cisa.gov alerts

CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure

CISA has released a report on a new malware variant called RESURGE, which shares capabilities with SPAWNCHIMERA. RESURGE can survive reboots but uses distinct commands to create web shells, manipulate integrity checks, and modify files. It is associated with the exploitation of CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure appliances. This vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog on January 8, 2025. The malware enables the use of web shells for credential harvesting, account creation, and privilege escalation.

CISA urges users to conduct a factory reset on affected devices for the highest confidence in remediation. Users should also reset credentials for privileged and non-privileged accounts, including all domain users and local accounts. Reviewing access policies to revoke or reduce privileges for affected devices is also recommended. Organizations should monitor related accounts for signs of unauthorized access. Incidents and anomalous activity should be reported to CISA's 24/7 Operations Center.