DEV Community

DeepSeaX

RESURGE Malware: CISA Warns It May Be Dormant on Your Ivanti Devices Right Now (CVE-2025-0282)

CISA just updated its malware analysis report on RESURGE — and the finding is alarming: this implant can remain dormant and undetected on Ivanti Connect Secure devices, silently waiting for its operators to reconnect.

If your organization runs Ivanti Connect Secure, Policy Secure, or ZTA Gateways, this is a must-read.


What Is RESURGE?

RESURGE is a Linux implant that combines the capabilities of a rootkit, backdoor, bootkit, dropper, proxy, and tunneler in a single shared library (libdsupgrade.so). It was recovered from a critical infrastructure entity's Ivanti Connect Secure device after exploitation of CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways that allows unauthenticated remote code execution.

RESURGE is the evolution of the SPAWNCHIMERA malware family, which itself consolidated four earlier tools: SPAWNANT, SPAWNMOLE, SPAWNSNAIL, and SPAWNSLOTH. RESURGE adds three entirely new command sets that its predecessors lacked.

Attribution: CISA's malware analysis report does not attribute the activity. Vendor reporting ties the SPAWN family to UNC5337 (a China-nexus espionage cluster tracked by Mandiant) and exploitation of CVE-2025-0282 to Silk Typhoon (Microsoft's name for the group formerly tracked as Hafnium).


Why RESURGE Is Dangerous: The Dormancy Problem

CISA's updated analysis (February 26, 2026) reveals the critical finding: RESURGE uses a passive C2 model. Instead of beaconing out to a server (which network monitoring would catch), it:

  1. Hooks the accept() function in Ivanti's web process
  2. Inspects every incoming TLS connection
  3. Computes a CRC32 fingerprint of the TLS ClientHello random field
  4. If the fingerprint matches → routes to malicious handler
  5. If not → forwards to legitimate Ivanti server transparently

This means RESURGE generates no outbound C2 traffic of its own. It sits dormant until an operator connects to the device's normal HTTPS port with a specially crafted TLS handshake. Beacon-oriented network monitoring sees nothing; the only on-the-wire artifacts are a ClientHello whose random field satisfies the CRC32 check (ClientHello is cleartext even in TLS 1.3, so a passive sensor can see it) and a ServerHello carrying a certificate the real appliance never presents.


Technical Deep-Dive

The TLS Authentication Trick

RESURGE's operator authentication is remarkably sophisticated:

  1. ClientHello fingerprint: CRC32 of the final 28 bytes of the 32-byte random field, byte-swapped and compared against the first 4 bytes (the position a TLS 1.2 client would normally fill with gmt_unix_time)
  2. ServerHello spoofing: Responds with a forged Ivanti certificate (CN: va1.Ivanti.net, issued Jul 15 2024)
  3. Mutual TLS: Establishes encrypted channel using P-521 ECC with hardcoded keys
  4. SSH tunnel: Embeds a statically-linked libssh server for interactive access

All of this happens over the device's legitimate HTTPS port — no extra ports, no suspicious connections.
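The ClientHello check described in the dormancy section and in step 1 above is simple enough to reproduce as a passive detector. The following is an added example written for this post, not code from CISA's report or from the implant: it parses the random field out of a raw TLS ClientHello record, applies the CRC32-over-last-28-bytes comparison, and flags records that satisfy it. Because "byte-swapped" could mean either byte order, both orders are tested and the matching one is reported. The helpers `matching_random` and `build_client_hello` are constructed test vectors for validating the detector, not captured traffic; the record layout assumes a single, unfragmented TLS 1.2-style ClientHello, which is what a sensor reading the first client record of a connection would see.

```python
import os
import struct
import zlib

# Offsets into a TLS record carrying a ClientHello:
#   5 bytes record header, 4 bytes handshake header, 2 bytes client_version,
#   then the 32-byte random (4 bytes "gmt_unix_time" + 28 bytes random_bytes).
RANDOM_OFFSET = 5 + 4 + 2
RANDOM_LEN = 32


def extract_client_random(record: bytes):
    """Return the 32-byte random from a TLS ClientHello record, or None if the
    bytes are not a handshake record that starts with a ClientHello."""
    if len(record) < RANDOM_OFFSET + RANDOM_LEN:
        return None
    if record[0] != 0x16:        # content_type: handshake
        return None
    if record[5] != 0x01:        # handshake type: client_hello
        return None
    return record[RANDOM_OFFSET:RANDOM_OFFSET + RANDOM_LEN]


def resurge_fingerprint(random32: bytes):
    """The check the post describes: CRC32 over the last 28 bytes of the random,
    compared against the first 4 bytes. Both byte orders are tried because the
    post only says "byte-swapped". Returns "le", "be", or None."""
    crc = zlib.crc32(random32[4:]) & 0xFFFFFFFF
    head = random32[:4]
    if head == struct.pack("<I", crc):
        return "le"
    if head == struct.pack(">I", crc):
        return "be"
    return None


def scan_records(records):
    """Run the check over raw TLS records; return (index, byte_order, random_hex)
    for every ClientHello that would be routed to the implant's handler."""
    hits = []
    for i, rec in enumerate(records):
        rnd = extract_client_random(rec)
        if rnd is None:
            continue
        order = resurge_fingerprint(rnd)
        if order is not None:
            hits.append((i, order, rnd.hex()))
    return hits


# --- constructed test vectors (not captured traffic) ------------------------

def matching_random(order: str = "<") -> bytes:
    """Build a random whose first 4 bytes satisfy the check, for exercising the
    detector. order is "<" (little-endian CRC) or ">" (big-endian CRC)."""
    tail = os.urandom(28)
    crc = zlib.crc32(tail) & 0xFFFFFFFF
    return struct.pack(order + "I", crc) + tail


def flip_first_byte(random32: bytes) -> bytes:
    """Corrupt the stored CRC so the same tail no longer matches in any order."""
    return bytes([random32[0] ^ 0xFF]) + random32[1:]


def build_client_hello(random32: bytes) -> bytes:
    """Wrap a 32-byte random in a minimal, well-formed TLS 1.2 ClientHello record
    (one cipher suite, no extensions)."""
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + random32
        + b"\x00"                   # session_id length: 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"               # compression_methods: null
        + b"\x00\x00"               # extensions length: 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    sample = [
        build_client_hello(matching_random("<")),                    # operator-style hello
        build_client_hello(flip_first_byte(matching_random("<"))),   # ordinary client
        b"\x17\x03\x03\x00\x05hello",                                # application data, skipped
    ]
    for hit in scan_records(sample):
        print("RESURGE-style ClientHello at record %d (%s-order CRC): %s" % hit)
```

A chance match from a legitimate client has probability about 2^-31 per ClientHello (two byte orders), so a hit on a production sensor is worth a ticket on its own; TLS 1.2 clients that still put a timestamp in the first four bytes will essentially never match. To run this against real traffic, feed the first client-to-server TLS record of each connection to the appliance's HTTPS port into `scan_records`.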

Three Command Sets

Command Set 1 — System Persistence:

  • Injects into ld.so.preload for automatic loading
  • Generates RSA-2048 keys for SSH access
  • Deploys web shell at compcheckresult.cgi
  • Modifies system manifests with valid SHA-256 checksums
  • Disables integrity verification in check_integrity.sh

Command Set 2 — Bootkit (Persists Through Reboots and Upgrades):

  • Extracts vmlinux from kernel images
  • Decrypts and decompresses the coreboot RAM disk
  • Injects malware into boot initialization
  • Re-encrypts the modified filesystem
  • Persists across reboots and system updates

Command Set 3 — Scanner Evasion:

  • Patches scanner.py and scanner_legacy.py
  • Replaces mismatch detection counters with pass statements
  • Disables Ivanti's built-in integrity checking

Associated Malware

Component File Purpose
RESURGE libdsupgrade.so (1.4MB) Main implant — rootkit + backdoor + bootkit
SPAWNSLOTH liblogblock.so (95KB) Log tampering — hooks dslogserver
BusyBox binary dsmain (5.1MB) Utility — kernel extraction, AES crypto, shell

Indicators of Compromise

File Hashes (SHA-256)

Hash File Description
52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda libdsupgrade.so RESURGE backdoor
3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104 liblogblock.so SPAWNSLOTH log tamper
b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d dsmain BusyBox utility

File System Indicators

/home/runtime/tmp/.logsrv          # RESURGE IPC socket
/tmp/.liblogblock.so               # SPAWNSLOTH staging
/tmp/data/                         # Temporary workspace
Modified: /etc/ld.so.preload       # Library injection
Modified: scanner.py               # Integrity check disabled
Modified: check_integrity.sh       # Verification bypass
Web shell: compcheckresult.cgi     # Remote access

Network Indicators

  • Forged TLS certificate with CN: va1.Ivanti.net
  • P-521 ECC certificate exchanges on HTTPS port
  • CRC32-based TLS ClientHello fingerprinting

MITRE ATT&CK Mapping

Technique ID Usage
Exploit Public-Facing Application T1190 CVE-2025-0282 exploitation for initial access
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 libdsupgrade.so inserted into /etc/ld.so.preload
Server Software Component: Web Shell T1505.003 compcheckresult.cgi
Pre-OS Boot: Bootkit T1542.003 Modified coreboot RAM disk
Modify System Image: Patch System Image T1601.001 Manifests rewritten with valid SHA-256 checksums
Impair Defenses: Disable or Modify Tools T1562.001 Patched scanner.py, scanner_legacy.py, check_integrity.sh
Traffic Signaling T1205 CRC32 ClientHello fingerprint selects the malicious handler
Remote Services: SSH T1021.004 Embedded libssh server
Indicator Removal: Clear Linux or Mac System Logs T1070.002 SPAWNSLOTH log tampering via dslogserver hook
Proxy: Internal Proxy T1090.001 Traffic proxying via the .logsrv socket
Deobfuscate/Decode Files or Information T1140 AES decryption of the coreboot RAM disk

Detection & Hunting

YARA Rules (CISA-provided)

  • CISA_25993211_01 — RESURGE detection
  • CISA_25993211_02 — SPAWNSLOTH detection
  • CISA_25239228_04 — SPAWNSNAIL detection

Sigma Rule — RESURGE Persistence

title: RESURGE Ivanti Implant - ld.so.preload Injection
status: experimental
logsource:
    category: file_event
    product: linux
detection:
    selection:
        TargetFilename:
            - '/etc/ld.so.preload'
            - '/home/runtime/tmp/.logsrv'
    selection_web_shell:
        TargetFilename|endswith: 'compcheckresult.cgi'
    condition: selection or selection_web_shell
level: critical
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1574.006
    - attack.t1505.003

Network Detection

title: RESURGE Forged Ivanti TLS Certificate
status: experimental
logsource:
    category: proxy
detection:
    selection:
        tls.server.subject.cn: 'va1.Ivanti.net'
        tls.server.not_before: '2024-07-15*'
    condition: selection
level: critical
tags:
    - attack.command_and_control
    - attack.t1205

Remediation Steps

  1. Immediately scan all Ivanti Connect Secure devices for the IOCs listed above, using the external Integrity Checker Tool and, where possible, a forensic image rather than a shell on the live box (RESURGE is a rootkit and can hide its own files from a live inspection)
  2. Check for the .logsrv socket and for any non-comment entry in /etc/ld.so.preload
  3. Verify that scanner.py, scanner_legacy.py and check_integrity.sh match the copies in a known-clean image of the same build
  4. Do NOT rely on a factory reset alone: the bootkit lives in the coreboot image. CISA's guidance is a factory reset, and for virtual and cloud appliances a reset from an external known-clean image, followed by a rebuild to a patched version
  5. Restore from known-clean firmware images
  6. Reset ALL credentials (domain and local accounts)
  7. Rotate certificates and access keys
  8. Monitor for forged va1.Ivanti.net TLS certificates

Affected versions: Ivanti Connect Secure < 22.7R2.5, Policy Secure < 22.7R1.2, Neurons for ZTA < 22.7R2.3
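Steps 1 to 3 above amount to a file-system sweep, and the IOC tables earlier in the post give everything needed to script one. The following is an added example written for this post (not CISA's or Ivanti's tooling): it walks an extracted or mounted appliance filesystem, matches every file against the SHA-256 IOC table, reports the web shell name, the listed artifact paths and any library forced in through /etc/ld.so.preload, and compares scanner.py, scanner_legacy.py and check_integrity.sh against baseline hashes the operator supplies from a known-clean image. The baseline values and the directory layout in `build_sample_root` are hypothetical fixtures, not real appliance paths or hashes. Run it against an image, not the live device: a rootkit that hooks file listing on the running box will simply not show you these files.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values from the post's IOC table.
IOC_HASHES = {
    "52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda": "RESURGE libdsupgrade.so",
    "3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104": "SPAWNSLOTH liblogblock.so",
    "b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d": "BusyBox dsmain",
}

# Paths from the post's file system indicators, relative to the appliance root.
IOC_PATHS = ["home/runtime/tmp/.logsrv", "tmp/.liblogblock.so", "tmp/data"]
WEB_SHELL = "compcheckresult.cgi"

# Files the implant patches. Their clean hashes are not in the post; take them
# from a known-clean image of the same build and pass them as `baseline`.
TAMPER_TARGETS = ("scanner.py", "scanner_legacy.py", "check_integrity.sh")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_root(root, baseline=None):
    """Sweep an extracted/mounted appliance filesystem. Returns a list of
    (kind, path, detail). `baseline` maps a TAMPER_TARGETS file name to its
    known-good SHA-256; names not in it are not checked."""
    root = Path(root)
    baseline = baseline or {}
    findings = []
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        rel = str(p.relative_to(root))
        digest = sha256_file(p)
        if digest in IOC_HASHES:
            findings.append(("hash", rel, IOC_HASHES[digest]))
        if p.name == WEB_SHELL:
            findings.append(("webshell", rel, "web shell name from the IOC list"))
        if p.name in TAMPER_TARGETS and p.name in baseline and digest != baseline[p.name]:
            findings.append(("tampered", rel, "differs from known-clean baseline"))
    for rel in IOC_PATHS:
        if (root / rel).exists():          # exists() also sees the IPC socket
            findings.append(("artifact", rel, "listed RESURGE/SPAWNSLOTH artifact present"))
    preload = root / "etc/ld.so.preload"
    if preload.is_file():
        for line in preload.read_text(errors="replace").splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                findings.append(("preload", line, "library forced into every process"))
    return findings


def build_sample_root(root):
    """Constructed fixture, not a real appliance image: the artifacts the post
    describes, placed under hypothetical directories."""
    root = Path(root)
    (root / "etc").mkdir(parents=True)
    (root / "etc/ld.so.preload").write_text("/home/runtime/lib/libdsupgrade.so\n")
    (root / "home/runtime/tmp").mkdir(parents=True)
    (root / "home/runtime/tmp/.logsrv").write_bytes(b"")
    (root / "home/webserver").mkdir(parents=True)
    (root / "home/webserver" / WEB_SHELL).write_text("#!/bin/sh\n")
    (root / "home/bin").mkdir(parents=True)
    (root / "home/bin/scanner.py").write_text("# patched: mismatch counters replaced\n")
    return root


def demo():
    """Build the fixture in a temp dir and sweep it with a hypothetical baseline."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_root(d)
        baseline = {"scanner.py": hashlib.sha256(b"# clean copy\n").hexdigest()}
        return scan_root(d, baseline)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"[{kind}] {path}: {detail}")
```

The hash match is the only check that identifies a specific sample; the others (web shell name, artifact paths, preload entries, baseline mismatch) are behavioural and will also catch a recompiled implant. Treat any non-comment line in /etc/ld.so.preload on an appliance as a finding until it is explained by a clean image of the same release.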


Running Ivanti VPN appliances? Find out if you're exposed with a free penetration test — currently in open beta.

