CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:
- Create a web shell, manipulate integrity checks, and modify files.
- Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
- Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.
RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.
For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.
For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML.
CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282:
- For the highest level of confidence, conduct a factory reset.
- For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
- See Ivanti’s Recommended Recovery Steps for more information, including how to conduct a factory reset.
- Reset credentials of privileged and non-privileged accounts.
- Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.
- Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.
- Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.
- Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
Organizations should report incidents and anomalous activity related to information found in the malware analysis report to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. Malware submissions can be made directly to Malware Nextgen at https://malware.cisa.gov.
See the following resources for more guidance:
