Summary: CISA has identified a new malware strain named RESURGE targeting the patched vulnerability CVE-2025-0282 in Ivanti Connect Secure (ICS) appliances. RESURGE is an improved version of the SPAWNCHIMERA malware: it retains SPAWNCHIMERA's reboot persistence mechanisms but introduces 3 distinct commands that modify the malware's behavior. The malware combines rootkit, dropper, backdoor, bootkit, proxy, and tunneler capabilities. The vulnerability, a stack-based buffer overflow, affects specific versions of Ivanti Connect Secure, Policy Secure, and ZTA Gateways and can lead to remote code execution. Mandiant links the exploitation of CVE-2025-0282 to the China-nexus espionage group UNC5337, which deploys the SPAWN malware ecosystem, composed of several components. RESURGE's 3 new commands allow it to insert itself into "ld.so.preload," establish web shells used for various malicious activities, including credential harvesting and privilege escalation, manipulate the boot disk and coreboot image, and tamper with integrity checks. CISA also discovered a variant of SPAWNSLOTH within RESURGE, designed to tamper with Ivanti device logs, and a custom binary capable of extracting uncompressed kernel images. Notably, CVE-2025-0282 was also exploited as a zero-day by the China-linked group Silk Typhoon.
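The summary notes that RESURGE persists by inserting itself into "ld.so.preload", the file the Linux dynamic loader consults to force shared objects into every process. The following audit routine is an added example written for this page, not CISA's or Ivanti's tooling: it parses preload-file content the way the loader does and flags any entry that is not on an explicit allowlist, ranking findings by whether the library lives outside the standard library directories or under a hidden path. The trusted directory list, the allowlisted agent hook, and the sample file contents are all constructed assumptions for illustration.

```python
"""Audit ld.so.preload content for unexpected entries (added example, not CISA's or Ivanti's code)."""
import os
from typing import Iterable

# Directories in which preloaded shared objects are normally installed (assumption for this example).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text: str) -> list[str]:
    """Return the shared-object paths listed in ld.so.preload content.

    The dynamic loader reads the file as whitespace-separated paths and
    ignores anything after '#' on a line, so the parser does the same.
    """
    entries: list[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def suspicious_preload_entries(text: str, allowlist: Iterable[str] = ()) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every entry that is not explicitly allowlisted.

    On most hosts ld.so.preload does not exist or is empty, so anything not
    on the allowlist deserves a look; the extra reasons help rank findings.
    """
    allowed = set(allowlist)
    findings: list[tuple[str, list[str]]] = []
    for entry in parse_ld_so_preload(text):
        if entry in allowed:
            continue
        reasons = ["not on allowlist"]
        if not entry.startswith(TRUSTED_LIB_DIRS):
            reasons.append("outside standard library directories")
        if any(part.startswith(".") and part not in (".", "..") for part in entry.split("/") if part):
            reasons.append("hidden path component")
        if not os.path.isabs(entry):
            reasons.append("relative path")
        findings.append((entry, reasons))
    return findings


def audit_preload_file(path: str = "/etc/ld.so.preload", allowlist: Iterable[str] = ()) -> list[tuple[str, list[str]]]:
    """Read the preload file on this host; a missing file is the expected clean state."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_preload_entries(fh.read(), allowlist)


# Constructed sample content for demonstration, not artifacts from the CISA report.
SAMPLE_CLEAN = "# nothing preloaded on a healthy system\n"
SAMPLE_TAMPERED = (
    "/usr/lib64/libexample-edr.so\n"  # hypothetical, allowlisted security-agent hook
    "/tmp/.cache/libexample-inject.so  # constructed suspicious entry\n"
)
ALLOWLIST = {"/usr/lib64/libexample-edr.so"}  # hypothetical allowlist for this example

if __name__ == "__main__":
    for name, content in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        for path, reasons in suspicious_preload_entries(content, ALLOWLIST):
            print(f"[{name}] {path}: {', '.join(reasons)}")
    # Check the live host as well; nothing is printed when the file is absent or clean.
    for path, reasons in audit_preload_file(allowlist=ALLOWLIST):
        print(f"[host] {path}: {', '.join(reasons)}")
```

Because a reboot-persistent preload entry survives process restarts, this check is most useful when scheduled and compared against a known-good baseline, alongside integrity checks of the boot disk and logs that the summary says RESURGE also tampers with.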
Security Officer Comments: The emergence of RESURGE underscores the persistent nature of China-nexus operations targeting critical infrastructure. This new malware, building upon the capabilities of SPAWNCHIMERA and incorporating novel exploitation techniques, demonstrates the sophistication of state-sponsored actors like UNC5337. RESURGE's ability to manipulate core system components, establish persistent web shells, and even tamper with logging mechanisms highlights the potential for long-term, stealthy compromise. Furthermore, the fact that CVE-2025-0282 was also exploited as a zero-day by a separate threat actor, Silk Typhoon, emphasizes the critical need for organizations to apply security patches promptly. The continuous refinement of malware like RESURGE and the adversary's exploitation of a critical, already-patched vulnerability emphasize the importance of proactive defense measures.
Suggested Corrections: IOCs: https://www.cisa.gov/news-events/analysis-reports/ar25-087a
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, or CDs).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Link(s): https://thehackernews.com/2025/03/resurge-malware-exploits-ivanti-flaw.html
https://www.cisa.gov/news-events/al...urge-malware-associated-ivanti-connect-secure
https://www.cisa.gov/news-events/analysis-reports/ar25-087a