A sophisticated new malware called RESURGE has been discovered targeting Ivanti Connect Secure (ICS) devices through a recently patched security vulnerability, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
RESURGE builds upon capabilities of earlier SPAWNCHIMERA malware but introduces new dangerous features including rootkit, dropper, backdoor, bootkit, proxy and tunneling functions. The malware exploits CVE-2025-0282, a critical buffer overflow vulnerability affecting multiple Ivanti security products.
The malware can survive system reboots and contains three major new capabilities:
- Ability to insert itself into system files, deploy web shells, and manipulate integrity checks
- Functionality to harvest credentials, create accounts, reset passwords and escalate privileges
- Capability to copy malicious code to boot disk and modify core system images
CISA researchers also discovered related malware components including a SPAWNSLOTH variant that tampers with device logs and a custom Linux binary containing shell scripts for compromising kernel images.
The exploitation has been linked to Chinese cyber espionage group UNC5337, which previously deployed the SPAWN malware family. Another China-based group, Silk Typhoon, has also targeted the same vulnerability.
Security experts recommend organizations immediately patch affected Ivanti devices, reset all privileged and non-privileged account credentials, review access policies, and monitor for suspicious account activity.
Affected products include:
- Ivanti Connect Secure versions before 22.7R2.5
- Ivanti Policy Secure versions before 22.7R1.2
- Ivanti Neurons for ZTA gateways before 22.7R2.3
The discovery of RESURGE demonstrates how threat actors continue evolving their tools and techniques, highlighting the need for organizations to maintain strong security practices and promptly apply available patches.