Cybersecurity

Cyber: Cisa Warns That Resurge Malware Can Be Dormant On Ivanti Devices

2026-02-27 0 views admin
Cyber: Cisa Warns That Resurge Malware Can Be Dormant On Ivanti Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.

The update focuses on the implant's undetected latency on the appliances and its "sophisticated network-level evasion and authentication techniques" that enable covert communication with the attacker.

CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges.

According to researchers at incident response company Mandiant, the critical CVE-2025-0282 vulnerability was exploited as a zero-day since mid-December 2024 by a threat actor linked to China, tracked internally as UNC5221.

CISA's updated bulletin provides additional technical information on RESURGE, a malicious 32-bit Linux Shared Object file named libdsupgrade.so that was extracted from a compromised device.

The implant is described as a passive command-and-control (C2) implant with rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities.

Instead of beaconing to the C2, it waits indefinitely for a particular inbound TLS connection, evading network monitoring, CISA says in the updated document.

When loaded under the ‘web’ process, it hooks the ‘accept()’ function to inspect incoming TLS packets before they reach the web server, looking for specific connection attempts from a remote attacker that are identified using the CRC32 TLS fingerprint hashing scheme.

If the fingerprint does not match, traffic is directed to the legitimate Ivanti server. CISA further details Rusrge's authentication mechanism saying that the threat actor also uses a fake Ivanti certificate to ensure that they are interacting with the implant and not the Ivanti web server.

The agency highlights that the certificate's purpose is just to for authentication and verification purposes, as it is not used to encrypt communication. Furthermore, the fake certificate also helps the actor evade detection by impersonating the legitimate server.

Source: BleepingComputer

🏷️ Tags

cybersecuritysecuritybreachvulnerabilitycve

More from Cybersecurity

Cyber: Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

Cyber: Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

2026-02-27 0
Cyber: Third-party Patching And The Business Footprint We All Share

Cyber: Third-party Patching And The Business Footprint We All Share

2026-02-27 0
Cyber: Security Claude Code Security Shows Promise, Not Perfection

Cyber: Security Claude Code Security Shows Promise, Not Perfection

2026-02-27 0
Cyber: Scarcruft Uses Zoho Workdrive And USB Malware To Breach Air-gapped...

Cyber: Scarcruft Uses Zoho Workdrive And USB Malware To Breach Air-gapped...

2026-02-27 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views