Mallory
Malware | Used by 2 actors | Exploits 2 CVEs

SpawnSloth

SPAWNSLOTH is a component of the SPAWN malware ecosystem used for log tampering and log wiping on compromised Ivanti Connect Secure devices. It has been observed as a variant named liblogblock.so bundled within the RESURGE implant, where it tampers with Ivanti device logs to hide malicious activity and erase evidence of intrusion. Reporting also ties SPAWNSLOTH to the SPAWNSNAIL backdoor and describes it targeting the dslogserver process to disable both local logging and remote syslog forwarding. The malware has been associated with exploitation of Ivanti vulnerabilities including CVE-2025-0282, and with broader SPAWN ecosystem activity observed after exploitation of CVE-2025-22457. Mandiant/Google Threat Intelligence Group and other reporting link the activity to the China-linked threat actor UNC5221, with related clustering also referencing UNC5337. It has been used in campaigns targeting Ivanti Connect Secure VPN appliances across multiple sectors and countries. The file name liblogblock.so is the known indicator associated with a SPAWNSLOTH variant.


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each entry links to the full Mallory page for that vulnerability.
CVE-2025-22457: Unauthenticated RCE in Ivanti Connect Secure, Policy Secure, and ZTA Gateways (exploited in the wild)

"On April 3, 2025, Ivanti disclosed a critical vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure (ICS) VPN appliances version 22.7R2.5 and earlier. The flaw, initially underestimated as a denial-of-service risk, was later found to be a buffer overflow that allows remote code execution. Mandiant observed exploitation beginning in mid-March 2025..." and "The actor also used other SPAWN components such as SPAWNSLOTH (log tampering), SPAWNSNARE (kernel image extraction and encryption), and SPAWNWAVE (an evolved implant utility)."

Source: Wiz Cloud Threats (threats.wiz.io)
CVE-2025-0282: Unauthenticated RCE in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateway (exploited in the wild)

"Researchers believe a China-linked threat actor, UNC5221, exploited the CVE-2025-0282 vulnerability as a zero-day since mid-December 2024."

Source: SC World (scworld.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC5221

"It includes multiple modules with diverse capabilities: SPAWNSLOTH: Log wiper"

Source: securityonline.info

UNC5337

"It includes multiple modules with diverse capabilities: SPAWNSLOTH: Log wiper"

Source: securityonline.info
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

T1588.002 Tool (evidence: 1)

"deployment of ... malware families ... TRAILBLAZE ... BRUSHFIRE ... deployment of the previously reported SPAWN ecosystem of malware"

Initial Access (1 technique)

T1190 Exploit Public-Facing Application (evidence: 3)

"...threat actors exploited Ivanti CVE-2025-0282 for initial access."

Execution (1 technique)

T1203 Exploitation for Client Execution (evidence: 1), tactic: Execution

"The main attack vector is CVE-2025-0282, a stack-based buffer overflow vulnerability that affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways."

Stealth (2 techniques)

T1070 Indicator Removal (evidence: 3), tactic: Stealth

"The second file is a variant of SPAWNSLOTH... The file tampers with the Ivanti device logs."

T1070.002 Clear Linux or Mac System Logs (evidence: 1), tactic: Stealth

"variant of the SpawnSloth malware... Its main purpose is log tampering to hide malicious activity"

Other (1 technique)

T1562.006 Indicator Blocking (evidence: 1)

"SPAWNSLOTH acts as a log tampering component ... targets the dslogserver process to disable both local logging and remote syslog forwarding."

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (1 tracked): File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
domain | (redacted on the public page) | 3 months ago
hash.sha256 | (redacted on the public page) | 3 months ago