RESURGE Malware Alert: CISA Warns of Dormant Threat on Ivanti Devices
US CISA Warns of Sophisticated RESURGE Malware
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a sophisticated malware implant known as RESURGE, which can remain dormant on compromised Ivanti Connect Secure devices.
Background
The malware was first documented by CISA in March 2025 and is believed to have been used since mid-December 2024 in zero-day attacks exploiting the CVE-2025-0282 vulnerability, by a threat actor linked to China.
Malware Capabilities
RESURGE is a 32-bit Linux Shared Object file that operates as a passive command-and-control (C2) implant with rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities.
The malware waits indefinitely for a specific inbound TLS connection rather than beaconing out, which helps it evade network monitoring. When loaded under the web process, it inspects incoming TLS packets for a specific connection attempt from a remote attacker, identified using a CRC32-based TLS fingerprint hashing scheme.
Remote Access Connection
If the fingerprint matches, the malware establishes a secure remote access connection with the threat actor over a mutual TLS session using elliptic-curve (EC) cryptography. The implant requests the remote actor's EC key for encryption and verifies it against a hard-coded EC Certificate Authority (CA) key.
Associated Files
CISA’s analysis also identified two additional files associated with RESURGE: liblogblock.so, a variant of the SpawnSloth malware used for log tampering, and dsmain, a kernel extraction script that embeds open-source tools for decrypting, modifying, and re-encrypting coreboot firmware images.
Warning and Recommendations
The agency warns that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device, making it an active threat. CISA recommends that system administrators use updated indicators of compromise (IoCs) to detect and remove dormant RESURGE infections from Ivanti devices.
Technical Details
- Malware samples (SHA-256):
  - libdsupgrade.so (52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda)
  - liblogblock.so (3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104)
  - dsmain (b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d)
- Vulnerability: CVE-2025-0282
- Exploitation: Zero-day attacks since mid-December 2024
- Threat actor: Linked to China, tracked as UNC5221
- Malware capabilities: Rootkit, bootkit, backdoor, dropper, proxying, tunneling, log tampering, and kernel extraction
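CISA's recommendation is to hunt for dormant infections with the published indicators. The following Python script is an added example, not part of CISA's advisory or any Ivanti tooling: it walks a directory tree, hashes every regular file with SHA-256, and reports any file whose digest matches one of the three sample hashes listed above. The function names (sha256_file, scan_tree, demo) are this example's own, and demo() builds a constructed test tree with a placeholder file so the scan can be exercised offline without a real sample.

```python
import hashlib
import os
import tempfile

# SHA-256 hashes published for the RESURGE sample set (values taken from the advisory summary above).
RESURGE_IOCS = {
    "52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda": "libdsupgrade.so (RESURGE implant)",
    "3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104": "liblogblock.so (SpawnSloth variant, log tampering)",
    "b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d": "dsmain (kernel extraction script)",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, streaming it in chunks so large images don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=RESURGE_IOCS):
    """Walk `root` and return [(path, label)] for every regular file whose SHA-256 is in `iocs`.

    Symlinks are skipped so a planted link cannot redirect the scan, and unreadable
    files are ignored rather than aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                label = iocs.get(sha256_file(path))
            except OSError:
                continue
            if label:
                hits.append((path, label))
    return hits


def demo():
    """Constructed demonstration: a benign file plus a placeholder whose hash is registered as a pseudo-IoC.

    The placeholder is an arbitrary byte string, not malware; its digest is added to a copy of the
    IoC table purely so the scan has something to match. Returns relative paths with '/' separators.
    """
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")

        placeholder = os.path.join(root, "lib", "libdsupgrade.so")
        os.makedirs(os.path.dirname(placeholder))
        with open(placeholder, "wb") as fh:
            fh.write(b"CONSTRUCTED PLACEHOLDER - not a real sample\n")

        iocs = dict(RESURGE_IOCS)
        iocs[sha256_file(placeholder)] = "constructed test sample"  # constructed, not a published IoC

        return [(os.path.relpath(p, root).replace(os.sep, "/"), label) for p, label in scan_tree(root, iocs)]


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"HIT {rel_path}: {label}")
```

Point scan_tree() at a mounted copy of the appliance filesystem rather than running it on a live device whose web process may already be hooked. Hash matching only identifies these exact three samples; a recompiled variant will have a different digest, so treat a clean result as "these IoCs are absent", not as proof the device is uncompromised, and apply the rest of CISA's published indicators alongside it.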
