The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a new malware variant, RESURGE, deployed on Ivanti Connect Secure (ICS) appliances following exploitation of a now-patched vulnerability.
According to CISA, RESURGE shares capabilities with the SPAWNCHIMERA malware variant, including persistence across reboots, but adds unique commands that change its behavior. The malware functions as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.
RESURGE is associated with CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow vulnerability impacting:
- Ivanti Connect Secure (versions before 22.7R2.5)
- Ivanti Policy Secure (versions before 22.7R1.2)
- Ivanti Neurons for ZTA gateways (versions before 22.7R2.3)
The vulnerability allows a remote, unauthenticated attacker to achieve remote code execution on the appliance and deploy malicious payloads.
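The affected-version list above uses Ivanti's "major.minorRrelease.patch" version strings, which do not compare correctly as plain strings or floats. The following added example (not code from CISA, Ivanti, or the original article) parses that format and checks an inventory against the fixed versions quoted above; the inventory entries are constructed sample data, and the product names are used verbatim as dictionary keys.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions for CVE-2025-0282 as quoted in the text above ("before version X").
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Ivanti versions look like 22.7R2.5; the trailing patch number may be absent (22.7R2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '22.7R2.5' into (22, 7, 2, 5). A missing patch number counts as 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is strictly older than the fixed version.

    This implements the CVE wording literally ("before version X"): anything that
    sorts below the fixed version, including older release branches, is reported
    as vulnerable, which is the conservative answer for triage.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version recorded for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory entries that still need the CVE-2025-0282 fix."""
    return [
        entry
        for entry in inventory
        if is_vulnerable(entry["product"], entry["version"])
    ]


# Constructed sample inventory (hypothetical hostnames, not from the original page).
SAMPLE_INVENTORY = [
    {"host": "vpn-a.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.4"},
    {"host": "vpn-b.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"host": "nac-1.example.test", "product": "Ivanti Policy Secure", "version": "22.7R1"},
    {"host": "zta-1.example.test", "product": "Ivanti Neurons for ZTA gateways", "version": "22.7R2.3"},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print(f"{entry['host']}: {entry['product']} {entry['version']} is below the fixed version")
```

Note that "22.7R2" and "22.7R2.0" compare equal, and that a string comparison would wrongly rank "22.7R2.10" below "22.7R2.5"; the tuple comparison avoids both problems.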
Google-owned cybersecurity firm Mandiant reports that CVE-2025-0282 has been exploited to deliver the SPAWN malware ecosystem. This ecosystem includes SPAWNANT, SPAWNMOLE, and SPAWNSNAIL and has been linked to a China-nexus espionage group, UNC5337.
In February 2025, Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) reported the use of an enhanced SPAWN variant, SPAWNCHIMERA. This iteration consolidates the separate modules into a single malware strain and switches inter-process communication to UNIX domain sockets. Notably, SPAWNCHIMERA includes a self-patching mechanism that closes the vulnerability it came in through, preventing other threat actors from exploiting it on the same device.
CISA’s analysis of RESURGE (“libdsupgrade.so”) reveals additional features beyond SPAWNCHIMERA. The malware introduces three key new commands:
- Persistence and Web Shell Deployment: Inserts itself into "ld.so.preload" (so the loader maps the library into every new process), enabling web shell installation, file modifications, and manipulation of the integrity check.
- Credential and Privilege Exploitation: Facilitates credential harvesting, account creation, password resets, and privilege escalation.
- Boot Disk and Coreboot Manipulation: Copies the web shell to the Ivanti boot disk and modifies the running coreboot image for deeper persistence.
CISA also discovered two additional malicious artifacts on a compromised ICS device within a critical infrastructure entity:
- SPAWNSLOTH Variant (“liblogblock.so”): This malware component tampers with Ivanti device logs.
- Custom 64-bit Linux ELF Binary ("dsmain"): A bespoke embedded binary that contains an open-source shell script and a subset of applets from BusyBox. The script can extract an uncompressed kernel image (vmlinux) from a compromised kernel image.
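The three artifacts above are plain files on the appliance, and the ld.so.preload entry is the hook that keeps RESURGE loaded. The following added example (not CISA's or Ivanti's code, and not the vendor's Integrity Checker Tool) parses an ld.so.preload file the way glibc's loader does, flags every entry, and matches a file listing against the artifact names quoted above. The sample preload contents and paths are constructed for the example; real paths and hashes should be taken from CISA's report, and matching on file name alone is weak because an attacker can rename a library.

```python
import posixpath
import re
from typing import Dict, List

# Artifact file names quoted in the CISA analysis above. The page gives no paths or
# hashes, so this matches on basename only; replace with hash matching in practice.
KNOWN_ARTIFACTS: Dict[str, str] = {
    "libdsupgrade.so": "RESURGE",
    "liblogblock.so": "SPAWNSLOTH variant (log tampering)",
    "dsmain": "custom ELF binary (BusyBox applets, vmlinux extraction script)",
}


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the shared objects listed in an /etc/ld.so.preload file.

    glibc's dynamic loader accepts entries separated by whitespace or ':' and
    treats '#' to end of line as a comment, so the parser mirrors that.
    """
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_preload(text: str) -> List[str]:
    """Flag every preload entry; an appliance normally has none at all."""
    findings: List[str] = []
    for path in parse_ld_so_preload(text):
        label = KNOWN_ARTIFACTS.get(posixpath.basename(path))
        if label:
            findings.append(f"{path}: matches known artifact ({label})")
        else:
            findings.append(f"{path}: unexpected preload entry (file should be empty)")
    return findings


def match_artifacts(file_listing: List[str]) -> Dict[str, str]:
    """Map each listed path whose basename is a known artifact to its label."""
    return {
        path: KNOWN_ARTIFACTS[posixpath.basename(path)]
        for path in file_listing
        if posixpath.basename(path) in KNOWN_ARTIFACTS
    }


# Constructed sample data (hypothetical paths, not from the original page or CISA).
SAMPLE_PRELOAD = (
    "# constructed sample, not a real appliance file\n"
    "/opt/example/libdsupgrade.so:/opt/example/liblogblock.so\n"
    "/opt/example/libunknown.so\n"
)
SAMPLE_LISTING = [
    "/bin/ls",
    "/opt/example/dsmain",
    "/opt/example/libdsupgrade.so",
    "/usr/lib/libc.so.6",
]

if __name__ == "__main__":
    for finding in audit_preload(SAMPLE_PRELOAD):
        print(finding)
    for path, label in match_artifacts(SAMPLE_LISTING).items():
        print(f"{path}: {label}")
```

Because SPAWNSLOTH tampers with device logs and RESURGE modifies the integrity check itself, a clean result from on-box checks is not conclusive; compare against a known-good image or run the check from a forensic copy of the disk.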
Microsoft recently disclosed that another China-linked threat group, Silk Typhoon (formerly Hafnium), exploited CVE-2025-0282 as a zero-day. The steady progression from SPAWN to SPAWNCHIMERA to RESURGE shows the operators continuing to refine their tooling against the same appliance class.
Mitigation Measures
To protect against RESURGE and related threats, organizations should:
- Update Ivanti instances to the latest patched versions.
- Reset credentials for both privileged and non-privileged accounts.
- Rotate passwords for all domain users and local accounts.
- Review and adjust access policies to temporarily revoke privileges for compromised devices.
- Monitor accounts for anomalies and reset relevant access keys.
Because RESURGE persists through "ld.so.preload" and the boot disk and tampers with the integrity check, applying the patch alone does not evict an implant that is already present; an appliance showing these artifacts should be treated as compromised and restored from a known-good image before credentials are rotated. The evolving sophistication of these attacks underscores the need for organizations to remain vigilant and maintain robust defenses around edge devices.