CISA reveals new malware variant used on compromised Ivanti Connect Secure devices
CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
The updated mitigation instructions stress the importance of conducting a factory reset of all devices – even those where threat hunting did not reveal evidence of compromise – as well as a factory reset of cloud and virtual systems using an external known clean image of the device.
“CISA updated these mitigations based on identification of a new malware variant called RESURGE that could undermine the effectiveness of the mitigations previously provided,” the US Cybersecurity and Infrastructure Security Agency noted.
Attackers leveraging CVE-2025-0282 as a zero-day
News that attackers have leveraged a zero-day vulnerability (CVE-2025-0282) to breach Ivanti Connect Secure devices broke in early January 2025, when the company patched that and another (not actively exploited) vulnerability and confirmed that a limited number of customers were affected.
Mandiant researchers followed up with more details: the attacks had been undertaken by suspected China-nexus espionage actor(s), who used known and previously unobserved malware to infect and compromise the targeted devices, as well as to ensure persistence on them by modifying components, blocking legitimate system upgrades and simulating fake ones, rewriting executables, circumventing the appliance’s internal Integrity Checker Tool (ICT), etc.
Microsoft’s threat analysts subsequently also tied some of the attacks to the Chinese espionage group Silk Typhoon.
New malware variant tailored for Ivanti Connect Secure devices
“RESURGE contains capabilities of the [previously analyzed] SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior,” CISA revealed on Friday.
“These commands create a web shell, manipulate integrity checks, and modify files; enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions, and copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.”
The RESURGE samples also included a new variant of SPAWNSLOTH (a log tampering utility) and a custom embedded binary containing an open-source shell script and some BusyBox applets.
“The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image. BusyBox enables threat actors to perform various functions such as download and execute payloads on compromised devices,” the agency explained.
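To make the kernel-extraction step concrete for analysts who need to inspect a suspect appliance image, here is an added example (not CISA's code and not the script found in the RESURGE sample) that does in Python what the Linux tree's `extract-vmlinux` script does: scan a compressed kernel image for a compression magic, try to decompress at each candidate offset, and keep the first result that is an ELF file. Only gzip is handled; the sample image is constructed inline and stands in for a real boot image.

```python
import gzip
import zlib
from typing import Iterator, Optional

ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b\x08"


def find_candidates(image: bytes, magic: bytes = GZIP_MAGIC) -> Iterator[int]:
    """Yield every offset at which a gzip stream header could start."""
    pos = image.find(magic)
    while pos != -1:
        yield pos
        pos = image.find(magic, pos + 1)


def try_gunzip(blob: bytes) -> Optional[bytes]:
    """Inflate one gzip member; return None if the bytes are not a valid stream."""
    # wbits=47 (32+15) auto-detects gzip/zlib framing, and a decompressobj
    # tolerates the trailing bytes that follow the stream in a real image.
    d = zlib.decompressobj(wbits=47)
    try:
        return d.decompress(blob) + d.flush()
    except zlib.error:
        return None


def extract_vmlinux(image: bytes) -> Optional[bytes]:
    """Return the embedded uncompressed kernel (an ELF file), or None."""
    for off in find_candidates(image):
        out = try_gunzip(image[off:])
        if out and out.startswith(ELF_MAGIC):
            return out
    return None


def fake_vmlinux() -> bytes:
    # Constructed stand-in for the uncompressed kernel: ELF header bytes plus filler.
    return ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"fake kernel text " * 8


def build_sample_image() -> bytes:
    # Constructed compressed image: boot stub bytes, a decoy gzip magic with an
    # invalid header, the real gzip-wrapped kernel, then trailing data.
    return (b"BOOTSTUB" * 4 + GZIP_MAGIC + b"junk"
            + gzip.compress(fake_vmlinux()) + b"TRAILER" * 3)
```

The decoy magic shows why the scan must try every candidate rather than stop at the first match.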