The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.

The update focuses on the implant's undetected latency on the appliances and its "sophisticated network-level evasion and authentication techniques" that enable covert communication with the attacker.

CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges.

According to researchers at incident response company Mandiant, the critical CVE-2025-0282 vulnerability was exploited as a zero-day since mid-December 2024 by a threat actor linked to China, tracked internally as UNC5221.

Network-level evasion

CISA's updated bulletin provides additional technical information on RESURGE, a malicious 32-bit Linux Shared Object file named libdsupgrade.so that was extracted from a compromised device.

The implant is described as a passive command-and-control (C2) implant with rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities.

Instead of beaconing to the C2, it waits indefinitely for a particular inbound TLS connection, evading network monitoring, CISA says in the updated document.

When loaded under the ‘web’ process, it hooks the ‘accept()’ function to inspect incoming TLS packets before they reach the web server, looking for specific connection attempts from a remote attacker that are identified using the CRC32 TLS fingerprint hashing scheme.

If the fingerprint does not match, traffic is directed to the legitimate Ivanti server. CISA further details Rusrge's authentication mechanism saying that the threat actor also uses a fake Ivanti certificate to ensure that they are interacting with the implant and not the Ivanti web server.

The agency highlights that the certificate's purpose is just to for authentication and verification purposes, as it is not used to encrypt communication. Furthermore, the fake certificate also helps the actor evade detection by impersonating the legitimate server.

Because the forged certificate is sent unencrypted over the internet, CISA says that defenders could use it as a network signature to detect an active compromise.

After fingerprint validation and authentication with the malware, the threat actor establishes secure remote access to the implant using a Mutual TLS session encrypted with the Elliptic Curve protocol.

"Static analysis indicates the RESURGE implant will request the remote actors' EC key to utilize for encryption, and will also verify it with a hard-coded EC Certificate Authority (CA) key," CISA says.

By mimicking legitimate TLS/SSH traffic, the implant achieves stealth and persistence, the American cybersecurity agency says.

Another file analyzed is a variant of the SpawnSloth malware using the name liblogblock.so and contained by the RESURGE implant. Its main purpose is log tampering to hide malicious activity on compromised devices.

A third file that CISA analyzed is dsmain, a kernel extraction script that embeds the open-source script 'extract_vmlinux.sh' and the BusyBox collection of Unix/Linux utilities.

liblogblock.so - 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104
libdsupgrade.so - 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda
dsmain - b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d

It allows RESURGE to decrypt, modify, and re-encrypt coreboot firmware images and manipulate filesystem contents for boot-level persistence.

“CISA’s updated analysis shows that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device,” the agency notes. Because of this, the malicious implant "may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat."

CISA suggests that system administrators use the updated indicators of compromise (IoCs) to discover dormant RESURGE infections and remove them from Ivanti devices.