RESURGE Malware
Researchers have uncovered a new malware strain, RESURGE, which has been deployed in attacks exploiting a now-patched security vulnerability in Ivanti Connect Secure (ICS) appliances. This sophisticated malware builds upon the capabilities of the SPAWNCHIMERA malware variant but introduces unique commands that modify its behavior.
A Versatile and Threatening Toolkit
RESURGE is more than a single-purpose implant: it combines the roles of rootkit, dropper, backdoor, bootkit, proxy and tunneler. Together these capabilities give attackers a durable means of maintaining persistence and control over compromised appliances.
The Exploited Vulnerability: CVE-2025-0282
The malware takes advantage of CVE-2025-0282, a stack-based buffer overflow vulnerability that affects multiple Ivanti products, including:
- Ivanti Connect Secure (before version 22.7R2.5)
- Ivanti Policy Secure (before version 22.7R1.2)
- Ivanti Neurons for ZTA Gateways (before version 22.7R2.3)
This flaw enables remote code execution, allowing attackers to deploy sophisticated malware like RESURGE.
The SPAWN Malware Ecosystem
Cybersecurity researchers have linked CVE-2025-0282 exploitation to the SPAWN ecosystem of malware, which includes components such as:
- SPAWNANT
- SPAWNMOLE
- SPAWNSNAIL
This ecosystem has been attributed to UNC5337, a China-nexus espionage group known for cyber-espionage operations.
SPAWNCHIMERA: The Evolved Threat
A notable development in the attack chain is the SPAWNCHIMERA variant, which consolidates the individual SPAWN modules into a single monolithic malware. This version introduces two significant enhancements:
- Inter-process communication via UNIX domain sockets
- Patching of CVE-2025-0282 to prevent rival threat actors from leveraging the same vulnerability
RESURGE: A Step Beyond SPAWNCHIMERA
The latest iteration, RESURGE ('libdsupgrade.so'), expands on SPAWNCHIMERA with three additional commands:
- Persistence & System Manipulation – Inserts itself into 'ld.so.preload', sets up a Web shell, alters integrity checks and modifies files.
- Credential & Privilege Exploitation – Enables Web shell usage for credential harvesting, account creation, password resets and privilege escalation.
- Boot Persistence – Copies the Web shell to the Ivanti running boot disk and modifies the coreboot image to ensure long-term access.
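The 'ld.so.preload' persistence described above leaves a file that defenders can audit. The following added example (not code from the article, Ivanti or the researchers) parses that file the way glibc's loader reads it and flags entries whose file name matches the library names reported here, or that are absent from an operator-maintained allowlist; the allowlist contents and the sample paths are constructed assumptions.

```python
import os
import re
from typing import List, Tuple

# Library file names the article attributes to RESURGE ('libdsupgrade.so')
# and to the embedded SPAWNSLOTH log tamperer ('liblogblock.so').
SUSPECT_NAMES = {"libdsupgrade.so", "liblogblock.so"}


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the library entries of an ld.so.preload file.

    glibc's loader reads the file as whitespace- or colon-separated
    entries and ignores anything after a '#'. Blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_preload(text: str, allowlist: set) -> List[Tuple[str, str]]:
    """Flag every entry that either carries a file name reported for this
    malware family or is missing from the operator-maintained allowlist."""
    findings = []
    for path in parse_ld_so_preload(text):
        if os.path.basename(path) in SUSPECT_NAMES:
            findings.append((path, "file name reported for RESURGE/SPAWNSLOTH"))
        elif path not in allowlist:
            findings.append((path, "not on the known-good allowlist"))
    return findings


# Constructed samples: a clean file and a tampered one. The paths are
# illustrative assumptions, not values taken from any real compromise.
CLEAN_PRELOAD = "# no preload entries on a healthy appliance\n"
TAMPERED_PRELOAD = (
    "/usr/lib/libvendorhook.so   # hypothetical legitimate entry\n"
    "/tmp/libdsupgrade.so:/tmp/liblogblock.so\n"
    "/opt/unknown/libx.so\n"
)
ALLOWLIST = {"/usr/lib/libvendorhook.so"}  # assumed known-good reference

if __name__ == "__main__":
    for path, why in audit_preload(TAMPERED_PRELOAD, ALLOWLIST):
        print(f"SUSPECT {path}: {why}")
```

Run it against a filesystem image or a copy taken through a trusted channel rather than on the live appliance, since a rootkit on the host may hide the file or its contents from tools executed there.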
Additional Findings: SPAWNSLOTH and DSMain
Researchers have also identified two additional malware artifacts from a compromised ICS device within critical infrastructure:
- SPAWNSLOTH ('liblogblock.so') – A variant embedded within RESURGE that manipulates Ivanti device logs to cover tracks.
- DSMain – A custom 64-bit Linux ELF binary containing an open-source shell script and components from BusyBox, enabling kernel extraction and further system compromise.
Zero-Day Exploitation by Another Threat Actor
Notably, CVE-2025-0282 has also been exploited as a zero-day by the Silk Typhoon (formerly Hafnium), another China-linked cyber-espionage group. This underscores the high value of this vulnerability among state-sponsored threat actors.
Mitigation Strategies: Staying Ahead of the Threat
Given the rapid evolution of these malware variants, organizations must take immediate action to protect their Ivanti instances:
- Patch to the latest version to close the CVE-2025-0282 vulnerability.
- Reset credentials for both privileged and non-privileged accounts.
- Rotate passwords for all domain and local accounts.
- Review access policies and temporarily revoke privileges for affected devices.
- Monitor accounts for any signs of anomalous activity.
With attackers actively refining their techniques, proactive defense measures are essential to safeguarding critical infrastructure and sensitive data.