CISA Issues Warning About 'Resurge' Malware Following Ivanti ICS Breaches

Mon 31st Mar, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a newly discovered malware named 'Resurge' that has been linked to ongoing attacks targeting Ivanti's Connect Secure (ICS) VPN software. These attacks, which have been occurring since early January, exploit a significant security vulnerability identified as CVE-2025-0282.

Following reports of persistent and successful breaches, CISA has conducted an analysis of the compromised systems and uncovered the presence of 'Resurge'. This malware is reported to have capabilities similar to those of the 'Spawn-Chimera' malware family, which was highlighted in a February report by Japan's Computer Emergency Response Team (CERT).

'Resurge' is characterized as an advanced piece of malware that survives system reboots and executes a variety of commands that alter its behavior. Among its features, 'Resurge' can establish a web shell, manipulate integrity checks, and modify files. The web shell gives attackers a foothold for activities such as credential theft, account creation, password resets, and privilege escalation. Furthermore, it can embed itself into the boot disk and core boot image of the Ivanti ICS software, which is how it persists across reboots.

CISA's detailed analysis includes indicators of compromise (IOCs) and YARA detection rules that assist in identifying infections. Analysts have provided in-depth functional analyses of the malware files, which include the primary 'Resurge' executable. This executable bears functional similarities to 'Spawn-Chimera', particularly in its ability to create a secure shell (SSH) tunnel to a command-and-control server.

Among the files associated with 'Resurge', there is a variant of 'Spawnsloth' that manipulates Ivanti logs and an embedded binary that contains an open-source shell script along with a collection of applets from the BusyBox toolkit. These tools can extract an uncompressed Linux kernel image from a compromised kernel image and facilitate the downloading and execution of additional malicious software on affected devices.

Ivanti had previously alerted users about the vulnerability and ongoing attacks, and it has since released updated software to address the underlying security issues. Mandiant, a subsidiary of Google, also provided initial malware analyses related to the 'Spawn' family earlier this year. However, the 'Resurge' malware represents a newer and more evolved threat.
