Ethical Hacking News
CISA has issued a warning about RESURGE, a malicious implant that can sit dormant on Ivanti Connect Secure devices until a remote actor connects to the compromised appliance. RESURGE has rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities, authenticates its operator with a fake Ivanti certificate, and establishes remote access over a mutual TLS session. It bundles a variant of the SPAWNSLOTH log-tampering malware and a kernel extraction script. The alert follows Mandiant's reporting that the implant survives reboots and stays quiet until an operator reaches out to it, and CISA advises administrators to use the updated indicators of compromise (IoCs) to find dormant infections and remove them.
According to CISA, RESURGE is a 32-bit Linux shared object named libdsupgrade.so that was extracted from a compromised Ivanti Connect Secure device. The implant combines rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities in one file, which is what makes it both persistent and hard to spot.
RESURGE authenticates its operator with a fake Ivanti certificate. CISA notes that this certificate is sent unencrypted over the internet; the implant then establishes remote access over a mutual TLS session using elliptic-curve cryptography. Because the certificate presents as Ivanti's and the session is ordinary TLS, operator traffic blends in with legitimate traffic to the appliance, but the cleartext certificate itself is something a sensor that inspects TLS handshakes can look for.
The implant also carries a variant of the SPAWNSLOTH malware, named liblogblock.so, which tampers with logs to hide activity on the device. It further includes a kernel extraction script called dsmain, which embeds the open-source 'extract_vmlinux.sh' script together with a BusyBox collection of Unix/Linux utilities.
CISA stresses that RESURGE can remain latent until a remote actor attempts to connect, so there may be no beaconing or other network activity to catch while the implant is idle. The agency therefore advises administrators to sweep Ivanti devices with the updated IoCs to discover dormant infections and remove them, rather than relying on network monitoring alone.
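A dormant implant produces nothing on the wire, so the practical check is a host-side sweep of the appliance filesystem against the published IoCs. The script below is an added example, not CISA's or Ivanti's tooling: it walks a mounted (read-only) filesystem image, flags files whose name matches one of the names the analysis lists (libdsupgrade.so, liblogblock.so, dsmain) or whose SHA-256 matches a hash list you copy in from the MAR, and records the ELF class and type of each hit so a 32-bit shared object stands out. The hash set is left empty here rather than invented; the directory layout in the demo is a constructed sample, not the real appliance layout.

```python
"""Offline IoC sweep for RESURGE-style artifacts on a mounted filesystem image.
Added example; assumes the image is mounted read-only under ROOT and that
HASH_IOCS is filled from the CISA MAR (it is intentionally empty here)."""
import hashlib
import os
import struct
import tempfile

# File names taken from the CISA analysis; matching on name alone is weak,
# so a name hit is a lead to hash and inspect, not a verdict.
NAME_IOCS = {"libdsupgrade.so", "liblogblock.so", "dsmain"}
HASH_IOCS: set[str] = set()   # populate with SHA-256 values from the MAR


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def elf_info(path: str):
    """Describe an ELF file as e.g. 'elf32 shared object'; None if not ELF."""
    with open(path, "rb") as f:
        hdr = f.read(0x14)            # e_ident (16 bytes) + e_type + e_machine
    if len(hdr) < 0x14 or hdr[:4] != b"\x7fELF":
        return None
    bits = {1: "elf32", 2: "elf64"}.get(hdr[4], "elf?")   # EI_CLASS
    endian = "<" if hdr[5] == 1 else ">"                   # EI_DATA
    e_type = struct.unpack(endian + "H", hdr[0x10:0x12])[0]
    kind = {1: "relocatable", 2: "executable", 3: "shared object",
            4: "core"}.get(e_type, "unknown")
    return f"{bits} {kind}"


def scan(root: str, name_iocs=NAME_IOCS, hash_iocs=HASH_IOCS):
    """Walk ROOT and return one dict per file matching a name or hash IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            reasons = []
            if name in name_iocs:
                reasons.append("name")
            digest = sha256_file(path)
            if digest in hash_iocs:
                reasons.append("sha256")
            if reasons:
                hits.append({"name": name, "path": path, "sha256": digest,
                             "reasons": reasons, "elf": elf_info(path)})
    return hits


def build_sample_tree() -> str:
    """Constructed sample, not a real image: a fake 32-bit ELF shared object
    named libdsupgrade.so, a benign 64-bit library, and an opaque blob."""
    base = tempfile.mkdtemp(prefix="ics-image-")
    lib, binp = os.path.join(base, "home", "lib"), os.path.join(base, "home", "bin")
    os.makedirs(lib)
    os.makedirs(binp)
    ident32 = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LE
    ident64 = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LE
    with open(os.path.join(lib, "libdsupgrade.so"), "wb") as f:
        f.write(ident32 + struct.pack("<HH", 3, 3) + b"\x00" * 32)   # ET_DYN, i386
    with open(os.path.join(lib, "libssl.so"), "wb") as f:
        f.write(ident64 + struct.pack("<HH", 3, 62) + b"\x00" * 32)  # ET_DYN, x86-64
    with open(os.path.join(binp, "update.bin"), "wb") as f:
        f.write(b"constructed opaque blob, stands in for a hash-listed file\n")
    return base


def demo():
    """Run the sweep over the constructed tree, treating update.bin's hash
    as if it were a MAR-listed SHA-256."""
    root = build_sample_tree()
    blob_hash = sha256_file(os.path.join(root, "home", "bin", "update.bin"))
    return scan(root, NAME_IOCS, HASH_IOCS | {blob_hash})


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], hit["reasons"], hit["elf"], hit["sha256"])
```

Point `scan()` at the mount point of an image taken from the appliance, not at the live device, so the sweep cannot be undermined by the rootkit or by liblogblock.so's log tampering; a name hit that is not a 32-bit shared object is worth a second look but is not by itself the implant.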
CISA's alert builds on Mandiant's earlier finding that the implant survives reboots and stays undetected until an operator attempts to connect. RESURGE is a reminder that widely deployed edge appliances are high-value targets, and that an implant which does nothing until contacted will not show up in network telemetry; administrators should sweep their Ivanti devices with the updated IoCs, remove any infections found, and keep current on the vendor's advisories.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Warns-of-Resurgence-Dormant-Malware-Threat-on-Ivanti-Devices-ehn.shtml
https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/
https://www.cisa.gov/news-events/news/cisa-issues-updated-resurge-malware-analysis-highlighting-stealthy-active-threat
https://www.cisa.gov/sites/default/files/2025-03/MAR-25993211.r1.v1.CLEAR_.pdf
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
https://www.csoonline.com/article/3732107/ivanti-zero-day-exploited-by-apt-group-that-previously-targeted-connect-secure-appliances.html
Published: Fri Feb 27 12:17:05 2026 by llama3.2 3B Q4_K_M