CISA on Friday issued a Malware Analysis Report on “a new malware variant CISA has identified as RESURGE.” And guess what it's targeting. Of course, an Ivanti ICS flaw.
The US cybersec agency said RESURGE is “associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances”. CVE-2025-0282 was added to CISA’s Known Exploited Vulnerabilities catalog back in January, with exploitation first detected in December. Ivanti has since patched it.
The latest warning came after CISA said it had “analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access.”
One of the files turned out to be the new variant, it said. A second file was a variant of SPAWNSLOTH, which is itself contained within the RESURGE sample. The third file contained an open-source shell script and a subset of applets from BusyBox, the open-source bundle of Unix utilities, which the threat actors put to use on the device.
The new malware shares capabilities with the SPAWNCHIMERA malware seen last month, including the ability to survive reboots, but adds distinctive commands of its own: creating a web shell, manipulating integrity checks and modifying files.
It also enables the use of web shells for credential harvesting and other nasties, and can copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.
CISA shipped mitigation advice, including conducting a factory reset for the “highest level of confidence” and resetting credentials for privileged and non-privileged accounts, and resetting passwords for…pretty much everything.