UNC5337
UNC5337 is a suspected China-linked (China-nexus) cyber espionage threat actor associated with exploitation of Ivanti Connect Secure VPN appliance vulnerabilities, particularly CVE-2025-0282 as a zero-day. Reporting links UNC5337 to delivery of the SPAWN malware ecosystem, including custom and updated SPAWN variants, and to use of additional tools such as DRYHOOK and PHASEJAM in connection with this exploitation. Mandiant-associated reporting describes UNC5337 activity as likely part of the broader cluster tracked as UNC5221. TeamT5 and other reporting describe the activity as a widespread espionage campaign affecting organizations across 12 countries and nearly 20 industries, including automotive, chemical, government, financial institutions, and telecommunications. The actor's tradecraft includes exploitation of edge VPN appliances for initial access and remote code execution, pivoting into internal networks, layered command-and-control, evasion of monitoring, and log wiping. Malware associated with the broader SPAWN ecosystem in this context includes SPAWNCHIMERA and modules such as SPAWNANT, SPAWNMOLE, SPAWNSNAIL, and SPAWNSLOTH.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- automotive
- chemical
- government
- finance
- telecommunications
Associated malware families
8 malware families attributed to this actor across reporting.
3 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
"...installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024..."; "CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025."
Similarly, CVE-2025-22457 is also attributed to a stack-based buffer overflow weakness. This vulnerability impacts a range of Ivanti products, including Pulse Connect Secure 9.1x and Ivanti Connect Secure 22.7R2.5 and earlier... Ivanti released a patch for this vulnerability on February 11, 2025.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
UNC5337 is a China-nexus threat actor known for exploiting edge-appliance vulnerabilities (notably Ivanti Connect Secure CVE-2025-0282/0283) to gain access to networks, leading to operational downtime and requiring extensive remediation.
China-nexus cyber espionage activity exploiting Ivanti Connect Secure (ICS) CVE-2025-0282 (as a zero-day) to deploy the SPAWN malware ecosystem and related tooling (DRYHOOK, PHASEJAM).
China-linked cyber espionage activity targeting Ivanti Connect Secure VPN appliances by exploiting critical stack buffer overflow vulnerabilities to gain remote code execution and deploy the SPAWN* malware toolkits (e.g., SPAWNCHIMERA modules) for persistence, tunneling, backdoor access, and log wiping.