A significant cybersecurity alert has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) regarding a new malware variant named RESURGE. This sophisticated malware is actively exploiting a critical zero-day vulnerability, CVE-2025-0282, to breach Ivanti Connect Secure devices. The discovery highlights the ongoing threats to secure remote access solutions, which are widely adopted by enterprises and government agencies.
The RESURGE malware exhibits advanced capabilities designed for stealth and persistence. It is engineered to survive system restarts, harvest sensitive credentials, and maintain a covert presence long after the initial intrusion. This persistent nature makes it particularly challenging to detect and eradicate fully from compromised systems. The U.S. government agency officially added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025, following its initial observation in active exploitation in December 2024.
The primary attack vector exploited by RESURGE is CVE-2025-0282, identified as a stack-based buffer overflow vulnerability. This specific flaw affects a range of Ivanti products, including Connect Secure, Policy Secure, and ZTA Gateways. In a stack-based buffer overflow attack, threat actors send more input than a fixed-size buffer on the stack can hold. The excess data overwrites adjacent memory, which can let attackers execute their own malicious code on the targeted system and thereby gain unauthorized access.
CISA analysts first identified the RESURGE malware after a thorough examination of three files retrieved from an Ivanti Connect Secure device belonging to a critical infrastructure organization. This organization had already fallen victim to an exploit leveraging CVE-2025-0282 to establish an initial foothold. The investigation unearthed not only RESURGE but also a variant of SPAWNSLOTH, a tool designed to manipulate device logs to erase evidence of the intrusion. Additionally, a custom binary named “dsmain” was discovered, which bundles BusyBox utilities to decrypt and repackage coreboot images, indicating a multi-faceted approach to maintaining access.
Understanding the RESURGE Malware Toolkit
The combination of RESURGE, SPAWNSLOTH, and the “dsmain” binary represents a comprehensive attack toolkit. One component facilitates initial access, another works to conceal the breach by cleaning logs, and the third modifies the system’s fundamental startup processes to ensure continued access. This layered strategy demonstrates a high degree of sophistication by the threat actors involved, aiming for both initial entry and long-term control.
RESURGE itself is an evolution of SPAWNCHIMERA, a previously identified malware family known for its ability to persist across system reboots. The RESURGE variant, identified as “libdsupgrade.so,” enhances these capabilities with three new commands. According to CISA’s analysis, RESURGE functions as a multi-purpose tool, incorporating characteristics of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. This convergence of functions within a single component significantly amplifies its power and potential for deep system compromise.
Given that Ivanti Connect Secure products serve as secure VPN gateways for numerous organizations globally, a successful compromise can have far-reaching implications. An attacker gaining control of such a device can potentially access an entire enterprise network from within. Once RESURGE is entrenched, it enables attackers to steal user credentials, create unauthorized user accounts, reset passwords, and escalate their own privileges, often without triggering the standard security alerts that would signal a breach.
How RESURGE Stays Hidden and Holds On
The persistent nature of RESURGE is largely attributed to the deep level at which it integrates into the compromised system. The malware inserts itself into the “ld.so.preload” file. This critical system file forces the malware to load during the device’s startup sequence, ensuring it executes before almost all other processes. This early loading position grants RESURGE a significant degree of control from the moment the device powers on, rendering it invisible to many standard security scanning tools.
Beyond this boot-level persistence, RESURGE establishes a web shell, a minimalist script acting as a remote command-and-control interface. This web shell is strategically placed on the Ivanti device’s running boot disk. Furthermore, the malware modifies the coreboot image, the initial software that starts the device. By embedding code at this fundamental layer, RESURGE can survive even system reinstalls, making removal exceptionally difficult. CISA’s updated analysis indicates that RESURGE employs forged TLS certificates and a CRC32 fingerprint hashing scheme. This mechanism allows it to distinguish between legitimate network traffic and commands originating from the attacker, ensuring its operations remain concealed during normal usage.
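The ld.so.preload persistence described above is straightforward to audit from the defender's side. The following POSIX shell check is an added example, not code from CISA's report or from Ivanti; it flags preload entries that are not on an allowlist or that point at a library missing from disk. The allowlist, temporary directory and sample preload file are constructed here; on a glibc system the real file is /etc/ld.so.preload, which is normally absent or empty.

```shell
#!/bin/sh
# Added example (not from CISA or Ivanti): audit an ld.so.preload file.
# check_preload FILE ALLOWLIST
#   FILE      - path to the preload file to inspect
#   ALLOWLIST - space-separated library paths that are expected to be there
# Prints one line per finding and returns 0 (clean) or 1 (needs investigation).
check_preload() {
    file="$1"; allow="$2"; bad=0
    # A missing or empty preload file is the normal state on most systems.
    [ -s "$file" ] || return 0
    # Strip '#' comments; entries may be separated by spaces or newlines.
    for lib in $(sed 's/#.*//' "$file"); do
        case " $allow " in
            *" $lib "*) ;;                             # expected entry
            *) echo "NOT_ALLOWLISTED $lib"; bad=1 ;;   # injected into every dynamically linked process
        esac
        # A dangling entry can mean the loader was pointed at a now-removed file.
        [ -e "$lib" ] || { echo "MISSING_ON_DISK $lib"; bad=1; }
    done
    return $bad
}

# Constructed demonstration: a preload file carrying the RESURGE file name
# next to an allowlisted library (all paths below are made up for this example).
demo=$(mktemp -d)
touch "$demo/libexpected.so"
printf '%s\n' "$demo/libexpected.so" "$demo/libdsupgrade.so  # constructed" \
    > "$demo/ld.so.preload"
if check_preload "$demo/ld.so.preload" "$demo/libexpected.so"; then
    echo "preload file is clean"
else
    echo "preload file needs investigation"
fi
rm -rf "$demo"
```

On a live system, `check_preload /etc/ld.so.preload ""` with an empty allowlist is the right starting point, since any entry at all deserves a look.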
CISA strongly recommends that affected organizations perform a factory reset as the most effective method for clearing the RESURGE infection. For cloud-based or virtual environments, it is advised to use a verified external clean image. All account credentials, including both privileged and non-privileged accounts, must be reset. The krbtgt account, which manages Kerberos authentication, requires a double reset due to its historical password data. Organizations should consider temporarily revoking access for affected devices, conducting a thorough review of access policies, and closely monitoring administrative accounts for any signs of unauthorized activity. Any suspicious behavior detected should be reported to CISA’s 24/7 Operations Center.