
New Malware Variant RESURGE Exploits Ivanti Vulnerability

A new malware variant dubbed RESURGE has been uncovered by the US Cybersecurity and Infrastructure Security Agency (CISA) and is targeting Ivanti Connect Secure appliances through a critical vulnerability.

Attackers exploit a stack-based buffer overflow, CVE-2025-0282, to deploy the malware, which then creates web shells, manipulates system files and survives system reboots.

CISA’s analysis revealed that RESURGE shares functionality with the earlier SPAWNCHIMERA malware but adds distinct commands that improve its stealth and persistence.

RESURGE’s capabilities include embedding web shells for credential harvesting, modifying coreboot images to maintain access and evading integrity checks.

The malware injects itself into legitimate processes, creating SSH tunnels for command-and-control (C2) communication. It also copies malicious components to the Ivanti boot disk, ensuring persistence even after restarts.

CISA noted RESURGE’s ability to execute arbitrary commands, including password resets and privilege escalation.

The malware was found alongside a variant of the SPAWNSLOTH log-tampering tool and a custom binary “dsmain,” which incorporates BusyBox utilities. dsmain enables attackers to decrypt and repackage coreboot images, embedding malicious payloads. The analysis also identified RESURGE’s use of open-source tools like extract_vmlinux.sh to modify kernel images, further complicating detection.

CVE-2025-0282 was added to CISA’s Known Exploited Vulnerabilities Catalog on January 8, 2025 and affects Ivanti Connect Secure, Policy Secure and ZTA Gateways. Attackers exploit this flaw to gain initial access, after which RESURGE deploys its full toolkit.

CISA urges immediate action, recommending:

  • Factory resets for compromised devices, using clean images for cloud systems
  • Resetting credentials for all accounts, including a double reset of the krbtgt account (the Active Directory account whose key encrypts and signs Kerberos ticket-granting tickets), with enough time between the two resets for the change to replicate to every domain controller
  • Temporarily revoking or reducing privileges for affected devices to contain breaches
  • Monitoring administrative accounts for unauthorized activity
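The krbtgt double reset in the list above is easy to get wrong: a second reset issued before the first has replicated leaves domain controllers issuing tickets under different keys. The following PowerShell script is an added example, not code from CISA’s report or from Ivanti; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and a management host that can reach every writable domain controller. The function names (New-RandomKrbtgtPassword, Wait-KrbtgtReplication, Reset-Krbtgt) are the author’s own.

```powershell
# Added example: reset krbtgt twice, confirming replication of the new key
# to every writable DC in between. Not CISA's or Ivanti's code.
Import-Module ActiveDirectory

function New-RandomKrbtgtPassword {
    # krbtgt is never used interactively, so the value only has to be random.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

function Wait-KrbtgtReplication {
    # Poll every writable DC until its copy of krbtgt shows the new PasswordLastSet.
    param([datetime]$ResetTime, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
           Select-Object -ExpandProperty HostName
    do {
        $pending = foreach ($dc in $dcs) {
            $pls = (Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $dc).PasswordLastSet
            if (-not $pls -or $pls -lt $ResetTime) { $dc }
        }
        if (-not $pending) { return $true }
        Write-Host "Waiting for krbtgt replication to: $($pending -join ', ')"
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Reset-Krbtgt {
    # Write to the PDC emulator and verify pwdLastSet actually advanced there.
    $pdc = (Get-ADDomain).PDCEmulator
    $before = (Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $pdc).PasswordLastSet
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomKrbtgtPassword) -Server $pdc
    $after = (Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $pdc).PasswordLastSet
    if ($after -le $before) { throw "krbtgt PasswordLastSet did not advance on $pdc" }
    return $after
}

# First reset: the compromised key drops to the previous (N-1) slot once replicated.
$t1 = Reset-Krbtgt
if (-not (Wait-KrbtgtReplication -ResetTime $t1)) {
    throw "Replication incomplete after first reset; do not perform the second reset yet"
}

# Wait at least the maximum TGT lifetime (10 hours under default domain policy)
# so legitimate tickets issued under the old key expire, then reset again to
# push the compromised key out of the N-1 slot entirely.
# Start-Sleep -Seconds (10 * 3600)   # uncomment for an unattended run
$t2 = Reset-Krbtgt
if (-not (Wait-KrbtgtReplication -ResetTime $t2)) {
    throw "Replication incomplete after second reset; investigate the listed DCs"
}
Write-Host "krbtgt reset twice and replicated; previous key material is no longer honoured"
```

The check on PasswordLastSet across DCs is what makes the second reset safe: krbtgt keeps the current and previous key, so a second reset issued before replication would leave some DCs with neither key a client holds. The 10-hour pause is the default Kerberos maximum ticket lifetime; check the domain’s actual policy before relying on it.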

The agency also provided YARA and SIGMA detection rules, along with a detailed Malware Analysis Report (MAR-25993211.R1.V1.CLEAR).


Additional guidance includes disabling unnecessary services, enforcing strong passwords and scanning removable media.

CISA emphasized situational awareness of evolving threats, referencing NIST’s malware incident handling standards for broader organizational preparedness.

Users are directed to report incidents via CISA’s Operations Center or submit malware samples to Malware Nextgen.
