
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published new technical insights into a sophisticated piece of malware known as RESURGE, which is deployed in the exploitation of CVE-2025-0282, a vulnerability in Ivanti Connect Secure appliances. The flaw, now patched, is a stack-based buffer overflow that enables remote code execution on affected appliances.
RESURGE, an evolved variant of the previously known malware SPAWNCHIMERA, introduces enhanced capabilities designed for persistence and stealthy system control. It takes the form of a shared object named libdsupgrade.so and operates as a multifunctional implant, acting simultaneously as a rootkit, loader, backdoor, bootkit, proxy, and tunneling agent.
According to CISA, one of RESURGE’s most notable features is its ability to survive system reboots and to embed itself invisibly into critical processes. It leverages techniques such as modifying ld.so.preload, implanting web shells, tampering with core system files, and subverting integrity-checking mechanisms.
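A defender-side check for the ld.so.preload tampering described above, added here as an example and not code from CISA's advisory or this article: it parses a preload file (assuming glibc's format of whitespace- or colon-separated entries with `#` comments) and flags entries that match the artifact names the article gives, that are not absolute paths, or that are absent from a local allowlist. The sample file contents and the allowlist are constructed.

```python
import os
import sys

# Shared-object names the article attributes to RESURGE and its bundled
# SPAWNSLOTH variant. Everything else in this script is a constructed example.
KNOWN_IMPLANTS = {"libdsupgrade.so", "liblogblock.so"}

# Constructed sample of a tampered /etc/ld.so.preload (not taken from the article).
SAMPLE = """# preload
/lib/libdsupgrade.so
/opt/monitor/libagent.so
"""


def parse_preload(text):
    """Return the shared-object entries listed in an ld.so.preload file.

    Assumes glibc's format: entries separated by whitespace or ':', with
    '#' starting a comment that runs to the end of the line.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]            # strip trailing comment
        entries.extend(line.replace(":", " ").split())
    return entries


def audit_preload(text, allowlist=()):
    """Classify each preload entry; returns a list of (entry, reason) findings.

    Every preload entry is injected into each dynamically linked process on
    the host, so anything outside a deliberate allowlist deserves review.
    """
    findings = []
    for entry in parse_preload(text):
        name = os.path.basename(entry)
        if name in KNOWN_IMPLANTS:
            findings.append((entry, "matches a RESURGE/SPAWNSLOTH artifact name"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative path; resolved by library search, not pinned"))
        elif entry not in allowlist:
            findings.append((entry, "not on the approved preload allowlist"))
    return findings


if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            content = f.read()
    else:
        content = SAMPLE
    for entry, reason in audit_preload(content):
        print(f"REVIEW {entry}: {reason}")
```

On a clean host the file is normally absent or empty, so any entry at all is worth explaining.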
The malware’s web shell capabilities enable credential theft, user creation, password resets, and privilege escalation. Furthermore, RESURGE can replicate itself onto the device’s boot disk and interfere with the coreboot firmware image—enhancing its resilience and making its removal particularly arduous.
CISA discovered RESURGE within the infrastructure of a critical facility, alongside two additional malicious artifacts. The first, a modified version of SPAWNSLOTH (liblogblock.so), is embedded within RESURGE and manipulates logging functions on Ivanti devices. The second, an executable named dsmain, is a 64-bit Linux binary bundling shell scripts and BusyBox utilities. This tool facilitates the extraction of the vmlinux kernel image from compromised systems, enabling deeper inspection and manipulation of the operating environment.
According to cybersecurity firm Mandiant, CVE-2025-0282 is being actively exploited by the Chinese cyber-espionage group UNC5337. This group is believed to be behind the broader SPAWN malware ecosystem, which includes variants such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL—all of which have since been consolidated into the monolithic malware known as SPAWNCHIMERA. RESURGE represents the next generation in this lineage.
Remarkably, SPAWNCHIMERA contains built-in functionality to patch CVE-2025-0282 immediately after exploitation, effectively locking out rival threat actors and preserving exclusive access to the compromised system. In this way, the malware not only infiltrates but also fortifies its position within the host environment.
Earlier in March, Microsoft reported that CVE-2025-0282 had also been weaponized by another Chinese APT group—Silk Typhoon, formerly known as Hafnium—highlighting the vulnerability’s appeal across multiple state-linked threat actors.
CISA urges the immediate upgrade of all vulnerable Ivanti systems: Connect Secure should be updated to version 22.7R2.5, Policy Secure to 22.7R1.2, and Neurons for ZTA to 22.7R2.3. The agency also recommends resetting all user and administrator credentials, auditing access permissions, temporarily reducing privileges on impacted devices, rotating authentication keys, and maintaining heightened vigilance through system activity monitoring.