In March 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report on the Resurge malware, a variant of the SpawnChimera family, which was deployed in attacks exploiting a critical zero-day vulnerability in Ivanti Connect Secure (ICS) devices (the same flaw also affects Ivanti Policy Secure and Ivanti Neurons for ZTA gateways). The vulnerability, tracked as CVE-2025-0282 with a CVSS score of 9.0, is a stack-based buffer overflow that allows an unauthenticated remote attacker to execute arbitrary code on affected appliances.
Discovery and Exploitation
Ivanti disclosed the vulnerability on January 8, 2025, acknowledging active exploitation in the wild. Mandiant, which investigated the intrusions alongside Ivanti, attributed the exploitation of CVE-2025-0282 to a China-linked espionage group designated UNC5221 and reported that it had been under way since at least mid-December 2024. This group has a history of exploiting Ivanti VPN vulnerabilities to deploy malware from the Spawn family, including SpawnAnt (installer), SpawnMole (tunneler), SpawnSnail (SSH backdoor), and SpawnSloth (log tampering).
Evolution of the Spawn Malware Family
On February 20, 2025, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) reported that multiple threat actors were exploiting CVE-2025-0282 with an evolved variant of the Spawn family known as SpawnChimera. This variant merges updated versions of SpawnAnt, SpawnMole, and SpawnSnail into a single component and injects its code into various processes on the appliance to keep running. Notably, SpawnChimera also patches the CVE-2025-0282 vulnerability on the device it has compromised, most likely to lock other attackers out of the same flaw rather than out of any concern for the victim.
CISA’s Analysis of Resurge Malware
On March 28, 2025, CISA published its analysis of a malware sample recovered from a device compromised through CVE-2025-0282, which it named Resurge. The malware was deployed on the ICS appliance as a Linux shared library named ‘libdsupgrade.so’. Resurge exhibits multifaceted capabilities, functioning as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. While it shares much of its code with SpawnChimera, Resurge adds a series of commands that modify files, tamper with the appliance’s integrity checks, and copy a web shell to the running boot disk, giving it persistence that survives a reboot and makes on-device verification untrustworthy.
Technical Capabilities of Resurge
Resurge’s combined functionality lets an attacker establish and keep unauthorized access to a compromised appliance. Its rootkit component hides its files and processes from the live system, while the dropper installs additional payloads. As a backdoor it gives remote control over the device, and its bootkit behaviour means it remains active after a reboot rather than being cleared by one. The proxy and tunneler components route attacker traffic through the appliance, turning an edge VPN device into a pivot point into the internal network. Because the rootkit can hide from anything run on the device itself, a compromised appliance should be checked from outside, for example with Ivanti’s external Integrity Checker Tool or by examining a copy of its disk from a separate system.
Implications for Cybersecurity
The exploitation of CVE-2025-0282 and the deployment of malware like Resurge underscore the persistent threat posed by state-sponsored actors to internet-facing edge devices. Organizations running Ivanti Connect Secure appliances should apply the current patches promptly, check every device for signs of compromise, and treat an appliance on which Resurge is found as fully compromised: CISA’s accompanying guidance calls for a factory reset with a clean image, a reset of the credentials and keys the device held, and a review of traffic that passed through it. Robust monitoring of the device’s network activity and an incident response plan that covers edge appliances are essential to limiting the impact of such threats.
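The page states that Resurge is deployed as ‘libdsupgrade.so’ and that its rootkit component hides its presence from the live appliance, so the useful assessment is one performed from outside the device. The script below is an added example, not CISA’s or Ivanti’s tooling: it hashes every regular file in a mounted, read-only copy of an appliance disk, compares the result with a known-good manifest taken from a clean image, and reports added, removed and modified files plus any hit on a short watchlist of filenames. The two directory trees it builds, the file contents, and the watchlist are constructed for illustration; only the ‘libdsupgrade.so’ name comes from the text above.

```python
"""Offline integrity comparison for a mounted appliance filesystem.

Added example, not CISA's or Ivanti's tooling. It assumes a known-good
manifest (relative path -> SHA-256) taken from a clean image and a
mounted, read-only copy of the suspect disk. The sample trees below are
constructed inside a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Filenames the text associates with the Resurge deployment. Any further
# entries would be assumptions, so the list is deliberately short.
WATCHLIST = {"libdsupgrade.so"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large firmware images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped rather than followed so that a planted link cannot
    redirect the scan to a clean copy of a replaced file.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the clean manifest and the suspect image."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    watch_hits = sorted(p for p in current if Path(p).name in WATCHLIST)
    return {"added": added, "removed": removed, "modified": modified, "watchlist": watch_hits}


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Build a constructed clean tree and a tampered copy, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"
        # Constructed sample content; a real image holds thousands of files.
        for root in (clean, suspect):
            _write(root, "home/bin/web", b"web-binary-v1")
            _write(root, "home/lib/libdsplibs.so", b"legitimate-library")
            _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        # Simulated tampering: planted library, patched binary, deleted file.
        _write(suspect, "home/lib/libdsupgrade.so", b"planted-shared-object")
        _write(suspect, "home/bin/web", b"web-binary-v1-patched")
        (suspect / "etc/hosts").unlink()
        return compare(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run this against a mounted image, not on the appliance: the manifest is only trustworthy if it was produced from a clean image on a separate host, and the comparison is only trustworthy if the rootkit had no chance to filter what the scan sees. A hash mismatch on a core binary or a watchlist hit is grounds to treat the device as compromised and follow the reset guidance above rather than to attempt in-place cleanup.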
Conclusion
CISA’s detailed analysis of the Resurge malware highlights the evolving tactics of cyber adversaries and the importance of proactive cybersecurity measures. By understanding the mechanisms employed in these attacks, organizations can better defend against similar threats in the future.