Update to RESURGE Malware Analysis

This Malware Analysis Report (MAR) was originally published on March 28, 2025, to share indicators of compromise (IOCs) and detection signatures for RESURGE malware. The Cybersecurity and Infrastructure Security Agency (CISA) has updated this MAR to provide deeper technical insight into RESURGE, giving network defenders a better understanding of the malware and tools to identify, mitigate, and respond to it. CISA’s updated analysis shows that RESURGE can remain latent on systems until a remote threat actor attempts to connect to the compromised device. CISA therefore assesses that RESURGE may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat.

CISA analyzed three files obtained from a critical infrastructure organization’s Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access. One file—which CISA is calling RESURGE—has functionality similar to SPAWNCHIMERA in how it creates a Secure Shell (SSH) tunnel for command and control (C2). CISA’s original analysis revealed that RESURGE contains a series of commands that can modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk. CISA’s updated analysis shows that RESURGE employs sophisticated network-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged TLS certificates to facilitate covert communications.

The second file is a variant of SPAWNSLOTH that was contained within the RESURGE sample; it tampers with the Ivanti device logs. The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The shell script extracts an uncompressed kernel image (vmlinux) from a compromised kernel image, and BusyBox enables threat actors to perform various functions, such as downloading and executing payloads on compromised devices.

CISA encourages organizations to use the IOCs and detection signatures to identify RESURGE samples and to implement the actions in CISA’s Mitigation Instructions for CVE-2025-0282 and the alert “CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure.”

Reporting
The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form.