Comprehensive Threat Exposure Management Platform
China-based threat actors infiltrated Japanese shipping and transportation networks in April 2025 by exploiting two critical Ivanti Connect Secure vulnerabilities, CVE-2024-21893 and CVE-2024-21887, which allowed them to bypass defenses and establish silent footholds across corporate infrastructure. Using these Ivanti Connect Secure flaws, the Chinese attackers moved from initial access to deeper network reconnaissance, stole privileged credentials, and deployed advanced PlugX malware variants including MetaRAT and Talisman PlugX across internal Windows servers. The Japanese shipping attack operation combined stealthy DLL side-loading techniques, encrypted malware payloads, and persistent backdoor access capabilities, reflecting a well-practiced, multi-stage intrusion campaign designed not for immediate data theft but for long-term espionage operations and future re-entry into Japanese transportation networks. During forensic investigation of the Japanese shipping breach, security researchers uncovered several lightweight malware implants including LITTLELAMB, WOOLTEA, PITSOCK, and PITFUEL, all flagged by Ivanti’s Integrity Checker Tool (ICT), alongside critical ERR31093 error logs linked to malicious SAML payloads that provided clear indicators of the initial Ivanti Connect Secure exploitation. The PlugX malware variants deployed in this Japanese shipping attack campaign, particularly MetaRAT and Talisman PlugX, represent the continued evolution of this long-running remote access Trojan used by China-aligned espionage groups such as Calypso, Mustang Panda, and APT10 since 2008, with both variants exhibiting enhanced obfuscation, modularity, refined encryption routines supporting TCP, UDP, HTTP, HTTPS, and ICMP protocols, and new command formats designed to evade detection.
A China-based threat group launched a coordinated attack campaign in April 2025, specifically targeting Japanese shipping and transportation companies with strategic economic importance. The attackers exploited critical vulnerabilities in Ivanti Connect Secure (ICS) infrastructure, specifically CVE-2024-21893 (Server-Side Request Forgery) and CVE-2024-21887 (Command Injection), to break into corporate networks and deploy advanced variants of the PlugX malware family, including MetaRAT and Talisman PlugX. These Japanese shipping network operations highlight the continued evolution of PlugX-based espionage tooling and demonstrate how Chinese cyber espionage groups are still relying on refined versions of long-standing malware frameworks to infiltrate high-value transportation and logistics sectors with economic intelligence value.
Once inside Japanese shipping networks, the attackers leveraged the Ivanti Connect Secure flaws to install malware that helped them systematically map the network topology, steal privileged domain credentials, and move laterally through internal systems without triggering security alerts. During forensic analysis of compromised Ivanti appliances, investigators uncovered several lightweight malware files including LITTLELAMB, WOOLTEA, PITSOCK, and PITFUEL, all flagged by Ivanti’s Integrity Checker Tool (ICT). These reconnaissance implants are commonly observed in campaigns abusing the same Ivanti Connect Secure vulnerabilities and are typically used for early-stage network reconnaissance, credential harvesting, persistence establishment, and infrastructure discovery. Their presence in Japanese shipping networks, along with a significant spike in critical ERR31093 error logs linked to malicious SAML payloads exploiting authentication bypass, provided clear forensic markers of the initial intrusion vector and reinforced that the attackers used a familiar and well-documented toolkit to establish footholds before deploying more sophisticated remote access Trojans.
PlugX itself is a long-running remote access Trojan that has spawned numerous variants since its emergence in 2008 and remains widely deployed by China-aligned Advanced Persistent Threat groups such as Calypso, Mustang Panda, and APT10 for espionage operations. In this Japanese shipping network incident, two sophisticated variants emerged as key attack components: MetaRAT, a modernized PlugX iteration with enhanced obfuscation capabilities, improved modularity, and encrypted command-and-control communications; and Talisman PlugX, a DLL side-loading variant capable of executing multiple malicious plugins for espionage tasks such as keylogging, file manipulation, and remote command execution. Both MetaRAT and Talisman PlugX follow the traditional PlugX architectural model but show substantial code changes, refined AES-based encryption routines, compressed payload delivery, and new command communication formats that help them evade signature-based detection in enterprise security environments.
MetaRAT stood out in the Japanese shipping attack for its sophisticated multi-stage execution chain designed to evade endpoint detection solutions. The MetaRAT malware relies on DLL side-loading techniques, custom shellcode injection, layered decryption processes, and reflective loading capabilities to unpack itself directly into memory without writing artifacts to disk. The MetaRAT malware supports multiple communication protocols including TCP, UDP, HTTP, HTTPS, and ICMP, providing flexible command-and-control connectivity, and uses AES-based encryption combined with compressed payloads to securely exchange stolen data with attacker-controlled command-and-control servers. Talisman PlugX follows a similar execution flow in Japanese shipping compromises, loading an encrypted payload file named “ws32.sob”, decrypting and decompressing embedded malicious components, and injecting itself into legitimate Windows processes to blend into normal system activity and evade behavioral monitoring. Both MetaRAT and Talisman PlugX variants also share certain code characteristics and infrastructure overlap, suggesting they may originate from overlapping malware developer ecosystems within Chinese espionage operations.
Taken together, the forensic evidence from the Japanese shipping network breaches points toward involvement by China-linked Advanced Persistent Threat groups such as Space Pirates or Calypso, with some technical indicators of shared tooling or command-and-control infrastructure previously used by RedFoxtrot operations. While no immediate data exfiltration was observed during the initial investigation phase, the attackers clearly focused operational efforts on credential harvesting and establishing long-term persistent access mechanisms for future espionage operations targeting Japanese maritime and transportation logistics intelligence. This Japanese shipping campaign underscores the critical importance of aggressive patch management for internet-exposed VPN appliances, continuous security monitoring of authentication gateways, and implementation of multi-layered security controls, especially for organizations in shipping and transportation sectors running exposed Ivanti Connect Secure or other remote access infrastructure vulnerable to zero-day and n-day exploitation.
Patch Ivanti Devices Without Delay: Apply the latest security updates for Ivanti Connect Secure and any related VPN appliances as soon as official patches are released by the vendor. These Ivanti Connect Secure vulnerabilities, CVE-2024-21893 and CVE-2024-21887, were the attackers’ entry point into Japanese shipping networks, so closing them immediately is essential to prevent similar breaches targeting your organization’s remote access infrastructure.
Strengthen Monitoring Around ICS and VPN Gateways: Continuously monitor Ivanti Connect Secure appliances and other VPN gateways for unusual login attempts, spikes in error logs such as ERR31093 associated with SAML payload exploitation, or unexpected file creation on Ivanti devices. Early detection of these attack indicators in VPN gateway logs could stop Chinese espionage attackers before they move deeper into your network and deploy PlugX malware variants like MetaRAT or Talisman.
Review Internal Network Segmentation: Implement strict network segmentation to separate critical servers and sensitive data stores so that even if an attacker steals domain credentials through Ivanti exploitation, they cannot move laterally across the entire corporate network. Create clear security boundaries between Ivanti Connect Secure VPN infrastructure, business systems, operational technology networks, and sensitive intellectual property or customer data stores.
Build Incident Response Playbooks For Malware Like PlugX Variants: Prepare detailed incident response procedures specifically for identifying, isolating, and removing remote access Trojans such as PlugX, MetaRAT, and Talisman from compromised Windows systems. Train security operations teams on recognizing common PlugX indicators including side-loaded DLLs, encrypted payload files with unusual extensions, modified PE headers, and process injection into legitimate Windows system processes.
Enhance Endpoint Protection: Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions configured to identify and block PlugX malware variants based on behavioral characteristics. Leverage behavioral analysis and machine learning-based detection capabilities to spot suspicious DLL side-loading, reflective code loading into memory, and unusual network connections to command-and-control infrastructure associated with Chinese espionage operations.
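The monitoring recommendation above calls for watching Ivanti Connect Secure gateway logs for spikes in ERR31093 entries. The script below is an added illustration of that check and is not part of the original advisory, nor an Ivanti tool. It buckets forwarded log lines into fixed time windows, flags windows where a given code fires unusually often, and records the first successful login seen after the burst as a pivot point for investigators. The log layout (timestamp - level - code - message), the placeholder code AUTHOK, and the sample events are all constructed assumptions; only ERR31093 comes from the advisory. Adjust LINE_RE to whatever format your syslog forwarder actually emits.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in a simplified "timestamp - level - code - message" layout.
# This layout is an assumption for illustration, not Ivanti's real log format.
# ERR31093 is the code named in the advisory; AUTHOK is a made-up placeholder code
# standing in for whatever your gateway logs on a successful login.
SAMPLE_LOG = """\
2025-04-03 09:00:12 - INFO - AUTHOK - Login succeeded for user jdoe
2025-04-03 09:01:40 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-03 09:30:05 - INFO - AUTHOK - Login succeeded for user asmith
2025-04-03 10:14:00 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-03 11:02:00 - INFO - AUTHOK - Login succeeded for user jdoe
2025-04-04 02:10:01 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-04 02:10:02 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-04 02:10:04 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-04 02:10:07 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-04 02:10:09 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-04 02:10:15 - CRIT - ERR31093 - SAML authentication failed: invalid assertion
2025-04-04 02:11:30 - INFO - AUTHOK - Login succeeded for user svc_backup
"""

LINE_RE = re.compile(r"^(\S+ \S+) - (\w+) - ([\w-]+) - (.*)$")


def parse_events(text):
    """Return (timestamp, level, code, message) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def bucket_start(ts, bucket_minutes):
    """Floor a timestamp to the start of its fixed-width time bucket."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % bucket_minutes)


def count_code(events, code, bucket_minutes=5):
    """Count occurrences of one log code per time bucket."""
    counts = Counter()
    for ts, _level, c, _msg in events:
        if c == code:
            counts[bucket_start(ts, bucket_minutes)] += 1
    return counts


def spike_report(events, code="ERR31093", bucket_minutes=5, threshold=3,
                 login_code="AUTHOK"):
    """Buckets where `code` fires at least `threshold` times, with first/last seen
    and the first successful login after the burst (a useful pivot for IR)."""
    counts = count_code(events, code, bucket_minutes)
    report = []
    for start in sorted(b for b, n in counts.items() if n >= threshold):
        end = start + timedelta(minutes=bucket_minutes)
        in_window = [ts for ts, _l, c, _m in events if c == code and start <= ts < end]
        last_failure = max(in_window)
        follow_on = [ts for ts, _l, c, _m in events
                     if c == login_code and ts > last_failure]
        report.append({
            "bucket": start,
            "count": counts[start],
            "first": min(in_window),
            "last": last_failure,
            "next_login": min(follow_on) if follow_on else None,
        })
    return report


if __name__ == "__main__":
    for r in spike_report(parse_events(SAMPLE_LOG)):
        print(f"{r['bucket']:%Y-%m-%d %H:%M} count={r['count']} "
              f"first={r['first']:%H:%M:%S} last={r['last']:%H:%M:%S} "
              f"next_login={r['next_login']}")
```

A fixed threshold is deliberately simple; in production you would derive it from the gateway's own baseline (for example, the per-bucket maximum over the previous week) so that a single mistyped SAML assertion during business hours does not page anyone, while a burst of six failures at 02:10 followed by a service-account login does.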
SHA256 Hashes: 8f50f434fa776cd11869d1e43858ac6d480d176b7c0dddc09b71d40b20a4aa46, c6124a3ca27299ef1b4d053782b11fe9fe4e215cac3cbd47d09a06e2ca6dde0c, 6ad67d7f76986359865667bdd51ba267f6bd7e560270512074448dd7b088bcb7, 00dbc8a4b3121af5a19504a9d969e36e709556420a6117eb3533f1d2a8100fd9, and numerous additional file hashes associated with MetaRAT, Talisman PlugX, LITTLELAMB, WOOLTEA, PITSOCK, and PITFUEL malware implants
Domains: doodle01[.]space, piao[.]mil[.]onmypc[.]net, newsinfom[.]org, mailserver[.]kozow[.]com, turky[.]info, nord[.]ocry[.]com
IPv4 Addresses: 117[.]254[.]105[.]200, 45[.]114[.]192[.]137, 103[.]9[.]14[.]218, 23[.]254[.]225[.]184, 103[.]136[.]45[.]108, 103[.]172[.]10[.]165, 117[.]239[.]199[.]202, 220[.]130[.]204[.]242, 112[.]213[.]125[.]75
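The indicators above are published in defanged form ([.] in place of .), so they cannot be pasted straight into a SIEM search. The script below is an added example, not part of the advisory or any vendor product: it refangs the domains and IPv4 addresses listed above, validates the addresses, and sweeps constructed DNS and proxy log lines for exact or subdomain matches while rejecting look-alikes such as a watchlisted name used as a prefix of an unrelated domain. The key=value log layout, the 10.20.30.0/24 client range, and the example.* hostnames are assumptions made up for the demonstration.

```python
import ipaddress
import re

# Indicators copied from the IoC section of this advisory, still in defanged form.
DEFANGED_DOMAINS = [
    "doodle01[.]space", "piao[.]mil[.]onmypc[.]net", "newsinfom[.]org",
    "mailserver[.]kozow[.]com", "turky[.]info", "nord[.]ocry[.]com",
]
DEFANGED_IPS = [
    "117[.]254[.]105[.]200", "45[.]114[.]192[.]137", "103[.]9[.]14[.]218",
    "23[.]254[.]225[.]184", "103[.]136[.]45[.]108", "103[.]172[.]10[.]165",
    "117[.]239[.]199[.]202", "220[.]130[.]204[.]242", "112[.]213[.]125[.]75",
]

# Constructed DNS and proxy log lines (not from the investigation) in an assumed
# key=value layout; the 10.20.30.0/24 clients and example.* names are placeholders.
# The last line is a deliberate look-alike that must NOT match.
SAMPLE_LOG = """\
2025-04-05T01:12:03Z dns client=10.20.30.41 query=www.newsinfom.org type=A
2025-04-05T01:12:04Z proxy src=10.20.30.41 dst=45.114.192.137:443 method=CONNECT host=mailserver.kozow.com
2025-04-05T01:13:10Z dns client=10.20.30.42 query=updates.example.com type=A
2025-04-05T01:14:55Z proxy src=10.20.30.43 dst=203.0.113.9:443 method=CONNECT host=cdn.example.net
2025-04-05T01:15:20Z dns client=10.20.30.42 query=newsinfom.org.example.com type=A
"""


def refang(indicator):
    """Turn '[.]' back into '.' so the indicator can be compared with live logs."""
    return indicator.replace("[.]", ".").strip().lower()


def build_watchlist(domains, ips):
    """Normalise the indicator lists into sets suitable for fast membership tests."""
    doms = {refang(d).rstrip(".") for d in domains}
    # ip_address() raises on malformed entries, so a typo in the list fails loudly
    addrs = {str(ipaddress.ip_address(refang(i))) for i in ips}
    return doms, addrs


def domain_hit(name, doms):
    """True if name equals a watchlisted domain or is a subdomain of one.
    A suffix check with a leading dot stops 'newsinfom.org.example.com' matching."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in doms)


NAME_RE = re.compile(r"\b(?:query|host)=([A-Za-z0-9.-]+)")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")


def scan(log_text, domains=DEFANGED_DOMAINS, ips=DEFANGED_IPS):
    """Return one hit record per indicator seen, with the 1-based log line number."""
    doms, addrs = build_watchlist(domains, ips)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in NAME_RE.finditer(line):
            if domain_hit(m.group(1), doms):
                hits.append({"line": lineno, "kind": "domain", "value": m.group(1)})
        for m in DST_RE.finditer(line):
            if m.group(1) in addrs:
                hits.append({"line": lineno, "kind": "ip", "value": m.group(1)})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['kind']} indicator {h['value']}")
```

Because PlugX and MetaRAT can also beacon over ICMP and raw UDP (T1095), a proxy-only sweep like this one misses non-HTTP channels; run the same address watchlist against firewall and NetFlow records as well, not just DNS and web proxy logs.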
The Japanese shipping network attack maps to the following MITRE ATT&CK tactics and techniques:
Resource Development (TA0042): Obtain Capabilities, including Vulnerabilities (T1588, T1588.006)
Initial Access (TA0001): Exploit Public-Facing Application, targeting Ivanti Connect Secure (T1190)
Execution (TA0002): Command and Scripting Interpreter (T1059)
Persistence (TA0003): Create or Modify System Process, Windows Service (T1543, T1543.003); Boot or Logon Autostart Execution (T1547, T1547.001)
Defense Evasion (TA0005): Hijack Execution Flow via DLL side-loading (T1574, T1574.001); Obfuscated Files or Information (T1027); Deobfuscate/Decode Files or Information (T1140); Process Injection (T1055); Indicator Removal, including Timestomp (T1070, T1070.006)
Discovery (TA0007): System Information Discovery (T1082)
Collection (TA0009): Input Capture, Keylogging (T1056, T1056.001)
Command and Control (TA0011): Application Layer Protocol, Web Protocols (T1071, T1071.001); Non-Application Layer Protocol (T1095)
Valid Accounts (T1078) for credential-based access