The US Cybersecurity and Infrastructure Security Agency (CISA) is shedding light on a new malware called RESURGE that is being deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances.
“RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior,” the agency said. “The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.”
The security vulnerability associated with the deployment of the malware is CVE-2025-0282, a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways.
It affects the following versions:
- Ivanti Connect Secure before version 22.7R2.5
- Ivanti Policy Secure before version 22.7R1.2
- Ivanti Neurons for ZTA Gateways before version 22.7R2.3
According to Google-owned Mandiant, CVE-2025-0282 has been weaponized to deliver what is called the SPAWN ecosystem of malware, comprising several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN has been attributed to a China-nexus espionage group tracked as UNC5337.
Last month, JPCERT/CC revealed that the vulnerability was being used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines all of the aforementioned modules into one monolithic piece of malware and incorporates changes to facilitate inter-process communication over UNIX domain sockets.
Most notably, the revised variant had the ability to patch CVE-2025-0282 itself so that other malicious actors could not exploit the flaw for their own campaigns.
RESURGE (“libdsupgrade.so”) is an improvement over SPAWNCHIMERA that supports three new commands, per CISA:
- Insert itself into “ld.so.preload”, set up a web shell, manipulate integrity checks, and modify files
- Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation
- Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image
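The first of those commands, insertion into ld.so.preload, is the kind of persistence a defender can look for with a simple offline check. The following is an added example written for this page, not code from CISA, Ivanti, or the malware analysis: it parses an ld.so.preload list, flags entries whose file name matches the artifacts CISA names (libdsupgrade.so, liblogblock.so), flags entries absent from an allowlist, and verifies the SHA-256 of allowlisted libraries against known-good digests. It assumes the defender has a copy of the preload file and the referenced libraries (for example from a forensic disk image) plus a digest allowlist; the `demo()` function builds a constructed sample in a temporary directory, and every path in it is made up for illustration. Because the page states that RESURGE manipulates integrity checks and survives reboots, a check like this should be run against an image taken off the device rather than trusted when run on a possibly compromised appliance.

```python
"""Offline check for ld.so.preload persistence of the kind CISA attributes
to RESURGE. Example code added here; not CISA's, Ivanti's, or the
malware's own code. Library paths in demo() are constructed samples."""

import hashlib
import os
import tempfile
from dataclasses import dataclass

# File names the CISA analysis ties to RESURGE and its SPAWNSLOTH variant.
KNOWN_MALICIOUS_NAMES = {"libdsupgrade.so", "liblogblock.so"}


@dataclass
class Finding:
    path: str
    reason: str


def parse_ld_preload(text: str) -> list[str]:
    """ld.so.preload is a whitespace-separated list of shared-object paths;
    '#' starts a comment that runs to end of line (glibc semantics)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large libraries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_ld_preload(preload_text: str, expected_sha256: dict[str, str],
                     resolve=None) -> list[Finding]:
    """Flag preload entries that are known-malicious by name, missing from
    the allowlist, absent on disk, or whose digest differs from the
    known-good build. expected_sha256 maps preload path -> SHA-256 hex.
    resolve(path) maps a preload path to where it can be read locally
    (e.g. under a mounted image); defaults to the path as written."""
    resolve = resolve or (lambda p: p)
    findings = []
    for entry in parse_ld_preload(preload_text):
        if os.path.basename(entry) in KNOWN_MALICIOUS_NAMES:
            findings.append(Finding(entry, "file name matches a RESURGE/SPAWNSLOTH artifact"))
            continue
        if entry not in expected_sha256:
            findings.append(Finding(entry, "not in the preload allowlist"))
            continue
        local = resolve(entry)
        if not os.path.exists(local):
            findings.append(Finding(entry, "listed but not present on disk"))
            continue
        if hash_file(local) != expected_sha256[entry]:
            findings.append(Finding(entry, "digest differs from known-good build"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed sample: a temp directory stands in for the image's root,
    holding one untouched library and one whose bytes were modified."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "libgood.so")
    with open(good, "wb") as f:
        f.write(b"\x7fELF known-good library bytes")
    tampered = os.path.join(root, "libpatched.so")
    with open(tampered, "wb") as f:
        f.write(b"\x7fELF modified library bytes")
    # Allowlist: digest of the untouched file, and the digest the second
    # library *should* have (its original bytes), which no longer matches.
    expected = {
        "/lib/libgood.so": hash_file(good),
        "/lib/libpatched.so": hashlib.sha256(b"\x7fELF original library bytes").hexdigest(),
    }
    # Constructed preload list resembling one after RESURGE inserted itself.
    preload = ("# preload list\n"
               "/lib/libgood.so /lib/libpatched.so\n"
               "/tmp/libdsupgrade.so\n"
               "/tmp/libx.so\n")
    resolve = lambda p: os.path.join(root, os.path.basename(p))
    return [(fnd.path, fnd.reason) for fnd in check_ld_preload(preload, expected, resolve)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

The name match is deliberately checked before the allowlist so that a malicious library dropped under an allowlisted path is still reported by name; the digest comparison then catches the case the page describes under "modify files", where a legitimately named library has been replaced in place.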
CISA said it also unearthed two other artifacts from ICS devices at an unspecified critical infrastructure entity: a variant of SPAWNSLOTH (“liblogblock.so”) contained within RESURGE, and a bespoke 64-bit Linux ELF binary (“dsmain”).
“The [SPAWNSLOTH variant] tampers with Ivanti device logs,” the agency said. “The third file is a custom embedded binary that contains a subset of applets from the open-source shell script and the open-source tool BusyBox. The open-source shell script allows the ability to extract an uncompressed kernel image (vmlinux) from a compressed kernel image.”
It is worth noting that CVE-2025-0282 was also exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), as Microsoft revealed earlier this month.
The latest findings show that the threat actors behind the malware are actively refining and retooling it, making it essential for organizations to patch their Ivanti instances to the latest version. Because RESURGE is described as surviving reboots and manipulating integrity checks, patching alone should not be assumed to remove it from a device that was already compromised.
As further mitigations, it is recommended to reset credentials for privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.