china_nexus_apt

A China-nexus advanced persistent threat (APT) group that EclecticIQ attributed with high confidence as the primary actor behind the 2025 exploitation wave targeting Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities CVE-2025-4427 and CVE-2025-4428. The campaign targeted Internet-facing Ivanti EPMM servers and affected thousands of organizations, particularly in Europe, including hospitals, a UK government entity, and organizations in telecommunications and financial services. Reported post-compromise activity included deploying reverse shells on compromised Ivanti servers, searching system directories and configuration files to obtain unencrypted database credentials, accessing MySQL to obtain EPMM encryption keys, and decrypting sensitive platform data. The actor’s access to EPMM could enable abuse of legitimate administrative functions against enrolled mobile devices, including resetting PINs, unlocking devices, pushing security configurations, deploying applications or malware, and installing root certificates to intercept and decrypt mobile web traffic. If cloud integrations were enabled, attackers could obtain valid access tokens for Google Workspace, Salesforce, and Microsoft 365, with potential for broader enterprise compromise and business email compromise. Attribution indicators cited in the content include China Telecom-hosted command-and-control infrastructure, use of open-source reconnaissance tools documented in Mandarin, and use of the open-source FRP reverse-proxy tool for tunneling, lateral movement, and internal network access. No additional aliases or sub-groups are provided in the content.