The U.S. Cybersecurity and Information Security Agency (CISA) has issued an advisory detailing a new malware variant detected in attacks on an Ivanti vulnerability.
The CISA advisory says the agency recovered three files from a critical infrastructure environment’s Ivanti Connect Secure device after threat actors exploited Ivanti vulnerability CVE-2025-0282 for initial access.
One of the files contained a new malware variant that CISA is calling RESURGE, which is similar to SPAWNCHIMERA in that it creates a Secure Shell (SSH) tunnel for command and control activities. The new variant adds important new capabilities, however.
RESURGE Malware Adds New Capabilities
RESURGE malware goes well beyond SPAWNCHIMERA with its ability to modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk.
The RESURGE file, ‘libdsupgrade.so,’ is a malicious 32-bit Linux Shared Object file, CISA said. The file contains a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.
A second file (‘liblogblock.so’) is a variant of the SPAWNSLOTH log tampering utility that was contained within the RESURGE sample.
The third file (‘dsmain’) is a custom embedded binary containing an open-source shell script and applets from the open-source tool BusyBox, CISA said. The shell script can extract an uncompressed kernel image (vmlinux) from a compromised kernel image, while BusyBox lets threat actors “perform various functions such as download and execute payloads on compromised devices,” the agency said.
CISA included file hashes and YARA detection rules based on the SHA-256 hashes. For RESURGE, the SHA-256 hash is 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda.
The SPAWNSLOTH hash is 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104, and the dsmain hash is b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d.
CISA Recommendations
CISA recommended a number of controls in the advisory, such as:
- Disabling file and printer sharing services if possible, or at least using strong passwords or Active Directory authentication.
- Restricting users’ ability to install and run unwanted software applications.
- Exercising caution when opening e-mail attachments “even if the attachment is expected and the sender appears to be known.”
- Enabling a personal firewall on workstations and configuring it to deny unsolicited connection requests.
- Disabling unnecessary services on workstations and servers.
- Scanning for and removing suspicious e-mail attachments, and ensuring that the attachment extension matches the file header.
- Maintaining awareness of the latest threats and implementing appropriate Access Control Lists (ACLs).
