collected, and the incident reported to the CISA 24/7 Operations Center.
The sophistication of this malware underlines the ongoing threat to enterprise mobile management systems. To counter it, organizations need to keep patching current, maintain effective monitoring, and deploy the published detection guidance to defend against similar attacks in the future.
