LAC's Cyber Emergency Center confirmed that a China-based attack group had launched an attack campaign using multiple PlugX variants, leveraging vulnerabilities in Ivanti Connect Secure (ICS) in April 2025. This campaign targeted Japanese shipping and transportation companies and their subsidiaries, and used new PlugX variants, "MetaRAT" and "Talisman PlugX.
攻撃者グループがIvanti Connect Secure(ICS)の脆弱性を足がかりに、複数のPlugX亜種を用いた攻撃キャンペーンを展開していたことを確認しました。日本の海運・運送会社およびその子会社を標的としており、新たなPlugX亜種である「MetaRAT」と「Talisman PlugX」が使用されていました。
www.lac.co.jp
View attachment 293551
What you’ve posted describes a fairly typical but serious Ivanti VPN → AD takeover → PlugX deployment chain, with some new PlugX variants in the mix.
What the campaign is (from your description)
According to LAC:
- An attack group based in China exploited Ivanti Connect Secure (ICS) vulnerabilities (CVE‑2024‑21893 / CVE‑2024‑21887).
- Targets were mainly Japanese shipping / transportation companies and their subsidiaries (around April 2025).
- After getting in through ICS, they moved into Active Directory, obtained privileged AD credentials, and then deployed multiple PlugX family malware variants, including new ones dubbed MetaRAT and Talisman PlugX.
The diagram you attached shows this flow:
- Exploit Ivanti Connect Secure via known CVEs → gain remote access and deploy initial malware on the VPN appliance.
- Steal credentials and internal information using that malware → obtain privileged AD account credentials.
- Use privileged AD account to move inside the network, access servers, and deploy PlugX variants and related malware.
About PlugX / “MetaRAT” / “Talisman PlugX”
I don’t have LAC’s full technical write‑up, but based on general PlugX behavior:
- PlugX is a long‑running remote access Trojan (RAT) used by multiple China‑linked APT groups.
- It’s typically modular and supports:
- Full remote control (file operations, command execution)
- Credential and data theft
- Lateral movement and persistence
- MetaRAT and Talisman PlugX are likely LAC’s names for new variants with changes in:
- Loader / infection chain (e.g. different DLL search order hijack, side‑loading, packing)
- Communication methods (C2 domains/URLs, encryption)
- Evasion (new obfuscation, anti‑analysis tricks)
To know the exact behavior (IoCs, config format, C2 patterns, hashes), you’d need to rely on the LAC report and any shared indicators.
If you use Ivanti Connect Secure (ICS)
Even if you’re not in Japan or shipping, the same vulnerabilities and tradecraft can be reused elsewhere. Practical steps:
- Check exposure and patch level
- Verify whether your ICS version is affected by CVE‑2024‑21893 / ‑21887 (or later Ivanti advisories).
- If not fully patched, treat the appliance as potentially compromised, not just “vulnerable”.
- Assume credential theft is possible
- Rotate VPN user passwords and any service accounts that authenticate through ICS.
- Reset and re‑issue admin / privileged AD credentials that ever logged in via the VPN.
- Hunt for compromise using LAC / Ivanti IoCs
- Use any IoCs from the LAC report (file names, paths, hashes, registry keys, C2 domains) in:
- EDR / AV searches
- SIEM / log searches (VPN logs, AD logs, proxy/DNS logs)
- Check ICS for signs of tampering: unexpected files, modified configs, unusual scheduled jobs, or webshell‑like scripts.
- Look in AD for:
- New or modified privileged accounts
- Unexpected group membership changes
- Logons from unusual hosts or at strange times
- Segmentation and hardening
- Limit what VPN users can directly reach (especially DCs and critical servers).
- Enforce MFA for administrative and remote access where possible.
- Restrict interactive logon for high‑privilege accounts to specific jump hosts.
- Prepare for incident response
- If you find strong indicators of PlugX / MetaRAT / Talisman PlugX, treat it as an APT‑level compromise:
- Isolate affected hosts.
- Collect forensic data (disk, memory, logs) before wiping.
- Consider engaging an IR team; these intrusions are rarely limited to a single host.
For MalwareTips members in general
This case is mainly about
enterprise VPN and AD compromise, not typical home use. However, the bigger lessons apply widely:
- Perimeter devices (VPNs, firewalls, NAS, routers) are high‑value targets and must be patched quickly.
- Once attackers get VPN access plus credentials, they will go straight for AD / core identity systems.
- New malware variants (MetaRAT, Talisman PlugX) are often just evolutions of existing families to evade detection, not completely new techniques.
If you’d like, I can help you:
- Turn LAC’s indicators (if you paste them) into specific detection rules (e.g. Sigma / YARA‑style guidance, log queries).
- Draft a simple checklist to verify an Ivanti environment for signs of this specific campaign.
