The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a detailed analysis of an advanced piece of malware deployed against Ivanti VPN appliances. The malware, dubbed "Resurge," is attributed to a Chinese nation-state hacking group and is being used in attacks that exploit a vulnerability in Ivanti Connect Secure appliances.
The attacks exploit CVE-2025-0282, a critical stack-based buffer overflow that Ivanti patched in January 2025 after evidence emerged that suspected nation-state attackers had already been using it as a zero-day. According to CISA, Resurge is notably sophisticated: it combines rootkit, dropper, backdoor, bootkit, proxy and tunneler capabilities in one implant. It copies a web shell onto the Ivanti boot disk, which lets the attackers manipulate files on the appliance and bypass its integrity checks.
CISA describes Resurge as an upgrade of an earlier variant, Spawnchimera, which belongs to the Spawn family of custom malware. The Spawn family has been linked to attacks on Ivanti VPN appliances by a group tracked as UNC5325, a suspected Chinese espionage actor. The Resurge sample CISA analyzed, a shared library named "libdsupgrade.so," carries Spawnchimera's capabilities with additions of its own.
Alongside Resurge, the attackers deployed a variant of Spawnsloth, a log-tampering utility, together with a custom embedded file that bundles an open-source shell script with a subset of BusyBox applets, giving them a way to download and execute further payloads on the appliance. Microsoft has attributed the zero-day activity against CVE-2025-0282 to a Chinese threat actor it tracks as Silk Typhoon, which has previously been linked to intrusions into U.S. government systems.
Chinese nation-state hackers have a track record of aggressively exploiting newly disclosed vulnerabilities before patches can be applied, often targeting a flaw on the same day it is made public. The Dutch National Cyber Security Center highlighted this trend in February 2024, stressing the need for proactive defenses against such actors.
Researchers have noted similarities between Resurge and Spawnchimera, particularly in how both create SSH tunnels for command and control. Both survive reboots, and both are tied to the same bug: CVE-2025-0282 is a stack-based buffer overflow in a strncpy call whose length argument was not properly bounded, so a crafted request could write past the fixed-size buffer and achieve remote code execution. Earlier this year a security firm published an analysis showing that Ivanti's code did not constrain that copy. Rather than leave the hole open for rival intruders, the attackers patched it in memory on appliances they had compromised, modifying the strncpy call so that it copies at most 256 bytes. That in-memory hotfix closes the overflow for anyone else while leaving the implant in place; for a defender, finding it is an indicator of compromise, not a sign the appliance is safe.
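The strncpy pattern described above, shown as an added illustration rather than anything from Ivanti, CISA or the malware itself. The message layout, the 256-byte buffer, the canary field and all names are assumptions for the example: an unbounded copy whose length comes from the client, the proper fix that validates the length against the destination, and a model of the attackers' hotfix that merely clamps the copy at the call site.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this illustration: a 256-byte stack buffer receives a
 * length-prefixed field from the client. Nothing here is Ivanti's code;
 * it models the pattern described in the article. */
#define FIELD_MAX 256
#define CANARY 0xDEADBEEFu

struct field {              /* one length-prefixed field from a client message */
    uint16_t claimed_len;   /* attacker-controlled */
    const char *data;
};

struct target {
    char buf[FIELD_MAX];
    uint32_t canary;        /* stands in for whatever follows the buffer on the stack */
};

/* Vulnerable pattern: strncpy's bound comes from the untrusted length field,
 * so any claimed_len above FIELD_MAX writes past buf. Only main() calls this. */
static void copy_vulnerable(struct target *t, const struct field *f)
{
    strncpy(t->buf, f->data, f->claimed_len);
}

/* Proper fix: validate the length against the destination before copying.
 * Returns 0 on success, -1 if the field does not fit. */
static int copy_fixed(struct target *t, const struct field *f)
{
    if ((size_t)f->claimed_len >= sizeof t->buf)
        return -1;
    memcpy(t->buf, f->data, f->claimed_len);
    t->buf[f->claimed_len] = '\0';
    return 0;
}

/* Model of the attackers' in-memory hotfix: clamp n to 256 at the strncpy
 * call. It stops the overflow but silently truncates, leaves no terminator
 * when n == FIELD_MAX, and protects only the process it was patched into.
 * Returns the number of bytes actually copied. */
static size_t hooked_strncpy(char *dst, const char *src, size_t n)
{
    if (n > FIELD_MAX)
        n = FIELD_MAX;
    strncpy(dst, src, n);
    return n;
}

/* Runs the two safe paths against an oversized field (constructed sample:
 * 260 bytes of 'A') and reports whether the canary survived.
 * Returns 1 if both behaved as intended, 0 otherwise. */
static int check_hardened_paths(void)
{
    struct target t;
    char big[300];
    struct field evil = { 260, big };
    struct field ok = { 5, "hello" };
    size_t copied;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memset(t.buf, 0, sizeof t.buf);
    t.canary = CANARY;

    if (copy_fixed(&t, &evil) != -1)        return 0;   /* must be rejected */
    if (copy_fixed(&t, &ok) != 0)           return 0;
    if (strcmp(t.buf, "hello") != 0)        return 0;
    copied = hooked_strncpy(t.buf, big, evil.claimed_len);
    if (copied != FIELD_MAX)                return 0;   /* clamped, not 260 */
    return t.canary == CANARY;
}

int main(void)
{
    struct target t;
    char big[300];
    struct field evil = { 260, big };   /* 260 bytes: exactly buf plus the canary */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memset(t.buf, 0, sizeof t.buf);
    t.canary = CANARY;

    /* The unbounded copy. Build with -O0 (or -U_FORTIFY_SOURCE) to watch the
     * canary get overwritten with 'A's; a fortified build aborts inside
     * __strncpy_chk instead, which is the same bug caught later. */
    copy_vulnerable(&t, &evil);
    printf("vulnerable copy: canary %s (0x%08x)\n",
           t.canary == CANARY ? "intact" : "clobbered", t.canary);

    printf("hardened paths ok: %d\n", check_hardened_paths());
    return 0;
}
```

The point of putting the clamp beside the real fix is the difference in what each protects: `copy_fixed` rejects bad input at the boundary and is part of the program, whereas `hooked_strncpy` is a patch applied after the fact to one running process, which is exactly why a hotfixed appliance is still a compromised one.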
Overall, the anatomy of Resurge shows how far state-sponsored espionage actors will go to keep a foothold on edge devices: the implant lives on the boot disk, survives reboots, and even patches the bug it came in through. Applying the CVE-2025-0282 fix is necessary but not sufficient for an appliance that was exposed before the patch; CISA's guidance for such devices is to factory reset them with a clean image and reset credentials, rather than trust a device whose boot disk may have been altered below the level its own integrity checks can see. Organizations should apply security patches promptly, monitor these appliances closely, and plan for rebuild rather than cleanup when an edge device has been compromised.