THREAT ALERT

CISA Releases Malware Report On RESURGE Malware

Wednesday, April 2nd, 2025

On Friday, March 28, 2025, CISA released a report with analysis of a new malware variant that CISA has identified and named RESURGE. RESURGE is a persistent malware that shares characteristics with the SPAWNCHIMERA malware. Please review the information below, which is taken directly from CISA and compiled by DefenseStorm's Director of Cyber Threat Intelligence, to learn more about RESURGE, its capabilities, and its attack vectors.

CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:

  • Create a web shell, manipulate integrity checks, and modify files.
  • Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.

For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.

For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML.

CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282:

  • For the highest level of confidence, conduct a factory reset.
    • For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
  • See Ivanti’s Recommended Recovery Steps for more information, including how to conduct a factory reset.
  • Reset credentials of privileged and non-privileged accounts.
  • Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.
  • Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.
  • Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.
  • Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
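The krbtgt guidance above calls for two resets with replication allowed to complete in between. The following PowerShell is an added example written for this alert, not CISA's or Ivanti's tooling, that performs one reset, polls every writable domain controller until all of them show the new PasswordLastSet value, and only then performs the second reset. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and a domain-joined workstation; the helper names (New-RandomPassword, Reset-KrbtgtOnce, Wait-KrbtgtReplication) are this example's own.

```powershell
# Added example: double krbtgt reset with a replication check between the two resets.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights; run from a domain-joined host.
Import-Module ActiveDirectory

function New-RandomPassword {
    # Generate a long random password from a CSPRNG; the value itself is never needed again.
    param([int]$Length = 48)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtOnce {
    # Reset the krbtgt password once and return the resulting PasswordLastSet timestamp,
    # which is what we later look for on every other domain controller.
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure
    return (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}

function Wait-KrbtgtReplication {
    # Poll each writable DC until its copy of krbtgt reflects the expected PasswordLastSet.
    # RODCs are skipped: they use their own krbtgt_<id> accounts, not this one.
    param(
        [Parameter(Mandatory)][datetime]$ExpectedPasswordLastSet,
        [int]$TimeoutMinutes = 60
    )
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = @()
        foreach ($dc in $dcs) {
            $seen = (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet).PasswordLastSet
            if ($seen -lt $ExpectedPasswordLastSet) { $lagging += $dc.HostName }
        }
        if ($lagging.Count -eq 0) { return $true }
        Write-Host "Waiting for krbtgt replication to: $($lagging -join ', ')"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

# First reset, then block until every writable DC has the new key.
$first = Reset-KrbtgtOnce
if (-not (Wait-KrbtgtReplication -ExpectedPasswordLastSet $first)) {
    throw "First krbtgt reset has not replicated to all DCs; do not perform the second reset yet."
}

# Second reset, which pushes the pre-compromise key out of the two-password history.
$second = Reset-KrbtgtOnce
if (Wait-KrbtgtReplication -ExpectedPasswordLastSet $second) {
    Write-Host "Both krbtgt resets replicated; previously issued tickets are now invalid."
}
```

Replication alone is the minimum the guidance asks for. Because the second reset invalidates every ticket signed with the first key, many organizations also wait at least the maximum TGT lifetime (10 hours by default) between the two resets so that clients have re-authenticated under the first new key before it is retired; shorten that only when the investigation shows the actor is still using forged tickets.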

Organizations should report incidents and anomalous activity related to information found in the malware analysis report to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. Malware submissions can be made directly to Malware Nextgen at https://malware.cisa.gov.

See the following resources for more guidance:

  • Ivanti: Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)

This product is provided subject to this Notification and this Privacy & Use policy.

Please visit https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure to access the original content and all links associated with this article.

DefenseStorm Recommendations

Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data; air-gap and password-protect backup copies kept offline
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Use app hardening
  • Restrict administrative access

References:

https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure

James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.