CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure

CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands: 

  • Create a web shell, manipulate integrity checks, and modify files. 
  • Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions. 
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image. 

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.

For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.

For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML.

CISA urges users and administrators to implement the following actions in addition to the