While organizations were busy implementing their 2025 security plans, a new malware variant named RESURGE emerged to wreck their peace of mind. Detailed in a CISA malware analysis report in March 2025, this nasty piece of work targets Ivanti Connect Secure appliances through the CVE-2025-0282 vulnerability. Great timing, hackers. Really.
RESURGE isn’t just your run-of-the-mill malware. It’s the Swiss Army knife of digital threats – functioning as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler all wrapped into one devastating package. It builds on capabilities from its predecessor, SPAWNCHIMERA, but with fancy new tricks. Because apparently, the old ways of breaking into systems weren’t efficient enough. The initial setup costs for comprehensive protection against such sophisticated threats can range from $100,000 to $700,000 for organizations.
RESURGE: where hackers packed six malware functionalities into one nightmare because they’re overachievers like that.
The vulnerability itself is a stack-based buffer overflow affecting Ivanti Connect Secure before 22.7R2.5, Policy Secure before 22.7R1.2, and ZTA Gateways before 22.7R2.3. Translation: unauthenticated remote code execution. No password needed. Just walk right in and make yourself at home. Darktrace's Threat Research team identified suspicious activity linked to this vulnerability as early as December 2024, 11 days before Ivanti's public disclosure on January 8, 2025.
What makes RESURGE particularly devious is its persistence. It creates web shells, manipulates the appliance's integrity checks, copies the web shell onto the running boot disk, and tampers with the running coreboot image so it comes back after a reboot. It's like a digital cockroach – nearly impossible to exterminate. The malware also uses BusyBox to download and execute additional payloads, making it extremely versatile in attack scenarios.
The malware goes as far as tampering with logs through a SPAWNSLOTH variant, liblogblock.so, whose job is to suppress logging of the intruder's activity. Covering tracks is Hacking 101, folks.
The activity has been attributed to China-nexus threat actors (Mandiant tracks the cluster as UNC5337) who've been exploiting the vulnerability since at least December 2024. They're not amateurs. They chain multiple vulnerabilities, move laterally across networks, and use living-off-the-land techniques to avoid detection.
Ivanti responded by releasing patches and pointing customers to its Integrity Checker Tool (ICT), while CISA recommends factory resets using a clean image followed by resets of all credentials, keys and certificates that passed through the appliance. One caveat a practitioner should keep in mind: since RESURGE manipulates integrity checks, an ICT run on a possibly compromised box is not the last word; image the appliance and verify it off-box against a known-clean build. CISA is also urging victims to report incidents to its 24/7 Operations Center.
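Two checks a defender would actually run at this point, as an added example (this is not code from the article, from CISA or from Ivanti): a version triage that decides whether a given Ivanti product build is below the fixed version for CVE-2025-0282, and an off-box comparison of a file manifest against a clean image, which is how you catch an unexpected shared object such as liblogblock.so or a modified file when the appliance's own integrity checker can't be trusted. Assumptions: Ivanti's version strings follow the `MAJOR.MINOR R RELEASE.PATCH` shape seen in the advisory (e.g. `22.7R2.5`), the fixed versions are the ones Ivanti published, and the file paths and contents below are constructed sample data, not real appliance files.

```python
import hashlib
import re

# Fixed versions from Ivanti's CVE-2025-0282 advisory. Assumption: anything
# that parses lower than these is unpatched; later trains compare as newer.
FIXED_VERSIONS = {
    "connect_secure": "22.7R2.5",
    "policy_secure": "22.7R1.2",
    "zta_gateway": "22.7R2.3",
}

# Assumed version shape: 22.7R2.5 -> major 22, minor 7, release 2, patch 5.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn an Ivanti-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the build is older than the fixed version for that product."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def build_manifest(files: dict) -> dict:
    """Map path -> sha256 for a {path: bytes} tree. In a real investigation
    the observed side is computed from a forensic image of the appliance,
    never by asking the possibly-compromised box to hash itself."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_manifests(baseline: dict, observed: dict) -> dict:
    """Report files that appeared, disappeared or changed relative to a clean image."""
    added = sorted(p for p in observed if p not in baseline)
    removed = sorted(p for p in baseline if p not in observed)
    modified = sorted(p for p in baseline if p in observed and baseline[p] != observed[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed sample trees (paths and contents are illustrative, not real Ivanti files).
CLEAN_IMAGE = {
    "/home/bin/web": b"clean web binary (constructed)",
    "/home/lib/libdsplibs.so": b"clean shared object (constructed)",
    "/home/perl/DSLogConfig.pm": b"clean perl module (constructed)",
}
SUSPECT_IMAGE = {
    "/home/bin/web": b"clean web binary (constructed)",
    "/home/lib/libdsplibs.so": b"clean shared object (constructed)",
    "/home/perl/DSLogConfig.pm": b"clean perl module (constructed) plus attacker edit",
    "/home/lib/liblogblock.so": b"unexpected log-blocking library (constructed)",
}


def triage_image() -> dict:
    """Compare the constructed suspect tree against the constructed clean tree."""
    return diff_manifests(build_manifest(CLEAN_IMAGE), build_manifest(SUSPECT_IMAGE))


if __name__ == "__main__":
    for product, version in [("connect_secure", "22.7R2.4"), ("connect_secure", "22.7R2.5"),
                             ("policy_secure", "22.7R1.1"), ("zta_gateway", "22.7R2.3")]:
        state = "VULNERABLE" if is_vulnerable(product, version) else "patched"
        print(f"{product} {version}: {state}")
    for kind, paths in triage_image().items():
        print(f"{kind}: {paths}")
```

The version check deliberately refuses to guess on strings it does not recognise, which is the behaviour you want in an inventory script: an unparseable version is a finding to investigate, not something to silently treat as patched. The manifest diff is format-agnostic; feed it the output of a hash run over a mounted forensic image and a vendor-clean image of the same build and anything in `added` or `modified` is a lead.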
The takeaway? Update your Ivanti products. Now. Not tomorrow, not next week. Because while you’re scheduling that maintenance window, hackers are already scheduling their next data exfiltration.