The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has uncovered a new malware strain known as RESURGE, which is being used in exploitation campaigns targeting a recently patched security vulnerability in Ivanti Connect Secure (ICS) devices.
According to CISA, RESURGE shares traits with the SPAWNCHIMERA malware variant but adds features that change its behavior. CISA describes the malware as having rootkit, dropper, backdoor, bootkit, proxy, and tunneler capabilities.
The security flaw exploited to deploy RESURGE is CVE-2025-0282, a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that can lead to unauthenticated remote code execution.
The affected versions include:
- Ivanti Connect Secure before version 22.7R2.5
- Ivanti Policy Secure before version 22.7R1.2
- Ivanti Neurons for ZTA gateways before version 22.7R2.3
Google-owned Mandiant has reported that CVE-2025-0282 is being leveraged to deliver a series of malware components from the SPAWN ecosystem, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL, and has attributed the activity to a China-nexus espionage cluster tracked as UNC5337.
JPCERT/CC has observed CVE-2025-0282 being exploited to deliver an updated version of SPAWN known as SPAWNCHIMERA, which merges the previously separate SPAWN modules into a single sample and moves the inter-process communication between its components to UNIX domain sockets.
RESURGE, the latest iteration, builds on SPAWNCHIMERA and adds new commands for web shell deployment, integrity-check manipulation, and file modification:
- RESURGE inserts itself into "ld.so.preload", which causes the dynamic loader to map the library into every dynamically linked process it starts; from there it establishes web shells, manipulates integrity checks, and modifies files
- The web shells are used for credential harvesting, account manipulation, password resets, and privilege escalation
- The malware copies the web shell to the running Ivanti boot disk and manipulates the running coreboot image, which is how the implant survives reboots
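One practical check that follows from the ld.so.preload persistence described above is to audit that file against a known-good baseline. The script below is an added defender-side example written for this page; it is not CISA's, Mandiant's, or Ivanti's tooling. It assumes the appliance filesystem is available offline (for example as a mounted forensic image), that the loader honours the usual glibc format (whitespace-separated library paths, `#` comments), and that the allowlist is taken from a pristine image of the same build. The allowlist entry and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit an ld.so.preload file taken from a mounted Ivanti disk image for
# libraries that are not on a known-good allowlist. RESURGE persists by
# writing itself into ld.so.preload, so any entry that the firmware build
# does not normally carry is a finding. Illustrative analyst tooling, not
# CISA's or Ivanti's code; the allowlist and file contents are constructed.

# Assumed baseline (constructed): in practice take it from a pristine image
# of the same firmware version, never from the suspect device.
ALLOWED_PRELOADS="/usr/lib/libexample.so"

# Usage: audit_ld_preload <path-to-ld.so.preload>
# Prints "UNEXPECTED <lib>" for each entry outside the allowlist.
# Returns 0 when the file is absent or clean, 1 when something was flagged.
audit_ld_preload() {
    preload="$1"
    # No preload file means the loader has nothing to inject into every process.
    [ -f "$preload" ] || return 0
    findings=0
    # glibc reads whitespace-separated names; anything after '#' is a comment.
    # The '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        for lib in $line; do
            ok=0
            for allowed in $ALLOWED_PRELOADS; do
                [ "$lib" = "$allowed" ] && ok=1
            done
            if [ "$ok" -eq 0 ]; then
                echo "UNEXPECTED $lib"
                findings=$((findings + 1))
            fi
        done
    done < "$preload"
    [ "$findings" -eq 0 ]
}

# Number of flagged entries, for use from other scripts.
count_unexpected() {
    audit_ld_preload "$1" | grep -c '^UNEXPECTED ' || true
}

# Demonstration on a constructed sample; the injected path is hypothetical.
demo_dir=$(mktemp -d)
printf '%s\n' '# loaded into every process' \
               '/usr/lib/libexample.so' \
               '/tmp/.hidden/libinjected.so' > "$demo_dir/ld.so.preload"
if audit_ld_preload "$demo_dir/ld.so.preload"; then
    echo "ld.so.preload matches baseline"
else
    echo "ld.so.preload tampering detected"
fi
rm -rf "$demo_dir"
```

Point the function at the file from the mounted image rather than the live appliance: a rootkit that has already hooked the loader can hide its own entry from any process started on the compromised system, which is exactly why the comparison should be done offline against a baseline from a clean build.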
CISA has also discovered two additional artifacts from an undisclosed critical infrastructure entity’s ICS device: a variant of SPAWNSLOTH (“liblogblock.so”) embedded within RESURGE and a customized 64-bit Linux ELF binary (“dsmain”).
The SPAWNSLOTH variant tampers with Ivanti device logs, while the custom binary bundles an open-source shell script and a subset of BusyBox applets that allow an uncompressed kernel image to be extracted from the compromised system.
Furthermore, Microsoft has disclosed that the zero-day vulnerability CVE-2025-0282 has also been exploited by a China-linked threat group known as Silk Typhoon (formerly Hafnium).
Organizations should update their Ivanti devices to a fixed version to close the vulnerability, but on a device that has already been compromised patching alone does not remove an implant that is already present on disk. CISA additionally recommends resetting credentials, rotating passwords, reviewing access policies, and monitoring accounts for suspicious activity.