Ivanti’s Security Crisis Just Got Worse: RESURGE Malware Raises the Stakes
A newly discovered malware named RESURGE is targeting Ivanti Connect Secure vulnerabilities, delivering stealth capabilities like rootkits and web shells. Tied to China-linked espionage groups.

The cybersecurity world is watching closely as RESURGE, a new and highly capable malware strain, exploits a serious flaw in Ivanti Connect Secure appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers are leveraging CVE-2025-0282, a stack-based buffer overflow vulnerability, to deploy this stealthy malware package that comes fully loaded: rootkit, bootkit, backdoor, tunneler, and now, web shell persistence.
This is not some script-kiddie experiment; it’s a weaponized, evolving malware ecosystem designed for long-term access and control. The flaw affects several Ivanti products, including versions of Connect Secure, Policy Secure, and Neurons for ZTA Gateways released before late-2024 patch levels.
But here’s where it gets worse: this vulnerability isn’t just being exploited, it’s being fortified by the attackers themselves. The malware doesn’t just infect the system. It patches the very vulnerability it used to get in, locking out competitors and closing the door behind it. Classic APT (Advanced Persistent Threat) behavior.
CISA’s latest analysis reveals that RESURGE is effectively a refined successor to SPAWNCHIMERA, a previously reported malware variant already known for persistence and modular architecture. Where SPAWNCHIMERA integrated multiple components (like SPAWNANT and SPAWNMOLE), RESURGE takes it a step further, adding new commands and embedding deeper into system processes.
Here’s what RESURGE brings to the table:
- It injects itself into ld.so.preload, ensuring it launches before any shared libraries: pure stealth.
- It deploys a web shell for credential theft, privilege escalation, and lateral movement.
- It copies the shell to the boot disk and tampers with the running coreboot image, cementing persistence.
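The ld.so.preload trick above works because the loader reads that file before any shared library of any program, so an unexpected entry there is one of the first things a responder checks on a Linux host. The script below is an added example written for this article; it is not CISA's, Ivanti's, or any vendor's tooling, and it is a generic Linux triage check rather than something you would run on the appliance itself. It parses the glibc ld.so.preload format (entries separated by whitespace or colons, `#` comments) and flags every entry that is not on a responder-supplied allowlist, lives outside the assumed standard library directories in `TRUSTED_DIRS`, or is listed but missing from disk. The `SAMPLE` content is constructed for the demonstration and is not a captured artifact.

```python
import os
import re

# Library directories where a legitimately preloaded object would normally live
# (assumption for this example; adjust to the host's actual layout).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample ld.so.preload content, not a real capture from any appliance.
SAMPLE = """# constructed sample
/usr/lib/libexpected.so      # known, on the allowlist
/tmp/.x/libsuspect.so:/lib/libother.so
"""


def parse_preload(text: str) -> list[str]:
    """Return the shared-object paths in ld.so.preload content.

    glibc's loader treats '#' to end of line as a comment and splits entries
    on whitespace or ':'.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop the comment part
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def _under_trusted_dir(path: str) -> bool:
    """True if path sits inside one of TRUSTED_DIRS (prefix match on a directory boundary)."""
    return any(path.startswith(d + "/") for d in TRUSTED_DIRS)


def classify(entries, allowlist=frozenset(), exists=os.path.exists):
    """Return (path, reason) pairs for entries a responder should look at.

    `exists` is injectable so the check can run against captured content offline.
    """
    findings = []
    for path in entries:
        if path in allowlist:
            continue
        if not path.startswith("/"):
            findings.append((path, "relative path"))
        elif not _under_trusted_dir(path):
            findings.append((path, "outside trusted library directories"))
        elif not exists(path):
            findings.append((path, "listed but missing from disk"))
        else:
            findings.append((path, "not on allowlist"))
    return findings


def check_file(path="/etc/ld.so.preload", allowlist=frozenset()):
    """Read a live ld.so.preload and classify it; an absent file is the clean case."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify(parse_preload(fh.read()), allowlist)


if __name__ == "__main__":
    # Offline run over the constructed sample; exists() is stubbed so no disk access happens.
    known = {"/usr/lib/libexpected.so"}
    for entry, reason in classify(parse_preload(SAMPLE), known, exists=lambda p: False):
        print(f"{entry}: {reason}")
```

On a real host, `check_file()` with an allowlist of the preload entries your build legitimately ships (usually none) gives the list to investigate; any finding is a reason to pull the file and the referenced objects for analysis rather than to clean them in place, since the article's point is that reboots and AV scans do not undo this kind of persistence.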
Alongside RESURGE, CISA found a variant of SPAWNSLOTH that actively tampers with device logs and a 64-bit ELF binary (“dsmain”) containing a BusyBox-based script. That script can extract an uncompressed kernel image, offering attackers forensic-level access and insight into compromised systems.
This isn’t a one-off attack. China-linked espionage groups, including UNC5337 and Silk Typhoon (formerly known as Hafnium), are exploiting the same CVE; Silk Typhoon reportedly used it as a zero-day. These groups are iterating fast, refining malware and adjusting methods in real time.
So what now?
Patch. Yesterday.
Ivanti has already released security updates. If you haven’t applied them, you’re already behind. Reset credentials, privileged and otherwise. Rotate passwords across domain and local accounts. Scrutinize account activity for anything abnormal. Review access policies and restrict them aggressively if you have any suspicion of compromise.
These attacks are designed for persistence. Don’t assume a reboot or AV scan will clean things up. You need full incident response playbooks and a strategy for long-term monitoring.
The message is clear: this isn’t just a vulnerability, it’s a foothold. And if RESURGE is in your systems, you’re not just compromised. You’re owned.
Read CISA's official advisory for technical details and remediation guidance. Stay alert, stay patched, and don’t underestimate how far behind you already are if RESURGE is on your radar for the first time.