DslogdRAT is a remote access malware observed in intrusions involving exploitation of Ivanti Connect Secure appliances, particularly CVE-2025-0282. It was reported in attacks against organizations in Japan beginning in late 2024, where exploitation of the appliance vulnerability enabled deployment of a Perl web shell that subsequently delivered DslogdRAT. The malware establishes a socket-based connection to an external controller, transmits basic host information, and supports remote command execution, file upload and download, and proxying of network traffic through the compromised system. These capabilities make it suitable for hands-on post-compromise operations and follow-on intrusion activity.
DslogdRAT has been discussed alongside other malware used in Ivanti Connect Secure exploitation campaigns, including SPAWNCHIMERA and other SPAWN-related tooling, but available reporting does not conclusively tie DslogdRAT to the same campaign or operator. The broader activity has been associated with exploitation of edge infrastructure and subsequent post-exploitation actions against private-sector and government targets. High-confidence reporting supports DslogdRAT as a post-exploitation remote access tool used after successful compromise of Ivanti Connect Secure environments.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"...installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024..."; "CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025." | Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS).
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Related articles DslogdRAT Malware Installed in Ivanti Connect Secure
RAT installed (with a web shell) after exploitation of Ivanti Connect Secure zero-day CVE-2025-0282 in attacks in Japan (Dec 2024).
DslogdRAT is a remote access trojan delivered via exploitation of Ivanti Connect Secure vulnerabilities. Specific details are not provided in the content.
Remote access trojan (RAT) deployed via exploitation of Ivanti Connect Secure vulnerabilities to provide attackers with persistent access and control over compromised systems.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.