The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning detailing a recently discovered malware variant called RESURGE. The malware has been deployed as part of exploitation activities targeting a recently patched security vulnerability (CVE-2025-0282) in Ivanti Connect Secure (ICS) appliances.
According to CISA, RESURGE has capabilities similar to the SPAWNCHIMERA malware variant, albeit with several differences.
RESURGE has the capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. Like the SPAWNCHIMERA variant, the malware is also capable of surviving reboots.
CVE-2025-0282 is a remote code execution flaw affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways. The impacted versions are: Ivanti Connect Secure before version 22.7R2.5; Ivanti Policy Secure before version 22.7R1.2; and Ivanti Neurons for ZTA Gateways before version 22.7R2.3.
According to Google-owned cybersecurity firm Mandiant, CVE-2025-0282 has been weaponized as part of the SPAWN malware ecosystem. This includes multiple components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of these tools has been linked to a Chinese espionage group identified as UNC5337.
Last month, JPCERT/CC observed instances of exploitation of CVE-2025-0282 to deliver a new iteration of the SPAWN malware called ‘SPAWNCHIMERA’. It combines several previously separate modules into a unified malware and adds new features, such as improvements for inter-process communication through UNIX domain sockets. One of the most notable characteristics of SPAWNCHIMERA was its ability to patch CVE-2025-0282, preventing other attackers from exploiting the flaw for their own malicious campaigns.
RESURGE appears to be a more advanced variant, adding support for new commands, including inserting itself into ld.so.preload (a mechanism used for loading shared libraries on Linux systems); setting up a web shell for credential harvesting, account creation, password resets, and privilege escalation; copying the web shell to the Ivanti device's boot disk and manipulating the coreboot image.
CISA also uncovered a variant of SPAWNSLOTH (identified as liblogblock.so), which tampered with Ivanti device logs, and a custom 64-bit Linux ELF binary (named dsmain). The latter contained an open-source shell script along with applets from the tool BusyBox, enabling the extraction of a kernel image from a compromised system.
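The two persistence and evasion details above (RESURGE writing itself into ld.so.preload, and the SPAWNSLOTH variant shipped as liblogblock.so) both come down to an entry in a single loader file, so the defender's check is to audit that file. The following is an added example written for this article, not code from CISA, Ivanti, or the advisory. It assumes the contents of /etc/ld.so.preload have been copied off the appliance or pulled from a forensic image; the allowlist, the watchlist of library names, and the sample file contents are constructed for illustration.

```python
"""Audit the contents of an ld.so.preload file for unexpected preload entries.

Added example, not from the CISA advisory. Assumes the file text has been
exported from the appliance or read from a mounted forensic image.
"""
from pathlib import Path

# Constructed watchlist: library file names the advisory associates with
# this activity. Extend from your own threat intelligence as needed.
WATCHLIST = frozenset({"liblogblock.so"})


def parse_ld_preload(text: str) -> list[str]:
    """Return the shared-object paths listed in ld.so.preload.

    Blank lines and anything after '#' are treated as comments by this
    parser; whitespace and ':' are both treated as separators.
    """
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        entries.extend(line.replace(":", " ").split())
    return entries


def audit_ld_preload(text: str,
                     allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Classify every entry as 'allowed', 'watchlist' (known-bad name)
    or 'unexpected' (anything not explicitly allowed).

    On a healthy appliance the file is normally absent or empty, so any
    entry outside the allowlist deserves a look, not only watchlist hits.
    """
    report: dict[str, list[str]] = {"allowed": [], "watchlist": [], "unexpected": []}
    for entry in parse_ld_preload(text):
        if entry in allowlist:
            report["allowed"].append(entry)
        elif Path(entry).name in WATCHLIST:
            report["watchlist"].append(entry)
        else:
            report["unexpected"].append(entry)
    return report


def audit_file(path: str, allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Convenience wrapper for a file pulled from an image; a missing file
    is reported as empty, which is the expected clean state."""
    p = Path(path)
    if not p.exists():
        return {"allowed": [], "watchlist": [], "unexpected": []}
    return audit_ld_preload(p.read_text(errors="replace"), allowlist)


# Constructed sample: one expected library, one watchlist hit, one unknown.
SAMPLE = """# constructed sample ld.so.preload
/usr/lib/libexpected.so
/tmp/liblogblock.so
/lib/libfoo.so
"""

if __name__ == "__main__":
    for category, hits in audit_ld_preload(
            SAMPLE, frozenset({"/usr/lib/libexpected.so"})).items():
        print(f"{category:10s} {hits}")
```

The allowlist is matched on the full path while the watchlist is matched on the file name, because a planted library can sit anywhere on disk but an approved one should only ever be loaded from its known location.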
Previously, CVE-2025-0282 was leveraged by another China-linked threat group, Silk Typhoon (formerly known as Hafnium) in attacks targeting common IT solutions like remote management tools and cloud applications.