CISA Exposes RESURGE Malware Targeting Ivanti Connect Secure Zero‑Day CVE‑2025‑0282

CyberSecureFox 🦊

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an updated technical analysis of the RESURGE malware family, a highly sophisticated implant used in targeted attacks against Ivanti Connect Secure VPN gateways via the zero‑day vulnerability CVE‑2025‑0282. The malware combines rootkit, bootkit, and stealth backdoor capabilities and is designed for long‑term, hard‑to‑detect persistence in enterprise and government networks.

RESURGE malware and Ivanti CVE‑2025‑0282: background on the VPN attacks

According to CISA, RESURGE was first documented in early 2024, when incident responders observed it on Ivanti Connect Secure appliances. The malware was able to survive device reboots, deploy web shells to steal credentials, create new user accounts, reset passwords, and escalate privileges on compromised VPN gateways.

Threat intelligence firm Mandiant attributes exploitation of the critical Ivanti vulnerability CVE‑2025‑0282, observed since at least mid‑December 2024, to a China‑associated threat cluster tracked as UNC5221. Because Ivanti Connect Secure is widely deployed as an SSL VPN gateway in large enterprises and public sector networks, successful exploitation of this zero‑day provides attackers with direct, authenticated access to internal systems, bypassing traditional perimeter defenses and network firewalls.

The RESURGE campaign continues a broader trend observed in recent years, where VPN and edge devices become high‑value entry points. Previous Ivanti and other VPN zero‑days were quickly incorporated into state‑sponsored and criminal operations worldwide, underscoring the strategic importance of these devices in modern attack chains.

Technical analysis of RESURGE: rootkit, backdoor and passive C2 on Ivanti Connect Secure

CISA’s analysis describes RESURGE as a 32‑bit Linux shared object library named libdsupgrade.so. The library is injected into the Ivanti web process and acts simultaneously as a rootkit (hiding its own activity), a backdoor (providing remote access), a dropper (deploying additional payloads), and a module for traffic proxying and tunneling.

A distinctive feature of RESURGE is its passive command‑and‑control (C2) architecture. Unlike typical malware that periodically connects out to a C2 server, RESURGE waits indefinitely for a specific incoming TLS connection. This passive model makes detection via outbound traffic monitoring significantly harder and allows the malware to operate under strict egress‑filtering policies that block unknown external communications.

TLS fingerprinting and mutual authentication in RESURGE

Once embedded into the web server process, RESURGE hooks the system call accept() and inspects incoming TLS sessions before they reach the legitimate Ivanti web service. To distinguish operator traffic from normal user traffic, the malware calculates a CRC32 hash of the TLS fingerprint. If the computed hash does not match the expected value, the connection is transparently passed through to the legitimate server, and users remain unaware of the malicious interception.

For authenticating the attacker’s operator, the malware relies on a spoofed Ivanti certificate. This certificate is not used for actual encryption but as a marker that signals to the implant that the connection originates from a legitimate operator rather than a typical VPN client. CISA notes that this certificate is transmitted in clear text, making it a useful network‑level indicator of compromise that defenders can hunt for in TLS traffic.

Once the TLS fingerprint and certificate checks succeed, RESURGE establishes a hardened channel using Mutual TLS (mTLS) with elliptic‑curve cryptography. Static analysis shows that the implant requests an elliptic‑curve (EC) key from the remote operator and validates it against a hard‑coded certificate authority (CA) key embedded in the binary. This design significantly raises the bar for man‑in‑the‑middle attacks and C2 hijacking, even if the malicious traffic is detected.

Additional components: SpawnSloth log wiper and coreboot firmware bootkit

In addition to the core RESURGE implant, CISA analyzed two closely related components. The first is a variant of the SpawnSloth malware, delivered as a library named liblogblock.so. SpawnSloth is responsible for log wiping and log manipulation on compromised Ivanti devices, making incident reconstruction and forensic analysis far more difficult. Authentication logs, network event logs, and system logs can be selectively or completely erased.

The second component is a binary called dsmain, which leverages the open‑source script extract_vmlinux.sh and BusyBox utilities to decrypt, modify, and re‑encrypt coreboot firmware images. By tampering with coreboot, attackers gain bootkit‑level persistence, allowing malicious code to execute before the operating system loads. This persistence layer can survive OS reinstalls and standard recovery procedures, often requiring full firmware re‑flashing—or even physical replacement of hardware—for complete eradication.

Risk to organizations and defensive recommendations for Ivanti VPN gateways

The combination of the CVE‑2025‑0282 zero‑day, passive C2, and firmware‑level persistence makes RESURGE particularly dangerous for organizations that rely on Ivanti Connect Secure as a central remote access gateway. The implant can remain dormant for extended periods, waiting for a specific inbound connection, while generating minimal traces in logs and network telemetry.

For Ivanti Connect Secure owners, immediate priorities include: applying all security updates that address CVE‑2025‑0282; comparing running configurations and firmware images against vendor‑supplied baselines; and using indicators of compromise (IOCs) published by CISA and trusted security vendors to scan for RESURGE, SpawnSloth, and related artifacts.

Network defenders should closely monitor TLS traffic for anomalous certificates, unusual mutual TLS handshakes, and patterns consistent with passive C2 on VPN gateways. Integrity checks on local logs and deployment of an independent, centralized logging system outside the VPN appliance can limit the impact of log wiping and improve visibility.
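One concrete way to act on the clear‑text certificate marker described above and on this monitoring advice, as an added example that is not part of CISA's report or of this article: a small parser for the client‑to‑server side of a TLS flow that reports the SHA‑256 of any certificate the client presents during the handshake, so the digests can be compared with published indicators. It assumes TLS 1.2 record framing (TLS 1.3 encrypts the Certificate message), and the `certificate_record` helper and `FAKE_DER` value are constructed test input, not real traffic or a real certificate.

```python
import hashlib
HANDSHAKE, HS_CERTIFICATE = 0x16, 11   # record type "handshake"; handshake message "Certificate"
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 16  # constructed placeholder, not a real certificate

def tls_records(stream):
    """Yield (content_type, payload) for each TLS record in one direction of a flow."""
    off = 0
    while off + 5 <= len(stream):
        ctype, length = stream[off], int.from_bytes(stream[off + 3:off + 5], "big")
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:   # truncated capture: stop rather than misparse
            break
        yield ctype, payload
        off += 5 + length

def handshake_messages(payload):
    """Yield (handshake_type, body) for each message inside a handshake record."""
    off = 0
    while off + 4 <= len(payload):
        htype, length = payload[off], int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            break
        yield htype, body
        off += 4 + length

def client_certificates(client_to_server):
    """SHA-256 of every DER certificate the *client* sends in the clear (TLS 1.2 Certificate
    message). Ordinary VPN users never present one to the gateway, so any hit deserves triage."""
    digests = []
    for ctype, payload in tls_records(client_to_server):
        if ctype != HANDSHAKE:
            continue
        for htype, body in handshake_messages(payload):
            if htype != HS_CERTIFICATE:
                continue
            end = 3 + int.from_bytes(body[0:3], "big")   # end of certificate_list
            off = 3
            while off + 3 <= end:
                clen = int.from_bytes(body[off:off + 3], "big")
                digests.append(hashlib.sha256(body[off + 3:off + 3 + clen]).hexdigest())
                off += 3 + clen
    return digests

def certificate_record(ders):
    """Constructed input only: wrap DER blobs in a TLS 1.2 Certificate handshake record."""
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(entries).to_bytes(3, "big") + entries
    msg = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 3]) + len(msg).to_bytes(2, "big") + msg
```

Feed it the reassembled client‑to‑server bytes of a suspect session (for example from a packet capture taken in front of the gateway) and compare the returned digests against the certificate indicators in CISA's advisory.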

Where compromise is suspected, organizations should consider not only reinstalling Ivanti software but also validating or re‑flashing coreboot firmware on affected devices. Additional steps include forced rotation of administrator and VPN user credentials, auditing newly created or modified accounts, and temporarily strengthening network segmentation around VPN gateways to contain potential lateral movement.

The RESURGE campaign illustrates how attacks on infrastructure devices such as VPN gateways are evolving from simple single‑stage exploits into multi‑layered operations with bootkit persistence and stealthy passive command‑and‑control. Organizations should reassess vulnerability management priorities to give edge devices the same—or higher—level of scrutiny as traditional servers, track CISA and vendor advisories in near real time, and invest in network traffic monitoring and firmware integrity controls. Early detection of implants like RESURGE can be the deciding factor in preventing long‑term, covert access to critical systems.
