The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a detailed breakdown of Resurge—a sophisticated malware linked to a zero-day vulnerability in Ivanti Connect Secure VPN appliances that was actively exploited by Chinese hackers.
This vulnerability, tracked as CVE-2025-0282 and rated a high-severity CVSS score of 9.0, involves a stack-based buffer overflow flaw. It allows attackers to execute malicious code remotely without any authentication.
Ivanti Zero-Day Exploit Timeline: A Quick Recap
Ivanti publicly disclosed the flaw on January 8, 2025, issuing critical patches while warning of ongoing exploitation. Just a day later, Mandiant confirmed that the bug had been under active attack since December 2024 by a China-linked espionage group known as UNC5221.
This isn’t the first time UNC5221 has exploited Ivanti vulnerabilities. In this instance, the attackers deployed custom malware tools from the Spawn family, including SpawnAnt, SpawnMole, and SpawnSnail—each with distinct capabilities such as SSH backdoor access and tunneling.
By February 20, Japan’s JPCERT/CC reported that multiple threat actors were leveraging this vulnerability, with some attacks involving a newly identified variant named SpawnChimera. This version bundled updated modules from the earlier malware components and included functionality to patch CVE-2025-0282—indicating a high level of sophistication and evasiveness.
CISA’s Malware Analysis: Meet Resurge
On March 28, CISA published its technical analysis of a malware sample found during an investigation of a compromised Ivanti Connect Secure device. The malware, now labeled Resurge, was deployed as a Linux shared object file named libdsupgrade.so.
CISA notes that Resurge acts as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler—all rolled into one. Although it shares similarities with SpawnChimera, Resurge contains additional features that allow it to modify critical system files, bypass integrity checks, and inject a web shell into the active Ivanti boot disk.
How Resurge Works
Like SpawnChimera, Resurge performs a check to see if it’s running under a specific process—either web or dsmdm. Based on this, it will either:
- Hook the accept and strncpy functions to initiate proxy tunneling, or
- Launch a thread to create a secure shell (SSH) for remote access.
It also issues commands to tamper with coreboot RAM disk settings, modify Python scripts using sed, and achieve persistence by inserting itself into the ld.so.preload file—a known Linux method for preloading shared libraries.
More Malware Discovered: SpawnSloth and BusyBox Script
CISA also identified additional malicious components used in the attack:
- liblogblock.so: A variant of SpawnSloth, this module focuses on altering log files on Ivanti devices, making detection harder for security teams.
- dsmain: A 64-bit Linux executable combining open-source shell scripts with BusyBox applets. It was designed to extract the device’s kernel image and run follow-up payloads.
A Growing Threat Landscape
The discovery of Resurge and related malware variants highlights the evolving tactics of advanced persistent threat (APT) groups. With the ability to patch vulnerabilities, hide in memory, and manipulate logs, these threats are becoming harder to detect and remove.
CISA encourages organizations using Ivanti Connect Secure to apply all patches immediately and monitor for signs of compromise, including suspicious shared libraries, unexpected web shells, and modifications to critical Linux files.
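The ld.so.preload persistence described above and CISA’s advice to watch for suspicious shared libraries point to one concrete check a defender can script. The following is an added example written for this summary, not CISA’s or Ivanti’s tooling: it parses an ld.so.preload file, flags the two file names named in the CISA analysis, and reports any other entry an operator has not vetted. The sample file content and the allowlist are constructed for the demonstration, and the parsing rules assume glibc’s handling of the file (entries separated by whitespace or ':', '#' starting a comment).

```python
"""Audit an ld.so.preload file for unexpected preloaded shared objects.

Added example for this write-up; not CISA or Ivanti tooling.  The parsing
rules assume glibc's handling of /etc/ld.so.preload: entries are separated
by whitespace or ':' and '#' starts a comment that runs to end of line.
"""
from pathlib import Path

# File names taken from the CISA analysis summarised above.
KNOWN_MALICIOUS = frozenset({"libdsupgrade.so", "liblogblock.so"})

# Constructed sample content (not a real capture) used for the demonstration.
SAMPLE_PRELOAD = """\
# constructed sample
/lib/x86_64-linux-gnu/libdsupgrade.so
/usr/lib/libsnoopy.so:/opt/vendor/libhook.so
"""


def parse_preload(text: str) -> list[str]:
    """Return the shared-object paths the loader would preload, in file order."""
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]            # drop a trailing comment
        entries.extend(line.replace(":", " ").split())
    return entries


def audit_preload(text: str, allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Classify each entry as allowed, known_malicious or unknown.

    The allowlist (hypothetical, operator-maintained) holds full paths or bare
    file names that have been vetted, e.g. an EDR agent that legitimately
    preloads a library.  Everything else is worth a look: on most hosts the
    file is empty or absent altogether.
    """
    report: dict[str, list[str]] = {"allowed": [], "known_malicious": [], "unknown": []}
    for entry in parse_preload(text):
        name = Path(entry).name
        if name in KNOWN_MALICIOUS:
            report["known_malicious"].append(entry)
        elif entry in allowlist or name in allowlist:
            report["allowed"].append(entry)
        else:
            report["unknown"].append(entry)
    return report


def audit_file(path: str = "/etc/ld.so.preload", allowlist: frozenset[str] = frozenset()) -> dict:
    """Audit a preload file on disk.

    Also lists entries whose target no longer exists, since a dangling entry
    can be the leftover of a library that was deleted during clean-up.
    """
    p = Path(path)
    if not p.exists():
        return {"present": False}
    text = p.read_text(errors="replace")
    report: dict = audit_preload(text, allowlist)
    report["present"] = True
    report["dangling"] = [e for e in parse_preload(text) if not Path(e).exists()]
    return report


if __name__ == "__main__":
    # Run against the constructed sample, then against the live host file.
    print(audit_preload(SAMPLE_PRELOAD, frozenset({"/usr/lib/libsnoopy.so"})))
    print(audit_file())
```

Run as root on the appliance or host under review; a report in which the file is present at all is already a finding on a system that is not expected to preload anything, and a known_malicious or unknown entry should trigger the incident-response steps CISA recommends rather than a simple deletion.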