‘Resurge’ malware can remain undetected on devices


The Cybersecurity and Infrastructure Security Agency on Thursday warned that a malware variant previously used in attacks against Ivanti Connect Secure environments may remain undetected on systems. 

In March 2025, CISA issued an alert about the malware, dubbed Resurge, in connection with exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability in certain versions of Ivanti Connect Secure and other Ivanti products. 

The agency has since analyzed three samples from a critical infrastructure provider’s Ivanti Connect Secure device after hackers exploited the flaw to gain initial access. The analysis shows that Resurge can remain latent on a device until a remote hacker attempts to contact the device. 

As a result, CISA is urging security teams to check for possible compromise, amid concerns that the malware may have gone undetected on a larger scale.

Mandiant researchers in January 2025 identified a China-nexus threat actor exploiting CVE-2025-0282. That group was tracked as UNC5337. Researchers suspect the group had links to UNC5221, which was associated with exploitation of Ivanti vulnerabilities in 2024.

The first of the three files, which is called Resurge, has functions similar to a malware called Spawnchimera, according to CISA, including creating a Secure Shell tunnel for command-and-control purposes. The 2025 analysis showed that Resurge includes commands that enable file modification, integrity check manipulation and creation of web shells that are copied to an Ivanti boot disk, according to the CISA advisory.

The second file is a variant of Spawnsloth, which tampers with Ivanti device logs. The third file is a binary that contains a shell script and a subset of applets from an open-source tool called BusyBox. Attackers can use the tool to download and execute payloads on a compromised device, according to CISA.
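Because Resurge can manipulate the device's own integrity check and drop or modify files, a check that trusts the device's tooling can be defeated by the implant it is looking for. The following is an added example, not code from the page, from CISA or from the malware itself: it builds a SHA-256 manifest of a known-good file tree and diffs it against the tree observed on a suspect device, reporting added, removed and modified files. It is meant to be run from a separate trusted host against a copy of the device file system. Every path and file name in it is constructed for the demo and is not an Ivanti path.

```python
"""Out-of-band file-integrity comparison (added example; not CISA's
integrity checker, not Ivanti code, not the malware's own code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its hash.
    Symlinks are skipped so a link cannot masquerade as a file."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: Dict[str, str],
                      observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a trusted baseline manifest against one taken from a suspect copy.
    'modified' covers files whose content changed; 'added' flags dropped files
    such as web shells; 'removed' flags deleted components."""
    base_keys, obs_keys = set(baseline), set(observed)
    return {
        "added": sorted(obs_keys - base_keys),
        "removed": sorted(base_keys - obs_keys),
        "modified": sorted(k for k in base_keys & obs_keys
                           if baseline[k] != observed[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (hypothetical paths): a known-good tree and a
    suspect copy in which the integrity-check script was altered and an
    extra CGI file was dropped into the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        base, cur = Path(tmp, "baseline"), Path(tmp, "current")
        for root in (base, cur):
            (root / "bin").mkdir(parents=True)
            (root / "htdocs").mkdir(parents=True)
            (root / "bin/integrity_check").write_text("#!/bin/sh\nexit 0\n")
            (root / "htdocs/index.html").write_text("<html></html>\n")
        # Tampering on the suspect copy only.
        (cur / "bin/integrity_check").write_text("#!/bin/sh\n# patched\nexit 0\n")
        (cur / "htdocs/cmd.cgi").write_text("#!/bin/sh\n")
        return compare_manifests(build_manifest(base), build_manifest(cur))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline manifest has to come from media the attacker never touched (a vendor image or a hash list captured before exposure), and the comparison has to run on a host other than the suspect device; a manifest generated on the device after compromise would simply bless the tampered files.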
