RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Functions

Mar 30, 2025 | Ravie Lakshmanan | Vulnerability / Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances.

“RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior,” the agency said. “The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.”

The security vulnerability associated with the deployment of the malware is CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.

It impacts the following versions:

  • Ivanti Connect Secure before version 22.7R2.5
  • Ivanti Policy Secure before version 22.7R1.2, and
  • Ivanti Neurons for ZTA gateways before version 22.7R2.3
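The version list above is the kind of thing that gets checked by hand across a fleet and then mis-read, because Ivanti's `22.7R2.5` style does not sort as a plain string. The following is an added example, not part of the original article or any Ivanti or CISA tooling: it parses that version shape into a comparable tuple and triages a constructed inventory against the "before version X" boundaries stated above. The product labels, hostnames and installed versions in the sample are invented for the example; the fixed versions are the ones the article gives.

```python
import re
from typing import List, Tuple

# First patched version for each product named in the article's list above.
# The product labels are keys chosen for this example, not Ivanti identifiers.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Matches the <major>.<minor>R<release>[.<patch>] shape used by the versions above.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string such as '22.7R2.5' into a comparable tuple.

    A version with no trailing patch number ('22.7R2') is treated as patch 0;
    that is an assumption made for this example, not documented Ivanti semantics.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version format: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is older than the first fixed version,
    i.e. it falls inside the 'before version X' range given in the article."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, product, version) records, return hosts still needing the update."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory: hostnames and installed versions invented for this example.
SAMPLE_INVENTORY = [
    ("vpn-01", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1"),
    ("zta-01", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2025-0282")
```

The comparison is component-wise, so an appliance still on an older release line (anything below 22.7) is also reported as needing the update, which matches the article's "before version" wording; a string that does not fit the expected shape raises rather than silently passing as patched.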

According to Google-owned Mandiant, CVE-2025-0282 has been weaponized to deliver what’s called the SPAWN ecosystem of malware, comprising several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN has been attributed to a China-nexus espionage group dubbed UNC5337.

Last month, JPCERT/CC revealed that it observed the security defect being used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines all the aforementioned disparate modules into one monolithic malware, while also incorporating changes to facilitate inter-process communication via UNIX domain sockets.

Notably, the revised variant harbored a feature to patch CVE-2025-0282 so as to prevent other malicious actors from exploiting it for their own campaigns.

RESURGE (“libdsupgrade.so”), per CISA, is an improvement over SPAWNCHIMERA with support for three new commands:

  • Insert itself into “ld.so.preload”, set up a web shell, manipulate integrity checks, and modify files
  • Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image
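The first command above relies on `ld.so.preload`, which the dynamic loader reads at every process start, so a single line in that file is enough to get a library mapped into essentially every program on the box. The following is an added example written for this article, not CISA's or Ivanti's code, showing the defender's side: parse the file the way the loader does and compare each entry against an allowlist of expected paths and SHA-256 digests. The file contents, the `/lib/libdsupgrade.so` path (the article gives only the filename) and the vendor library are all constructed for the example; on a real appliance the digests would be collected from a mounted image or a vendor integrity check, not from the running system.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's bytes, as a hex string."""
    return hashlib.sha256(data).hexdigest()


def parse_preload(text: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload file.

    Mirrors glibc's rules as this example understands them: entries are separated
    by whitespace or colons, and text from '#' to the end of a line is ignored.
    """
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def audit_preload(text: str, known_good: Dict[str, str], on_disk: Dict[str, str]) -> List[str]:
    """Compare ld.so.preload entries against an allowlist of path -> expected SHA-256.

    `on_disk` maps each listed path to the digest of the file actually present
    (collected out of band). Any entry that is not on the allowlist, or whose
    digest differs from the allowlisted one, is reported as a finding. On most
    systems the allowlist is empty: nothing should be preloaded at all.
    """
    findings: List[str] = []
    for path in parse_preload(text):
        if path not in known_good:
            findings.append(f"unexpected preload entry: {path}")
        elif on_disk.get(path) != known_good[path]:
            findings.append(f"preload entry content changed: {path}")
    return findings


# --- Constructed samples (contents and paths invented for this example) ---

# Scenario 1: a preload file naming the RESURGE library from the article, on a
# system whose allowlist is empty. The /lib/ prefix is an assumption.
PRELOAD_WITH_IMPLANT = "/lib/libdsupgrade.so\n"

# Scenario 2: a preload file listing a hypothetical vendor library that is
# expected, with its known-good digest on record.
VENDOR_LIB = "/usr/lib/libvendor-hook.so"
VENDOR_LIB_BYTES = b"constructed stand-in for the expected library contents"
PRELOAD_WITH_VENDOR = f"{VENDOR_LIB}   # added by installer\n"
KNOWN_GOOD = {VENDOR_LIB: sha256_hex(VENDOR_LIB_BYTES)}


def run_scenarios() -> Dict[str, List[str]]:
    """Run the scenarios and return their findings keyed by scenario name."""
    return {
        "implant": audit_preload(PRELOAD_WITH_IMPLANT, {}, {}),
        "vendor-unchanged": audit_preload(
            PRELOAD_WITH_VENDOR, KNOWN_GOOD, {VENDOR_LIB: sha256_hex(VENDOR_LIB_BYTES)}
        ),
        "vendor-replaced": audit_preload(
            PRELOAD_WITH_VENDOR, KNOWN_GOOD, {VENDOR_LIB: sha256_hex(b"different bytes")}
        ),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, "->", findings or ["clean"])
```

The digest check matters as much as the path check: the second RESURGE command above says it manipulates integrity checks, so a path that looks legitimate is not evidence on its own. The same reasoning applies to the third command, which is why the comparison baseline should come from a trusted copy of the image rather than from the appliance itself.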

CISA said it also unearthed two other artifacts from an unspecified critical infrastructure entity’s ICS device: a variant of SPAWNSLOTH (“liblogblock.so”) contained within RESURGE and a bespoke 64-bit Linux ELF binary (“dsmain”).

“The [SPAWNSLOTH variant] tampers with the Ivanti device logs,” it said. “The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image.”

It’s worth noting that CVE-2025-0282 has also been exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), Microsoft disclosed earlier this month.

The latest findings indicate that the threat actors behind the malware are actively refining and reworking their tradecraft, making it imperative that organizations update their Ivanti instances to the latest version.

As further mitigations, it’s advised to reset credentials of privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.
