The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published fresh technical insights into RESURGE, a malicious implant leveraged in zero-day attacks targeting Ivanti Connect Secure appliances through the vulnerability tracked as CVE-2025-0282.
The latest advisory highlights the implant’s ability to remain undetected on affected systems for extended periods. According to CISA, the malware employs advanced network-level evasion and authentication mechanisms that allow attackers to maintain hidden communication channels with compromised devices.
CISA first reported the malware on March 28 last year, noting that it can persist even after system reboots. The implant is capable of creating web shells to harvest credentials, generating new accounts, resetting passwords, and escalating privileges on affected systems.
Security researchers at incident response firm Mandiant revealed that the critical CVE-2025-0282 flaw had been actively exploited as a zero-day vulnerability since mid-December 2024. The campaign has been linked to a China-associated threat actor identified internally as UNC5221.
Network-level evasion techniques
In the updated bulletin, CISA shared additional technical details about the implant. The malware is a 32-bit Linux shared object file named libdsupgrade.so that was recovered from a compromised Ivanti device.
RESURGE functions as a passive command-and-control (C2) implant with multiple capabilities, including rootkit, bootkit, backdoor, dropper, proxying, and tunneling functions.
Unlike typical malware that regularly sends signals to its command server, RESURGE remains idle until it receives a specific inbound TLS connection from an attacker. This behavior helps it avoid detection by traditional network monitoring systems.
When loaded within the ‘web’ process, the implant intercepts the ‘accept()’ function to inspect incoming TLS packets before they reach the web server. It searches for particular connection patterns originating from remote attackers using a CRC32 TLS fingerprint hashing method.
If the fingerprint does not match the expected pattern, the traffic is redirected to the legitimate Ivanti server. CISA also explained that the attackers rely on a fake Ivanti certificate to confirm that they are interacting with the malware implant rather than the genuine web server.
The agency noted that the forged certificate is used strictly for authentication and verification purposes and does not encrypt communication. However, it also helps attackers evade detection by impersonating the legitimate Ivanti service.
Because the fake certificate is transmitted over the internet without encryption, CISA said defenders can potentially use it as a network signature to identify ongoing compromises.
Once the fingerprint verification and authentication steps are completed, attackers establish encrypted remote access to the implant through a Mutual TLS session secured with elliptic curve cryptography.
"Static analysis indicates the RESURGE implant will request the remote actors' EC key to utilize for encryption, and will also verify it with a hard-coded EC Certificate Authority (CA) key," CISA says.
By disguising its traffic to resemble legitimate TLS or SSH communications, the implant maintains stealth while ensuring long-term persistence on compromised systems.
Additional malicious components
CISA also examined another file, a variant of the SpawnSloth malware named liblogblock.so, which is embedded within the RESURGE implant. Its primary role is to manipulate system logs to conceal malicious activities on infected devices.
A third analyzed component, called dsmain, is a kernel extraction script that incorporates the open-source script extract_vmlinux.sh along with the BusyBox collection of Unix/Linux utilities.
The script enables the malware to decrypt, alter, and re-encrypt coreboot firmware images while modifying filesystem contents to maintain persistence at the boot level.
“CISA’s updated analysis shows that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device,” the agency notes. Because of this, the malicious implant "may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat."
To address the risk, CISA recommends that administrators review the updated indicators of compromise (IoCs) provided in the advisory to identify potential RESURGE infections and remove the malware from affected Ivanti systems.
