Cyber Security News

CISA Warns of RESURGE Malware Exploiting Ivanti Connect Secure RCE Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a detailed Malware Analysis Report (MAR-25993211-r1.v1) on the RESURGE malware, which exploits the Remote Code Execution (RCE) vulnerability CVE-2025-0282 in Ivanti Connect Secure devices.

This vulnerability has been leveraged by threat actors to compromise critical infrastructure systems, enabling unauthorized access and control.

CISA’s analysis revealed that RESURGE is a sophisticated backdoor malware with functionalities similar to SPAWNCHIMERA.

It establishes Secure Shell (SSH) tunnels for command-and-control (C2) operations, modifies system files, bypasses integrity checks, and deploys web shells on compromised devices.

Additionally, RESURGE creates a persistent foothold by copying malicious components to the Ivanti boot disk.

A variant of SPAWNSLOTH malware was also identified within the RESURGE sample, further complicating system recovery efforts.

SPAWNSLOTH is designed to tamper with device logs, erasing traces of malicious activity.

Another file analyzed by CISA, named “dsmain,” contains an embedded shell script and applets from the open-source BusyBox toolset.

These components allow threat actors to extract uncompressed kernel images (vmlinux), analyze vulnerabilities, and execute malicious payloads.

The attackers used encryption to manipulate coreboot RAM disks, which helped keep their operations stealthy.

Malware Functionality Breakdown

RESURGE employs a series of commands to establish remote command execution capabilities.

It inserts itself into critical system files like ld.so.preload, modifies Python scripts to disable mismatch tracking, and generates cryptographic signatures to disguise altered files as legitimate.

Commands executed by the malware include creating secure sockets for SSH access, manipulating boot processes, and deploying additional payloads.

SPAWNSLOTH, meanwhile, uses function-hooking techniques to intercept system calls and manipulate shared memory linked to logging processes.

This ensures that log entries related to malicious activities are erased or altered.

Recommendations for Mitigation

CISA urges organizations using Ivanti Connect Secure devices to implement robust cybersecurity measures immediately:

  • Apply patches for CVE-2025-0282 and ensure systems are updated.
  • Maintain strong password policies and restrict administrative privileges.
  • Monitor system logs for anomalies and scan for unauthorized modifications.
  • Deploy antivirus solutions with updated signatures to detect malware variants like RESURGE and SPAWNSLOTH.
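Two of the tampering signs described above, an unexpected entry in ld.so.preload and a modified system script, can be checked with a simple integrity baseline. The following is an added example written for this article, not code from CISA's report; every path and value in it is constructed.

```python
# Added example (not from the CISA report or this article): integrity checks
# for the two tampering signs described, an unexpected ld.so.preload entry and
# a changed hash on a monitored file. All paths and values are constructed.
import hashlib
import os
import tempfile
from typing import Dict, List

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_preload(path: str, allowed: List[str]) -> List[str]:
    """Entries in ld.so.preload not on the allow-list (a missing file is fine)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as f:
        lines = [ln.strip() for ln in f]
    return [e for e in lines if e and not e.startswith("#") and e not in allowed]

def check_baseline(baseline: Dict[str, str]) -> Dict[str, str]:
    """{path: reason} for monitored files that are missing or changed."""
    out = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            out[path] = "missing"
        elif sha256_file(path) != expected:
            out[path] = "hash mismatch"
    return out

def demo() -> dict:
    """Constructed scenario: baseline a script, then alter it and add a preload."""
    d = tempfile.mkdtemp()
    script, preload = os.path.join(d, "check.py"), os.path.join(d, "ld.so.preload")
    with open(script, "w") as f:
        f.write("print('ok')\n")
    baseline = {script: sha256_file(script)}
    clean = (check_preload(preload, []), check_baseline(baseline))
    with open(script, "a") as f:
        f.write("# tampered\n")
    with open(preload, "w") as f:
        f.write("/tmp/constructed-sample.so\n")  # placeholder, not a real indicator
    return {"clean": clean, "after": (check_preload(preload, []), check_baseline(baseline))}

if __name__ == "__main__":
    print(demo())
```

On a real appliance the baseline would be recorded from a known-good image and stored off the device, since malware that rewrites files can also rewrite a baseline kept beside them.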

Organizations are advised to exercise caution when handling external media or downloading software from unverified sources.

Regular audits of network traffic and system integrity are critical in identifying potential compromises.

CISA emphasizes the importance of reporting suspicious activity promptly. Malware samples can be submitted for analysis via official channels listed on CISA’s website.

For further assistance or detailed guidance on securing systems against emerging threats, organizations can contact CISA directly.

This advisory highlights the growing sophistication of cyber threats targeting critical infrastructure.

Vigilance and proactive defense strategies are essential in mitigating risks posed by advanced malware like RESURGE.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
