CISA Warns of RESURGE Malware Exploiting Ivanti Connect Secure RCE Vulnerability
gbhackers

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a detailed Malware Analysis Report (MAR-25993211-r1.v1) on the RESURGE malware, which exploits the Remote Code Execution (RCE) vulnerability CVE-2025-0282 in Ivanti Connect Secure devices.
This vulnerability has been leveraged by threat actors to compromise critical infrastructure systems, enabling unauthorized access and control.
CISA’s analysis revealed that RESURGE is a sophisticated backdoor malware with functionalities similar to SPAWNCHIMERA.
It establishes Secure Shell (SSH) tunnels for command-and-control (C2) operations, modifies system files, bypasses integrity checks, and deploys web shells on compromised devices.
Additionally, RESURGE creates a persistent foothold by copying malicious components to the Ivanti boot disk.
A variant of SPAWNSLOTH malware was also identified within the RESURGE sample, further complicating system recovery efforts.
SPAWNSLOTH is designed to tamper with device logs, erasing traces of malicious activity.
Another file analyzed by CISA, named “dsmain,” contains an embedded shell script and applets ...
Copyright of this story solely belongs to gbhackers.