
RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances.

"RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior," the agency said. "The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler."

The security vulnerability associated with the deployment of the malware is CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.

It impacts the following versions -

  • Ivanti Connect Secure before version 22.7R2.5
  • Ivanti Policy Secure before version 22.7R1.2, and
  • Ivanti Neurons for ZTA gateways before version 22.7R2.3

According to Google-owned Mandiant, CVE-2025-0282 has been weaponized to deliver what's called the SPAWN ecosystem of malware, comprising several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN has been attributed to a China-nexus espionage group dubbed UNC5337.

Last month, JPCERT/CC revealed that it observed the security defect being used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines all the aforementioned disparate modules into one monolithic malware, while also incorporating changes to facilitate inter-process communication via UNIX domain sockets.

Most notably, the revised variant harbored a feature to patch CVE-2025-0282 so as to prevent other malicious actors from exploiting it for their campaigns.

RESURGE ("libdsupgrade.so"), per CISA, is an improvement over SPAWNCHIMERA with support for three new commands -

  • Insert itself into "ld.so.preload," set up a web shell, manipulate integrity checks, and modify files
  • Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image

CISA said it also unearthed two other artifacts from an unspecified critical infrastructure entity's ICS device: a variant of SPAWNSLOTH ("liblogblock.so") contained within RESURGE and a bespoke 64-bit Linux ELF binary ("dsmain").

"The [SPAWNSLOTH variant] tampers with the Ivanti device logs," it said. "The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image."
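As an added defender-side illustration (not from CISA's advisory or from any Ivanti tooling): a small check over the contents of an appliance's ld.so.preload, which RESURGE is described above as inserting itself into. It reports every preloaded library not on an allowlist and separately flags the RESURGE and SPAWNSLOTH filenames named in this article; the sample file content, its paths and the allowlist are constructed for the example.

```python
import re

# Filenames this article associates with RESURGE and the SPAWNSLOTH variant.
KNOWN_BAD_NAMES = {"libdsupgrade.so", "liblogblock.so"}


def parse_ld_so_preload(text: str) -> list[str]:
    """Return the shared-object paths listed in an ld.so.preload file.

    glibc reads the file as a list of objects separated by whitespace or ':'
    and skips text from '#' to the end of the line, so strip comments first.
    """
    without_comments = re.sub(r"#[^\n]*", "", text)
    return [tok for tok in re.split(r"[\s:]+", without_comments) if tok]


def check_preload(text: str, allowlist: frozenset[str] = frozenset()) -> dict:
    """Classify each preload entry.

    A populated ld.so.preload is unusual on an appliance, so any entry outside
    the allowlist is reported as unexpected; entries whose basename matches
    the artifact names above are additionally reported as known_bad.
    """
    entries = parse_ld_so_preload(text)
    unexpected = [e for e in entries if e not in allowlist]
    known_bad = [e for e in entries if e.rsplit("/", 1)[-1] in KNOWN_BAD_NAMES]
    return {"entries": entries, "unexpected": unexpected, "known_bad": known_bad}


# Constructed sample content; the directory is hypothetical, only the
# filename comes from the article.
SAMPLE_PRELOAD = "# constructed sample\n/home/lib/libdsupgrade.so\n"

if __name__ == "__main__":
    print(check_preload(SAMPLE_PRELOAD))
```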

It's worth noting that CVE-2025-0282 has also been exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), Microsoft disclosed earlier this month.

The latest findings indicate that the threat actors behind the malware are actively refining and reworking their tradecraft, making it imperative that organizations patch their Ivanti instances to the latest version.

As further mitigation, it's advised to reset credentials of privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.
