RESURGE Malware Exploits Ivanti Connect Secure CVE-2025-0282 Vulnerability
LAST UPDATED ON FEBRUARY 28, 2026
What Is RESURGE Malware?
RESURGE is a 32-bit Linux shared object (.so) that acts at once as a backdoor, dropper, rootkit, bootkit and trojan. It is built for compromised Ivanti appliances and is distinguished by a fully passive command-and-control design. Unlike implants that beacon to external servers and leave detectable outbound traffic, RESURGE initiates no network connections of its own. It is injected into Ivanti's native web server process, web, and from there inspects incoming TLS connections, activating only when it sees specially crafted traffic from an operator. While dormant it generates no anomalous outbound activity, so network-based detection of the implant itself is significantly harder; the operator's inbound traffic is what there is to look for.
Passive Command and Control Architecture
RESURGE's behavior depends on the process it is loaded into. In the web process it hooks accept() so that every inbound TLS connection passes through it, then uses a CRC32 checksum of the ClientHello to tell operator traffic from legitimate user traffic. In the dsmdm process it instead runs a statically linked libssh server that gives the operator a remote command line. That server does not bind a TCP port; it listens on the Unix domain socket /home/runtime/tmp/.logsrv, and the web-process component relays operator sessions into it. Nothing new appears in a port scan, although the socket is visible to local socket enumeration (ss -xl, lsof -U) on the appliance itself.
Covert Authentication and TLS Manipulation
Operator identification is folded into the TLS handshake itself. When a ClientHello arrives, RESURGE computes a CRC32 checksum over it and compares the result with a hard-coded value. A match marks the connection as operator traffic and routes it to the covert channel; anything else is handed, untouched, to the legitimate Ivanti web server, so to an outside observer every TLS session on the appliance looks normal. CRC32 is a 32-bit checksum, not a keyed hash: the constant is the only secret, and it can be recovered from a sample of the implant.
Once the operator is recognized, RESURGE answers with a forged TLS ServerHello carrying a bogus certificate. The certificate has no legitimate issuer or use; it simply tells the operator that the implant, not the real server, is on the other end. Because it is sent in the handshake before the session is encrypted, it is also a network detection artifact for anyone who captures it. After this exchange the operator sets up a genuine mutually authenticated TLS session using elliptic-curve keys on the NIST P-521 curve, and subsequent command execution runs inside that session.
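The dispatch logic described in the two paragraphs above, as an added Python example (this is not RESURGE's code and is not taken from the CISA or Unit 42 reports): parse the first TLS record a hooked accept() sees, checksum a field of the ClientHello with CRC32, and route on a match. Which bytes the real implant feeds to CRC32 and the constant it compares against are not given in the source; here the 32-byte client random and a constant derived from a made-up token (OPERATOR_RANDOM) stand in for them.

```python
"""Passive TLS-handshake fingerprint dispatch of the kind RESURGE uses.

Added example, not RESURGE code. The hashed field (the ClientHello random)
and the magic constant are assumptions; the implant's real inputs to CRC32
are not public in the source report.
"""
import struct
import zlib
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01

# Hypothetical operator token. A real implant stores only the 32-bit CRC32
# result; deriving it from a token here keeps the demo self-contained.
OPERATOR_RANDOM = b"hypothetical-operator-token-0001"      # exactly 32 bytes
OPERATOR_MAGIC = zlib.crc32(OPERATOR_RANDOM) & 0xFFFFFFFF


def parse_client_hello_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte random from a TLS ClientHello record, or None if
    the bytes are not a well-formed ClientHello (HTTP, garbage, etc.)."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HANDSHAKE or rec_len != len(record) - 5:
        return None
    body = record[5:]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO or hs_len != len(body) - 4:
        return None
    # handshake header (4 bytes) + client_version (2 bytes) precede the random
    return body[6:38]


def fingerprint(record: bytes) -> Optional[int]:
    """CRC32 of the field the implant keys on; None if not a ClientHello."""
    rnd = parse_client_hello_random(record)
    return None if rnd is None else zlib.crc32(rnd) & 0xFFFFFFFF


def route(record: bytes) -> str:
    """What a hooked accept() does with a new connection: 'covert' sends it
    to the implant's channel, 'legitimate' passes it untouched to the real
    web server. Anything that is not an exact match is passed through."""
    return "covert" if fingerprint(record) == OPERATOR_MAGIC else "legitimate"


def build_client_hello(random32: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying the given random."""
    assert len(random32) == 32
    body = (
        b"\x03\x03" + random32 + b"\x00"    # client_version, random, empty session_id
        + b"\x00\x02\xc0\x2f"               # one cipher suite
        + b"\x01\x00"                       # one compression method (null)
        + b"\x00\x00"                       # no extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


if __name__ == "__main__":
    print(route(build_client_hello(OPERATOR_RANDOM)))   # covert
    print(route(build_client_hello(bytes(32))))         # legitimate
    print(route(b"GET / HTTP/1.1\r\n"))                 # legitimate
```

Two points follow from the structure. First, a normal browser or VPN client never produces the matching checksum, so the pass-through branch keeps the appliance working and the operator's connection is indistinguishable from a user's until the forged ServerHello is sent. Second, because CRC32 is unkeyed, a defender who extracts the constant from a sample can in principle craft a ClientHello that matches it and probe an appliance for the forged-certificate response the text describes.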
Persistence and Anti-Forensic Capabilities
Beyond remote access, RESURGE carries persistence and evasion commands. One command set adds its shared object to ld.so.preload, so the dynamic loader injects it into every new dynamically linked process and the hooks come back after a reboot. The same set plants a web shell in the Ivanti CGI script compcheckresult.cgi and defeats the device's integrity checker by recomputing the hashes of the modified files and writing them into the manifest, so a scan finds nothing amiss.
A second command set targets the Ivanti coreboot RAM disk. The malware decrypts the image, injects its components, re-encrypts it and replaces the original. This gives boot-level persistence that survives reboots and may survive a factory reset.
A third command set modifies the Python-based integrity scanning scripts scanner.py and scanner_legacy.py so that hash mismatches are no longer reported, which disables the built-in tamper detection even where the manifest has not been rewritten.
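To see why the manifest rewrite in the first command set and the scanner edits in the third defeat the device's own check, here is an added Python example (not Ivanti's scanner.py and not its manifest format; the directory layout is a constructed stand-in for an appliance filesystem and the preloaded library path is hypothetical). It builds a manifest, lets the "attacker" plant a web shell and an ld.so.preload entry and recompute the hashes, then verifies the filesystem twice: once against the manifest left on the box and once against a copy kept off it.

```python
"""Integrity-manifest tampering versus offline verification.

Added example, not Ivanti's scanner or manifest format. Paths below are a
constructed stand-in; HYPOTHETICAL_IMPLANT is not an indicator of compromise.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

HYPOTHETICAL_IMPLANT = b"/home/runtime/tmp/hypothetical-implant.so\n"
CGI = "home/webserver/htdocs/dana-na/auth/compcheckresult.cgi"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(root: str, manifest: Dict[str, str]) -> List[str]:
    """Compare the tree under root with a manifest. Reports modified and
    missing files, plus files on disk the manifest never listed, which is
    how a freshly written etc/ld.so.preload shows up."""
    current = build_manifest(root)
    findings = []
    for rel, expected in manifest.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != expected:
            findings.append(f"modified: {rel}")
    findings += [f"unlisted: {rel}" for rel in current if rel not in manifest]
    return sorted(findings)


def write_file(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Clean box -> attacker tampers and re-hashes -> check with both manifests."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed clean state.
        write_file(root, CGI, b"#!/usr/bin/perl\nprint 'ok';\n")
        write_file(root, "home/bin/web", b"\x7fELF constructed stand-in for the web binary")
        on_box_manifest = build_manifest(root)      # what the appliance stores
        offline_manifest = dict(on_box_manifest)    # copy kept off the appliance

        # Attacker actions from the text: web shell in the CGI, a preload
        # entry, then recompute and replace the hashes in the on-box manifest.
        write_file(root, CGI, b"#!/usr/bin/perl\n# constructed web-shell stand-in\n")
        write_file(root, "etc/ld.so.preload", HYPOTHETICAL_IMPLANT)
        on_box_manifest = build_manifest(root)

        return {
            "on_box_checker": verify(root, on_box_manifest),
            "offline_checker": verify(root, offline_manifest),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The on-box checker reports the device clean because both its reference hashes and (in the real attack) its checking code live on the device the attacker controls. The offline copy flags the modified CGI and the unlisted ld.so.preload. The practical rule is the same for any appliance: reference hashes and the tooling that compares them must come from outside the suspected device.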
Log Manipulation and Embedded Tooling
RESURGE also embeds a module named liblogblock.so, a variant of the SPAWNSLOTH log-tampering malware. It hooks the Ivanti dslogserver process at runtime with the open-source funchook library and intercepts log-writing calls, suppressing or altering entries to remove evidence of the operator's activity. For responders this means that the absence of log entries on the appliance is not evidence of absence; logs forwarded off the box before compromise are more trustworthy.
A further bundled file, dsmain, is a 64-bit Linux ELF binary containing the BusyBox toolkit and a shell script for extracting an uncompressed kernel image. BusyBox gives the operator a full set of Unix utilities for file manipulation, compression, downloading and system modification, and the kernel-extraction script supports the work of decrypting and modifying the coreboot image during boot persistence.
Ivanti CVE-2025-0282 Vulnerability Explained
CVE-2025-0282 is a critical stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways. It carries a CVSS score of 9.0 (Critical) and was disclosed on January 8, 2025, together with reports of active exploitation in the wild. A public proof of concept followed shortly afterward, raising the risk of widespread abuse.
The vulnerability allows unauthenticated remote code execution. An attacker with network access to an exposed appliance can send a specially crafted request that triggers the overflow and executes arbitrary code without valid credentials. Because these products are internet-facing remote access gateways, the flaw provides a direct path into enterprise networks, placing it among the most severe categories of security vulnerabilities.
A related issue, CVE-2025-0283, was disclosed at the same time. Although it is also a stack-based buffer overflow, it requires an already authenticated local attacker and yields privilege escalation on the appliance rather than initial access.
How the Ivanti CVE-2025-0282 Exploit Works
CVE-2025-0282 stems from the way Ivanti Connect Secure and related products handle IF-T (IF-T/TLS) protocol connections [2]. It is a stack-based buffer overflow caused by missing bounds checking when IF-T packets from unauthenticated clients are processed: the appliance does not validate the size of certain fields before copying them into fixed-length stack buffers. A crafted request can therefore overwrite the stack, corrupt control flow and execute arbitrary code. Because the vulnerable code runs before authentication, no credentials are needed, and because it sits in an internet-facing VPN service, the flaw is both remotely reachable and highly impactful.
Exploitation typically begins with attackers locating internet-exposed Ivanti appliances and sending crafted IF-T requests that trigger the overflow. Incident responders observed repeated "Invalid IFT packet received from unauthenticated client" log entries before successful compromise, often from Tor exit nodes and commercial VPN infrastructure. A successful overflow gives the attacker unauthenticated remote code execution on the appliance and turns the VPN gateway into a controlled foothold at the network perimeter.
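The log pattern above is a hunting lead. As an added example (not from the Picus platform or the cited reports), the Python below runs a simple burst detector over constructed log lines: the message text is the one quoted in the paragraph, but the syslog-style layout around it and the addresses (documentation ranges) are invented for the demo, so the regular expression will need adjusting to the real appliance log format.

```python
"""Burst detection for 'Invalid IFT packet' events before CVE-2025-0282 exploitation.

Added example. SAMPLE_LOG is constructed: the message string is the one
reported by responders, the surrounding syslog-style layout and the source
addresses are assumptions, not Ivanti's real log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """\
2025-01-07T03:14:01Z ics01 web[2211]: Invalid IFT packet received from unauthenticated client 192.0.2.10
2025-01-07T03:14:02Z ics01 web[2211]: Invalid IFT packet received from unauthenticated client 192.0.2.10
2025-01-07T03:14:02Z ics01 web[2211]: Invalid IFT packet received from unauthenticated client 192.0.2.10
2025-01-07T03:14:03Z ics01 web[2211]: Invalid IFT packet received from unauthenticated client 192.0.2.10
2025-01-07T03:14:05Z ics01 web[2211]: Invalid IFT packet received from unauthenticated client 192.0.2.10
2025-01-07T03:20:00Z ics01 web[2211]: Invalid IFT packet received from unauthenticated client 198.51.100.7
2025-01-07T09:45:12Z ics01 web[2211]: Invalid IFT packet received from unauthenticated client 198.51.100.7
"""

# Assumed layout: "<ISO timestamp> <host> <proc[pid]>: <message> <client ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: Invalid IFT packet received from unauthenticated client "
    r"(?P<ip>[0-9A-Fa-f.:]+)$"
)


def invalid_ift_bursts(
    log_text: str,
    threshold: int = 3,
    window: timedelta = timedelta(seconds=60),
) -> Dict[str, int]:
    """Return {source_ip: peak_count} for sources that produced at least
    `threshold` invalid-IFT events within any sliding `window`.
    A lone malformed packet is noise; a tight burst from one source is the
    shape of someone working on the overflow."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["ip"]].append(ts)

    flagged: Dict[str, int] = {}
    for ip, times in events.items():
        times.sort()
        recent: deque = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:      # drop events older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in invalid_ift_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} invalid IFT packets inside one window")
```

Enrich flagged sources with Tor exit and commercial VPN lists before escalating, since those were the common origins. Treat a clean result with caution: RESURGE's liblogblock.so component exists to alter exactly these logs on the appliance, so run the check against copies forwarded to a collector rather than against logs read from a device you suspect.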
After achieving unauthenticated remote code execution through CVE-2025-0282, attackers can deploy the RESURGE malware directly onto the compromised Ivanti appliance. The vulnerability provides the entry point, but RESURGE ensures continued control, stealth, and reentry capability even after the initial exploitation activity subsides.
How Picus Helps Simulate RESURGE Malware Attacks
We also strongly recommend simulating RESURGE malware attacks with the Picus Security Validation Platform to test how your security controls hold up against sophisticated attacks. You can also test your defenses against other malware, such as BRICKSTORM, SPAWNSLOTH and Lumma, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for RESURGE malware attacks:
| Threat ID | Threat Name | Attack Module |
| 45191 | RESURGE Trojan Download Threat | Network Infiltration |
| 62673 | RESURGE Trojan Email Threat | Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for RESURGE malware in preventive security controls. Picus Labs has currently validated the following signatures for RESURGE:
| Security Control | Signature ID | Signature Name |
| Check Point | 0B789E2F7 | Backdoor.Win32.Tesdat.TC.b847onmJ |
| Cisco FirePower | | Elf.Rootkit.RESURGE.tii.Talos |
| ForcePoint NGFW | | File_Malware-Blocked |
| FortiGate AV | 10210769 | Linux/Agent.AHD!tr |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto NGFW | 710626769 | trojan/Linux.apitw.a |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] CISA, "Ivanti Connect Secure (RESURGE) Malware Analysis Report," Analysis Report AR25-087A, Mar. 28, 2025. Available: https://www.cisa.gov/news-events/analysis-reports/ar25-087a
[2] Unit 42, "Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)," Palo Alto Networks, Jan. 16, 2025. Available: https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/
