RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features

Avatar
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances. “RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that
[[{“value”:”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances.

“RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior,” the agency said. “The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.”

The security vulnerability associated with the deployment of the malware is CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.

It impacts the following versions –

Ivanti Connect Secure before version 22.7R2.5
Ivanti Policy Secure before version 22.7R1.2, and
Ivanti Neurons for ZTA gateways before version 22.7R2.3

According to Google-owned Mandiant, CVE-2025-0282 has been weaponized to deliver what’s called the SPAWN ecosystem of malware, comprising several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN has been attributed to a China-nexus espionage group dubbed UNC5337.

Last month, JPCERT/CC revealed that it observed the security defect being used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines all the aforementioned disparate modules into one monolithic malware, while also incorporating changes to facilitate inter-process communication via UNIX domain sockets.

Most notably, the revised variant harbored a feature to patch CVE-2025-0282 so as to prevent other malicious actors from exploiting it for their campaigns.

RESURGE (“libdsupgrade.so”), per CISA, is an improvement over SPAWNCHIMERA with support for three new commands –

Insert itself into “ld.so.preload,” set up a web shell, manipulate integrity checks, and modify files
Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation
Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image

CISA said it also unearthed two other artifacts from an unspecified critical infrastructure entity’s ICS device: A variant of SPAWNSLOTH (“liblogblock.so”) contained within RESURGE and a bespoke 64-bit Linux ELF binary (“dsmain”).

“The [SPAWNSLOTH variant] tampers with the Ivanti device logs,” it said. “The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image.”

It’s worth noting that CVE-2025-0282 has also been exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), Microsoft disclosed earlier this month.

The latest findings indicate that the threat actors behind the malware are actively refining and reworking their tradecraft, making it imperative that organizations patch their Ivanti instances to the latest version.

As further mitigation, it’s advised to reset credentials of privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials

Next Post

Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine

Related Posts

Non-Human Identities: How to Address the Expanding Security Risk

Human identities management and control is pretty well done with its set of dedicated tools, frameworks, and best practices. This is a very different world when it comes to Non-human identities also referred to as machine identities. GitGuardian’s end-to-end NHI security platform is here to close the gap. Enterprises are Losing Track of Their Machine Identities Machine identities–service
Avatar
Read More

INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants. The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns. "These
Avatar
Read More