The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory alerting the public to a new malware variant discovered in attacks targeting an Ivanti vulnerability. According to the advisory, CISA was able to recover three files from a critical infrastructure environment’s Ivanti Connect Secure device after threat actors exploited the Ivanti vulnerability known as CVE-2025-0282 to gain initial access.
One of the recovered files contained a new malware variant that has been named RESURGE by CISA. This malware variant is similar to another known variant called SPAWNCHIMERA, as it also creates a Secure Shell (SSH) tunnel for command and control activities. However, RESURGE comes with additional capabilities that set it apart from its predecessor.
RESURGE malware is capable of modifying files, manipulating integrity checks, and creating a web shell that is copied to the running Ivanti boot disk. The malicious file ‘libdsupgrade.so’ identified by CISA is a 32-bit Linux shared object file that contains a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. Another file, ‘liblogblock.so,’ found within the RESURGE sample, is a variant of the SPAWNSLOTH log tampering utility.
Furthermore, CISA discovered a third file named ‘dsmain,’ a custom embedded binary containing an open-source shell script and applets from BusyBox. These tools allow threat actors to extract kernel images and execute various functions on compromised devices. CISA also provided file hashes and YARA detection rules for identifying the RESURGE malware.
In response to the discovery of this new malware variant, CISA has recommended several controls to enhance cybersecurity measures. These include disabling file and printer sharing services, restricting user permissions for software installations, being cautious with email attachments, enabling personal firewalls, disabling unnecessary services, scanning for suspicious attachments, and staying informed about the latest threats.
It is imperative for organizations and individuals to heed the advice provided by CISA and take proactive steps to protect themselves against cyber threats. By implementing these recommended controls and staying vigilant, the risk of falling victim to malware attacks like RESURGE can be significantly reduced. Cybersecurity remains a critical concern in today’s digital landscape, and it is essential for everyone to prioritize security measures to safeguard sensitive information and infrastructure.