State-Sponsored Actors Exploit Ivanti VPN Zero-Days, Deploying Quintet of Malware Families

Nation-state actors have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since December 2023, using up to five different malware families. Mandiant and Volexity have tracked the threat actors, known as UNC5221, and suspect the Chinese espionage actor UTA0178 to be responsible. The attacks have targeted fewer than 20 customers, and Ivanti is expected to release patches for the vulnerabilities in late January. The campaign appears to be highly targeted and indicates the presence of an advanced persistent threat (APT).
