RESURGE Malware Persists Dormant on Compromised Ivanti Devices, CISA Warns
CISA reveals technical details of RESURGE malware implant targeting Ivanti Connect Secure via CVE-2025-0282, enabling stealthy persistence in zero-day attacks.
CISA Exposes RESURGE Malware Targeting Ivanti Connect Secure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed new technical details about RESURGE, a sophisticated malware implant used in recent zero-day attacks exploiting CVE-2025-0282 to compromise Ivanti Connect Secure devices. The agency warns that the malware can remain dormant, evading detection while maintaining persistence on infected systems.
Technical Details of RESURGE
RESURGE, identified in ongoing threat actor campaigns, leverages CVE-2025-0282, a critical vulnerability in Ivanti’s Connect Secure VPN appliances. According to CISA’s analysis, the malware employs multiple evasion techniques, including:
- Dormancy mechanisms to avoid triggering security alerts during initial compromise.
- Process injection to execute malicious code within legitimate system processes.
- Obfuscated command-and-control (C2) communications to bypass network monitoring.
CISA’s advisory highlights that RESURGE is designed to harvest credentials, exfiltrate data, and establish backdoor access for further lateral movement within compromised networks. The implant’s modular architecture suggests it may be part of a broader attack toolkit, potentially linked to advanced persistent threat (APT) groups.
Impact and Risk Assessment
The exploitation of CVE-2025-0282 poses significant risks to organizations relying on Ivanti Connect Secure for remote access. Key concerns include:
- Stealthy persistence: RESURGE’s ability to lie dormant complicates detection, allowing threat actors to maintain access over extended periods.
- Data exfiltration: The malware’s credential-harvesting capabilities could lead to unauthorized access to sensitive corporate or government systems.
- Supply chain risks: Compromised Ivanti devices may serve as entry points for broader network infiltration, particularly in high-value sectors like government, defense, and critical infrastructure.
CISA’s findings underscore the urgency for organizations to patch vulnerable Ivanti systems immediately and conduct thorough forensic analysis to identify signs of compromise.
Mitigation and Recommendations
CISA urges administrators to take the following actions:
- Apply patches: Immediately update Ivanti Connect Secure devices to the latest firmware version addressing CVE-2025-0282.
- Isolate affected systems: Quarantine any devices exhibiting suspicious behavior until a full investigation is completed.
- Monitor for indicators of compromise (IOCs): Review CISA’s advisory for RESURGE-specific IOCs, including file hashes, C2 domains, and network signatures.
- Enhance detection: Deploy endpoint detection and response (EDR) solutions to identify process injection and anomalous C2 traffic.
- Conduct forensic analysis: Use Ivanti’s integrity checker tool to verify system integrity and detect unauthorized modifications.
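The IOC-review and forensic-analysis steps above amount to matching a device export against a published indicator list. The following script is an added example of that triage logic, not code from CISA or Ivanti: it hashes files from a constructed file-system export and parses constructed proxy log lines, flagging anything that matches a hash or C2 domain in the IOC set. Every indicator, path and log line in it is a labelled placeholder; the real values come from CISA’s advisory.

```python
"""Match file hashes and outbound-connection logs against an IOC list.

Added example for triaging an appliance export. All IOC values, file paths
and log lines here are constructed placeholders, not the indicators from
CISA's RESURGE advisory; substitute the published values before use.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed placeholder IOCs. The hash is derived from a made-up byte string
# so the demo has something to match; the domain uses the reserved .invalid TLD.
IOC_SHA256 = {
    hashlib.sha256(b"constructed malicious sample").hexdigest(): "PLACEHOLDER-IMPLANT-1",
}
IOC_DOMAINS = {"c2.example.invalid"}

# Constructed file-system export: path -> file contents.
SAMPLE_FILES = {
    "/home/bin/web": b"constructed benign binary",
    "/tmp/constructed_suspect.bin": b"constructed malicious sample",
}

# Constructed forward-proxy log lines (timestamp, client, CONNECT host:port, status).
SAMPLE_LOG = [
    "2025-03-28T12:00:01Z 10.0.0.5 CONNECT updates.vendor.example:443 200",
    "2025-03-28T12:00:07Z 10.0.0.5 CONNECT beacon.c2.example.invalid:443 200",
    "2025-03-28T12:00:09Z 10.0.0.9 CONNECT c2.example.invalid:8443 200",
]

CONNECT_RE = re.compile(r"CONNECT\s+([A-Za-z0-9.-]+):\d+")


@dataclass(frozen=True)
class Finding:
    kind: str        # "hash" or "domain"
    where: str       # file path or log line reference
    indicator: str   # the IOC label or matched host


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: dict, iocs: dict = IOC_SHA256) -> list:
    """Hash each exported file and report those whose digest is in the IOC set."""
    findings = []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in iocs:
            findings.append(Finding("hash", path, iocs[digest]))
    return findings


def host_matches(host: str, ioc_domains: set = IOC_DOMAINS) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    Normalises case and a trailing dot; requires a label boundary so that
    'notc2.example.invalid' does not match 'c2.example.invalid'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_log_lines(lines: list, ioc_domains: set = IOC_DOMAINS) -> list:
    """Extract the CONNECT target from each proxy line and flag IOC domains."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = CONNECT_RE.search(line)
        if m and host_matches(m.group(1), ioc_domains):
            findings.append(Finding("domain", f"line {n}", m.group(1)))
    return findings


def triage(files: dict = SAMPLE_FILES, lines: list = SAMPLE_LOG) -> list:
    """Run both checks over an export and return the combined findings."""
    return scan_files(files) + scan_log_lines(lines)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.kind:6} {f.where:32} {f.indicator}")
```

Any hit from `triage` is a reason to isolate the device and move to full forensic collection rather than a verdict on its own; the suffix match in `host_matches` is deliberate so that a beaconing subdomain of a listed C2 domain is not missed, while the label-boundary check keeps look-alike hostnames from producing false positives.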
Organizations with internet-exposed Ivanti devices are advised to assume breach and initiate their incident response procedures. CISA’s full report provides additional technical guidance for defenders.