CISA Alert: Beware of Dormant RESURGE Malware on Ivanti Devices

CISA Warns of Dormant RESURGE Malware on Ivanti Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently disclosed new information regarding RESURGE, a malicious implant that has been used in zero-day attacks to exploit the CVE-2025-0282 vulnerability in Ivanti Connect Secure devices.

The update focuses on the implant's ability to lie dormant and undetected on the devices, as well as the network-level evasion and authentication techniques that allow covert communication with the attacker.

Initially documented by CISA on March 28 last year, RESURGE is capable of surviving reboots, creating webshells for credential theft, generating accounts, resetting passwords, and escalating privileges.

According to researchers at Mandiant, a leading incident response company, the critical CVE-2025-0282 vulnerability has been exploited as a zero-day since mid-December 2024 by a threat actor associated with China, internally tracked as UNC5221.

Uncovering Network-Level Evasion Techniques

CISA’s updated bulletin provides further technical insights into RESURGE, which is identified as a malicious 32-bit Linux Shared Object file named libdsupgrade.so extracted from a compromised device.

The implant is described as a passive command-and-control (C2) implant with various capabilities such as rootkit, bootkit, backdoor, dropper, proxying, and tunneling.

Instead of beaconing out to the C2, it waits indefinitely for a specific inbound TLS connection, which sidesteps network monitoring that looks for outbound callbacks. The implant hooks the ‘accept()’ function inside the ‘web’ process so that it can inspect incoming TLS packets before they reach the web server, looking for connection attempts from the remote attacker, who is identified by a CRC32 hash of the TLS fingerprint.

Once the fingerprint has been validated and the threat actor has authenticated to the malware, the actor establishes remote access to the implant over a mutual TLS session that uses elliptic-curve cryptography. Because the session looks like ordinary TLS/SSH traffic, the implant stays stealthy and persistent.


Another component analyzed is a variant of the SpawnSloth malware named liblogblock.so, which is contained within the RESURGE implant. Its primary function is log tampering to conceal malicious activities on compromised devices.
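Because both libdsupgrade.so and liblogblock.so are shared objects that end up loaded into the ‘web’ process, one defender-side check is to look at that process's memory mappings for those filenames and for any shared object loaded from an unexpected location. The following is an added example, not code from CISA or the article; the /proc maps text below is constructed, the /tmp and /data paths are placeholders, and the "outside /lib or /usr/lib" heuristic is an assumption that may need tuning for the appliance's real layout.

```python
import re
from typing import Dict, List

# Filenames named in CISA's RESURGE analysis (from the article); CISA's paths are not given there.
RESURGE_FILENAMES = {"libdsupgrade.so", "liblogblock.so"}

# Constructed sample of /proc/<pid>/maps for the 'web' process (not captured from a real
# device); the implant paths under /tmp and the extra library under /data are placeholders.
SAMPLE_MAPS = """\
08048000-08150000 r-xp 00000000 08:01 1234 /home/bin/web
b7e00000-b7f20000 r-xp 00000000 08:01 5678 /lib/libc.so.6
b7f30000-b7f40000 r-xp 00000000 08:01 9999 /tmp/libdsupgrade.so
b7f50000-b7f60000 r-xp 00000000 08:01 9998 /tmp/liblogblock.so
b7f70000-b7f80000 r-xp 00000000 08:01 9997 /data/runtime/libexample.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

# address perms offset dev inode pathname; only file-backed mappings (absolute path) match.
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/\S+)$")


def mapped_objects(maps_text: str) -> List[str]:
    """Return the distinct file-backed mappings in first-seen order."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group("path") not in seen:
            seen.append(m.group("path"))
    return seen


def find_resurge_mappings(maps_text: str) -> Dict[str, List[str]]:
    """Flag known RESURGE filenames and, as an assumed heuristic, any shared object
    mapped from outside the usual system library directories."""
    hits: Dict[str, List[str]] = {"known_resurge": [], "suspicious_so": []}
    for path in mapped_objects(maps_text):
        name = path.rsplit("/", 1)[-1]
        if name in RESURGE_FILENAMES:
            hits["known_resurge"].append(path)
        elif ".so" in name and not path.startswith(("/lib", "/usr/lib")):
            hits["suspicious_so"].append(path)
    return hits


if __name__ == "__main__":
    for category, paths in find_resurge_mappings(SAMPLE_MAPS).items():
        print(category, paths)
```

On a live system the same functions can be fed the contents of /proc/<pid>/maps for the ‘web’ process; a match should be treated as a lead to confirm against CISA's published IoCs, not as proof on its own.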

A third file, dsmain, is a kernel extraction script that embeds the open-source script ‘extract_vmlinux.sh’ and the BusyBox collection of Unix/Linux utilities. It allows RESURGE to decrypt, modify, and re-encrypt coreboot firmware images for boot-level persistence.

CISA’s updated analysis shows that RESURGE can remain dormant on a system until a remote actor attempts to connect to the compromised device, allowing it to go undetected in the meantime. This presents an ongoing threat to Ivanti Connect Secure devices.

System administrators are advised to utilize the updated indicators of compromise (IoCs) provided by CISA to identify and eliminate dormant RESURGE infections from Ivanti devices.
