The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an updated malware analysis report detailing new findings on RESURGE, a stealthy implant deployed on Ivanti Connect Secure devices after their vulnerabilities have been exploited, which establishes covert Secure Shell-based command-and-control access. Building on its March 2025 report, which highlighted RESURGE’s ability to modify files, manipulate integrity checks and deploy a web shell to the Ivanti boot disk, CISA’s updated analysis shows that RESURGE uses sophisticated network-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged Transport Layer Security (TLS) certificates to facilitate covert communications.
According to the agency, the updated report provides deeper technical indicators and enhanced detection guidance for network defenders. Officials warn that RESURGE is engineered for persistence, capable of remaining dormant on compromised systems until a remote operator initiates a connection. This design allows the malware to evade routine scans and monitoring, raising concerns that it may still be embedded and undetected on affected Ivanti Connect Secure appliances, posing an ongoing threat to enterprise and government networks.
“As America’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency remains fully committed to safeguarding the nation’s critical infrastructure, even during the ongoing multi‑week shutdown of the Department of Homeland Security,” Madhu Gottumukkala, CISA’s acting director, said in a Thursday media statement. “The vulnerabilities detailed in this updated Malware Analysis Report pose real risks to people, property, and essential systems. Given the ease with which these vulnerabilities can be exploited through sophisticated network-level evasion, we determined it was imperative to provide network defenders with enhanced insights to respond faster to the RESURGE malware.”
“By expanding on the technical details in the original Malware Analysis Report (MAR) on RESURGE, we are equipping network defenders with a deeper, more complete understanding of this malware—along with the tools they need to identify, mitigate, and respond effectively,” said Nick Andersen, CISA’s executive assistant director for cybersecurity. “Our updated analysis shows that RESURGE can remain dormant and undetected on Ivanti Connect Secure devices, meaning the threat is very much active.”
CISA analyzed three files obtained from the Ivanti Connect Secure device of a critical infrastructure organization after threat actors exploited Ivanti CVE-2025-0282 for initial access. One file, which CISA is calling RESURGE, has functionality similar to SPAWNCHIMERA in how it creates a Secure Shell (SSH) tunnel for command and control (C2). CISA’s original analysis revealed how RESURGE contains a series of commands that can modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk.
CISA’s updated analysis shows that RESURGE employs sophisticated network-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged TLS certificates to enable covert communications. The report details how the malware distinguishes between benign and malicious TLS traffic through CRC32 fingerprint hashing and uses a mutual TLS authentication process to establish attacker-controlled sessions.
It also explains how forged TLS certificates are generated and embedded within the malware to conduct stealthy interactions, noting that these fake certificates can serve as valuable network indicators for detection. The analysis further examines RESURGE’s use of elliptic curve cryptography to secure communications with operators, strengthening concealment through robust encryption.
CISA highlights identifiable network artifacts, including the forged certificates themselves, that defenders can use as detection markers. Importantly, the fake certificate is not used to encrypt traffic in the traditional sense but to authenticate and verify that a remote connection is communicating with the malware rather than a legitimate Ivanti web server, giving attackers a covert method of confirming control over a compromised device.
The second file is a variant of SPAWNSLOTH contained within the RESURGE sample; it tampers with the Ivanti device logs. The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The shell script can extract an uncompressed kernel image (vmlinux) from a compromised kernel image, and BusyBox enables threat actors to perform various functions, such as downloading and executing payloads on compromised devices.
The RESURGE implant uses a passive command and control model, remaining dormant on a compromised Ivanti device until a remote operator initiates contact. It injects itself into the native Ivanti web server process, known as “web,” and inspects incoming TLS HELLO packets (the client’s handshake opener) to distinguish legitimate traffic from connections intended to activate its command and control functionality.
To make this determination, the implant applies a CRC32 fingerprint hashing scheme to specific bytes within the TLS random value of the incoming packet. If the computed and transformed hash matches expected values embedded in the same TLS HELLO message, the connection is treated as malicious and allowed to proceed to the next authentication stage. All other TLS traffic is passed to the legitimate Ivanti web server for normal processing.
If the fingerprint check succeeds, RESURGE generates its own TLS SERVER HELLO response, constructing it with randomly generated data and a similarly derived CRC32-based value designed to satisfy the operator’s verification process. This exchange enables the attacker to authenticate covertly and potentially gain full remote SSH access to the compromised device.
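The page does not give the byte offsets or the transform RESURGE applies, so the following is an added, hypothetical illustration (not CISA’s or the report’s code) of the general idea from a defender’s side: a ClientHello parser plus a heuristic that flags a random field whose trailing bytes verify a CRC32 over its leading bytes. The `random[28:32] == CRC32(random[:28])` layout, the `classify`/`build_client_hello` helpers and the test vectors are all assumptions constructed for this example.

```python
import struct
import zlib

# Hypothetical layout for illustration only: the last 4 bytes of the 32-byte ClientHello
# random hold CRC32 (little-endian) of the first 28 bytes. A random drawn from a CSPRNG
# satisfies this with probability 2**-32, so a match is a strong anomaly worth a look.
def random_carries_crc32(random: bytes) -> bool:
    return struct.unpack("<I", random[28:32])[0] == zlib.crc32(random[:28])

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; return version, random, session_id, ciphers."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:       # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack(">H", hello[:2])[0]
    random = hello[2:34]                              # 32-byte client random
    sid_len = hello[34]
    off = 35 + sid_len
    cs_len = struct.unpack(">H", hello[off:off + 2])[0]
    suites = hello[off + 2:off + 2 + cs_len]
    return {"version": version, "random": random, "session_id": hello[35:off],
            "ciphers": [struct.unpack(">H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]}

def classify(record: bytes) -> str:
    """'suspicious' if the random is self-verifying, else 'benign' (normal server traffic)."""
    fields = parse_client_hello(record)
    return "suspicious" if random_carries_crc32(fields["random"]) else "benign"

def build_client_hello(random: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one suite, null compression, no extensions)."""
    assert len(random) == 32
    hello = b"\x03\x03" + random + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed test vectors: a plain random, and one laid out per the hypothetical scheme.
BENIGN_RANDOM = bytes(range(32))
FLAGGED_RANDOM = bytes(range(28)) + struct.pack("<I", zlib.crc32(bytes(range(28))))

if __name__ == "__main__":
    for name, rnd in (("benign", BENIGN_RANDOM), ("flagged", FLAGGED_RANDOM)):
        print(name, classify(build_client_hello(rnd)))
```

In practice the heuristic would be fed ClientHello records captured in front of the appliance, and any hit would be correlated with the forged-certificate indicators from the report rather than treated as proof on its own.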
CISA advises users and administrators to strengthen their organization’s security posture by adopting several foundational best practices, with any configuration changes reviewed in advance to avoid unintended operational impacts.
Organizations should ensure antivirus engines and signatures are kept up to date and that operating systems are regularly patched. File and printer sharing services should be disabled unless required for business purposes, and if enabled, protected with strong passwords or Active Directory authentication. User permissions should be tightly controlled to prevent the installation or execution of unauthorized software, and accounts should not be added to the local administrators group unless necessary. A strong password policy should be enforced, with regular password changes.
CISA also urges caution when opening email attachments, even when messages appear to come from known senders. Personal firewalls should be enabled on workstations and configured to block unsolicited connection requests, and unnecessary services should be disabled on both servers and endpoints. Suspicious email attachments should be scanned and verified to ensure the file extension matches the actual file type.
In addition, organizations should monitor web browsing activity and restrict access to high-risk sites, exercise caution when using removable media such as USB drives, and scan all software downloaded from the internet before execution. Maintaining awareness of emerging threats and implementing appropriate access control lists further supports a stronger defensive posture.
