CISA Warns of RESURGE Malware Targeting Ivanti Appliances

CISA has published an analysis of a piece of malware it calls RESURGE, which has been used in attacks exploiting the recently patched Ivanti Connect Secure vulnerability CVE-2025-0282. The malware has a range of capabilities, including credential theft, password resets, and persistence across reboots.

The analysis is based on three files recovered from a compromised Ivanti appliance at a critical infrastructure operator. RESURGE is the name CISA gave to the main component, a 32-bit Linux shared object named “libdsupgrade.so”. It is related to the existing SPAWNCHIMERA malware but adds capabilities of its own. Specifically, RESURGE has three commands: one creates a web shell, one uses that web shell for credential harvesting, account creation, and other tasks, and one copies the web shell to the running Ivanti boot disk and manipulates the boot image.

“The file 'libdsupgrade.so' is a malicious 32-bit Linux Shared Object file that was extracted from an Ivanti Connect Secure device version 22.7.4.30859. The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. The file shares similar functionality to SPAWNCHIMERA malware; however, this file contains a series of commands that modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk,” the CISA advisory says.
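The advisory's description gives two concrete things to look for on a suspect appliance: a specific file name and a specific file form (a 32-bit Linux shared object). The script below is an added example and not code from CISA, Ivanti, or this article. It assumes you have an offline copy of the appliance filesystem (a mounted forensic image or an extracted tarball) at a path you pass in, and optionally a text file of SHA-256 digests taken from a clean appliance of the same version to use as a baseline; both inputs are hypothetical and yours to supply. It parses ELF headers itself, flags any file named libdsupgrade.so and any 32-bit ET_DYN object not in the baseline, and prints SHA-256 hashes so results can be compared against the indicators published in CISA's report.

```python
"""Triage a copied Ivanti appliance filesystem for RESURGE-style shared objects.

Added example (not CISA's, Ivanti's or the article's code). Assumes an offline
copy of the appliance filesystem and an optional baseline of known-good
SHA-256 digests (hypothetical inputs supplied by the operator).
"""
import hashlib
import os
import struct
import sys
from typing import Optional, Set

IOC_FILENAMES = {"libdsupgrade.so"}  # file name given in the CISA advisory

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def classify_elf(data: bytes) -> Optional[dict]:
    """Parse e_ident, e_type and e_machine from the first 20 bytes of a file.

    Returns None for anything that is not a parseable ELF header."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in ELF_CLASS or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"      # EI_DATA: 1 = little, 2 = big
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "class": ELF_CLASS[ei_class],
        "type": ELF_TYPE.get(e_type, f"0x{e_type:04x}"),
        "machine": e_machine,
    }


def assess(name: str, header: bytes) -> Optional[str]:
    """Reason to inspect this file, or None.

    The advisory's file name is a high-confidence indicator regardless of
    content; otherwise only 32-bit shared objects (the form the advisory
    gives for RESURGE) are flagged."""
    info = classify_elf(header)
    if name in IOC_FILENAMES:
        return "name matches advisory IOC" + ("" if info else " (not an ELF file)")
    if info and info["class"] == "ELF32" and info["type"] == "ET_DYN":
        return "32-bit ELF shared object"
    return None


def load_baseline(path: Optional[str]) -> Set[str]:
    """One SHA-256 hex digest per line, sha256sum-style ('digest  path' is fine).
    This baseline is hypothetical: build it yourself from a clean appliance."""
    if not path:
        return set()
    with open(path) as fh:
        return {line.split()[0].lower() for line in fh if line.strip()}


def scan_tree(root: str, baseline: Set[str] = frozenset()) -> list:
    """Walk the copied filesystem; return (path, reason, sha256) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    header = fh.read(64)
                    reason = assess(fname, header)
                    if reason is None:
                        continue
                    digest = hashlib.sha256(header)
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)      # stream, don't load large files
            except OSError:
                continue
            hexdigest = digest.hexdigest()
            # Known-good files drop out; the IOC file name is always reported.
            if hexdigest in baseline and fname not in IOC_FILENAMES:
                continue
            findings.append((path, reason, hexdigest))
    return findings


# Constructed sample headers for self-checking the parser; not real malware bytes.
def _fake_elf(ei_class: int, e_type: int, e_machine: int) -> bytes:
    ident = ELF_MAGIC + bytes([ei_class, 1, 1]) + b"\x00" * 9   # 16-byte e_ident
    return ident + struct.pack("<HH", e_type, e_machine) + b"\x00" * 32


SAMPLE_32BIT_SO = _fake_elf(1, 3, 3)     # ELF32, ET_DYN, EM_386
SAMPLE_64BIT_EXE = _fake_elf(2, 2, 62)   # ELF64, ET_EXEC, EM_X86_64


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    known_good = load_baseline(sys.argv[2] if len(sys.argv) > 2 else None)
    for path, reason, hexdigest in scan_tree(root, known_good):
        print(f"{hexdigest}  {path}  [{reason}]")
```

Run it as `python3 triage.py /mnt/ivanti-image baseline.txt` (paths are placeholders). Without a baseline, every legitimate 32-bit library on the appliance is reported as well, so treat the ET_DYN rule as a filter to narrow and the file name match as the signal worth acting on, and compare the printed digests with the hashes in CISA's report. The scan is meant for an offline copy on purpose: the advisory says this malware manipulates integrity checks and writes to the running boot disk, so results from tools run on the live appliance cannot be trusted.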

CISA did not specify which critical infrastructure provider was compromised with the RESURGE malware or even what sector the organization is in. 

The Ivanti Connect Secure vulnerability exploited in this attack, CVE-2025-0282, is a stack-based buffer overflow that Ivanti disclosed and patched in January. The flaw was already being exploited at that time, although few details about the exploitation activity were made public then.

The other two files CISA recovered from the compromised appliance carry additional malicious capabilities.

“The second file is a variant of SPAWNSLOTH that was contained within the RESURGE sample. The file tampers with the Ivanti device logs. The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image. BusyBox enables threat actors to perform various functions such as downloading and executing payloads on compromised devices,” the advisory says.

Ivanti appliances are frequent targets for attackers, and organizations with appliances affected by this vulnerability should upgrade immediately if they haven’t already.