CISA Warns of RESURGE Malware Exploiting Ivanti Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a new malware variant, RESURGE, which is being deployed by exploiting a vulnerability in Ivanti Connect Secure (ICS) appliances.

According to CISA's Malware Analysis Report (MAR), the malicious code has been used in attacks exploiting CVE-2025-0282 in Ivanti Connect Secure (ICS) appliances. RESURGE contains the capabilities of the SPAWNCHIMERA malware but adds distinctive commands that alter its behavior.

Malicious Capabilities of RESURGE

RESURGE creates web shells, bypasses integrity checks, and modifies files. It also enables credential harvesting, account creation, and privilege escalation, and it persists by copying the web shell to the appliance's running boot disk and manipulating the running coreboot image.

The malware acts as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler, allowing threat actors to establish covert access through SSH tunnels, proxies, and attacker-controlled encryption keys.

Ivanti Vulnerability and Exploitation

In January, CISA added the Ivanti Connect Secure vulnerability CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is a stack-based buffer overflow that allows an unauthenticated remote attacker to achieve remote code execution.

A separate high-severity flaw, CVE-2025-0283, can be triggered by a local authenticated attacker to escalate privileges, according to CISA's advisory. Ivanti has released updates that address both the critical and the high-severity vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

Attack Impact

Ivanti reported that a limited number of customers' Ivanti Connect Secure appliances had been exploited via CVE-2025-0282 at the time of disclosure. There was, however, no evidence that either CVE was being exploited in Ivanti Policy Secure or ZTA Gateways.

Malware Identification

CISA identifies "libdsupgrade.so", aka RESURGE, as a malicious Linux shared object file found on Ivanti ICS devices. The malware modifies files, manipulates integrity checks, and installs a persistent web shell.

The agency also provided details about liblogblock.so, a 32-bit Linux ELF binary that is a SPAWNSLOTH variant used for log tampering.

The SPAWNSLOTH variant tampers with logs stealthily by suppressing identifying messages, making detection harder. It uses an open-source function-hooking tool to intercept the logging function _ZN5DSLog4File3addEPKci (demangled: DSLog::File::add(char const*, int)) and detaches the shared memory used for logging, so that entries are never written.
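Hooking a function in a running process leaves a detectable trace: the first bytes of the hooked function in memory no longer match the same function on disk. The following Python is an added example (not code from CISA's report or from Ivanti) and assumes the hooking library works the way most user-space inline hookers do, overwriting the target's entry with a jump to a trampoline. The prologue bytes and the hooked variant are constructed samples, not dumps from an appliance.

```python
"""Detect an inline hook on a logging function's entry point.

Added example, not code from CISA's report or from Ivanti. It assumes the
hooking library overwrites the first bytes of the target function in memory
with a jump to attacker code.  Comparing the in-memory prologue of
DSLog::File::add (mangled _ZN5DSLog4File3addEPKci) with the bytes of the
same function in the on-disk binary reveals the patch.  All byte strings
below are constructed samples.
"""
import struct

TARGET_SYMBOL = "_ZN5DSLog4File3addEPKci"  # DSLog::File::add(char const*, int)

# Constructed 32-bit x86 prologue (push ebp; mov ebp,esp; push edi; push esi;
# push ebx; sub esp,0x2c).  Not taken from Ivanti code.
CLEAN_PROLOGUE = bytes.fromhex("55 89 e5 57 56 53 83 ec 2c")

# Same function after an inline hook: the first 5 bytes replaced by
# 'jmp rel32' (E9 00 10 00 00) into a trampoline 0x1000 bytes ahead.
HOOKED_PROLOGUE = bytes.fromhex("e9 00 10 00 00") + CLEAN_PROLOGUE[5:]


def decode_trampoline(code):
    """Describe a control-transfer sequence at offset 0, or return None.

    Recognised x86 patterns (32- and 64-bit):
      E9 rel32        jmp rel32        -> target = 5 + rel32 (function-relative)
      FF 25 addr32    jmp [addr32]     -> pointer slot (absolute on x86-32,
                                          RIP-relative on x86-64)
      68 imm32 C3     push imm32; ret  -> target = imm32
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", 5 + rel)
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        slot = struct.unpack_from("<I", code, 2)[0]
        return ("jmp_indirect", slot)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        addr = struct.unpack_from("<I", code, 1)[0]
        return ("push_ret", addr)
    return None


def check_prologue(symbol, disk_bytes, mem_bytes):
    """Compare the on-disk and in-memory prologue of one function.

    Returns a dict with a hooked flag, the byte offsets that differ, and the
    decoded trampoline if the patch starts with a recognised jump.
    """
    if len(disk_bytes) != len(mem_bytes):
        raise ValueError("compare equal-length windows from the function start")
    diffs = [i for i, (d, m) in enumerate(zip(disk_bytes, mem_bytes)) if d != m]
    return {
        "symbol": symbol,
        "hooked": bool(diffs),
        "patched_offsets": diffs,
        "trampoline": decode_trampoline(mem_bytes) if diffs else None,
    }


if __name__ == "__main__":
    for label, mem in (("clean", CLEAN_PROLOGUE), ("hooked", HOOKED_PROLOGUE)):
        print(label, check_prologue(TARGET_SYMBOL, CLEAN_PROLOGUE, mem))
```

On a live system the two inputs would come from the symbol's address in the process memory (for example via /proc/PID/mem) and from the same offset in the library file. Ordinary function prologues contain no relocations, so any difference is suspicious; a decoded jump target that lands outside the library's own mapping is the strongest signal.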

BUSYBOX Component

The malware contains a custom embedded binary that bundles an open-source shell script and a subset of applets from the open-source tool BusyBox. The shell script, the Linux kernel tree's extract-vmlinux, lets threat actors extract an uncompressed kernel image (vmlinux) from a compressed kernel image.
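What that script does is simple to show: scan the compressed kernel image for the signatures of the compressors the kernel build supports, try to decompress at each hit, and keep the first result that begins with an ELF header. The Python below is an added example that reimplements that approach; it is not the attackers' code or the kernel tree's script, and the kernel image it operates on is constructed in memory, not taken from an Ivanti appliance.

```python
"""Extract an uncompressed vmlinux from a compressed kernel image.

Added example reimplementing the approach of the kernel tree's
extract-vmlinux script: scan for compression signatures, try to decompress
at each hit, and accept the first result that starts with an ELF header.
The sample images are constructed below; no real kernel is used.
"""
import bz2
import gzip
import lzma
import zlib

ELF_MAGIC = b"\x7fELF"


def _gunzip(buf):
    # wbits=16+MAX_WBITS selects the gzip wrapper; trailing junk is tolerated
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = d.decompress(buf)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def _unxz(buf):
    d = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    out = d.decompress(buf)
    if not d.eof:
        raise ValueError("truncated xz stream")
    return out


def _unbz2(buf):
    d = bz2.BZ2Decompressor()
    out = d.decompress(buf)
    if not d.eof:
        raise ValueError("truncated bzip2 stream")
    return out


# (signature, name, decompressor): the same signatures extract-vmlinux greps for
SIGNATURES = [
    (b"\x1f\x8b\x08", "gzip", _gunzip),
    (b"\xfd7zXZ\x00", "xz", _unxz),
    (b"BZh", "bzip2", _unbz2),
]


def extract_vmlinux(image):
    """Return (offset, method, elf_bytes) for the first embedded stream that
    decompresses to an ELF file, or None if nothing qualifies.

    A signature can occur by chance in boot-sector or setup code, so a hit
    that fails to decompress, or that yields something other than an ELF,
    is skipped and the scan continues from the next byte.
    """
    for sig, name, decompress in SIGNATURES:
        start = 0
        while True:
            off = image.find(sig, start)
            if off < 0:
                break
            try:
                out = decompress(image[off:])
            except (OSError, ValueError, EOFError, lzma.LZMAError, zlib.error):
                out = b""
            if out.startswith(ELF_MAGIC):
                return off, name, out
            start = off + 1
    return None


# --- constructed sample input (not a real Ivanti or Linux kernel) ----------
FAKE_VMLINUX = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 \
    + b"Linux version (constructed sample)\n" * 8
DECOY = b"\x1f\x8b\x08" + b"\xff" * 8            # gzip magic with a bogus header
PREFIX = b"\xea\x05\x00\xc0\x07\x8c\xc8" + b"\x00" * 128 + b"HdrS" + DECOY
SAMPLE_BZIMAGE = PREFIX + gzip.compress(FAKE_VMLINUX, mtime=0) + b"\x00" * 32
SAMPLE_XZ_IMAGE = b"\x90" * 40 + lzma.compress(FAKE_VMLINUX) + b"\x00" * 32


if __name__ == "__main__":
    for img in (SAMPLE_BZIMAGE, SAMPLE_XZ_IMAGE):
        off, how, elf = extract_vmlinux(img)
        print(f"{how} stream at offset {off}, {len(elf)} bytes of ELF")
```

The decoy signature in the constructed image is the edge case that matters in practice: a false hit must be rejected by the decompressor or the ELF check rather than abort the scan. The same routine is useful to defenders for pulling the kernel out of a suspect appliance image for comparison against a known-good build.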

The bundled BusyBox applets give threat actors a working toolset on the appliance, for example to download and execute additional payloads on compromised devices.