The United States Cybersecurity and Infrastructure Security Agency (CISA) has provided information about a new type of malware known as RESURGE, which is being used to exploit a patched security vulnerability in Ivanti Connect Secure (ICS) appliances.
According to CISA, “RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior.” The agency further noted that “the file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.”
The security vulnerability associated with the deployment of the malware is CVE-2025-0282, a stack-based buffer overflow vulnerability that affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways, and could result in remote code execution.
The affected versions are:
- Ivanti Connect Secure before version 22.7R2.5
- Ivanti Policy Secure before version 22.7R1.2, and
- Ivanti Neurons for ZTA gateways before version 22.7R2.3
Google-owned Mandiant reported that CVE-2025-0282 has been used to deliver the SPAWN ecosystem of malware, which includes several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN has been attributed to a China-nexus espionage group known as UNC5337.
Last month, JPCERT/CC revealed that the security defect was being used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines the aforementioned disparate modules into one monolithic malware and incorporates changes to facilitate inter-process communication via UNIX domain sockets.
Notably, the revised variant has a feature to patch CVE-2025-0282 to prevent other malicious actors from exploiting it for their campaigns.
RESURGE (“libdsupgrade.so”), according to CISA, is an improvement over SPAWNCHIMERA with support for three new commands –
- Insert itself into “ld.so.preload,” set up a web shell, manipulate integrity checks, and modify files
- Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation
- Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image
CISA also discovered two other artifacts from an unspecified critical infrastructure entity's ICS device: a variant of SPAWNSLOTH ("liblogblock.so") contained within RESURGE and a bespoke 64-bit Linux ELF binary ("dsmain").
“The [SPAWNSLOTH variant] tampers with the Ivanti device logs,” it said. “The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image.”
It’s worth noting that CVE-2025-0282 has also been exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), according to Microsoft.
The latest findings indicate that the threat actors behind the malware are actively refining and reworking their tactics, making it essential that organizations patch their Ivanti instances to the latest version.
To mitigate this, it’s advised to reset credentials of privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.