China-Linked Hackers Exploit Zero-Day Flaws in Global Cyber Espionage Campaign
April 5, 2024
Multiple China-linked threat actors have been exploiting zero-day vulnerabilities in Ivanti appliances.
Mandiant identified and is tracking threat clusters named UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886.
The actors use custom malware, such as Sliver and the WARPWIRE credential stealer, alongside a new Go-based backdoor named TERRIBLETEA.
Targets include vCenter servers and organizations in sectors such as academia, energy, defense, and health.
Their techniques combine zero-day exploits, open-source tools, and custom backdoors to remain undetected over long periods.
The activity highlights the persistent risk posed by these groups and the need for improved cybersecurity defenses.
Summary based on 1 source
Source

The Hacker News • Apr 5, 2024
Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws