RESURGE
RESURGE is a malware implant targeting Ivanti Connect Secure appliances, associated with exploitation of CVE-2025-0282 in zero-day attacks. CISA describes it as a 32-bit Linux shared object named libdsupgrade.so and assesses it as a passive command-and-control implant with rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities. It builds on SPAWNCHIMERA functionality, including reboot persistence, and adds commands that enable file modification, integrity-check manipulation, web shell creation, credential harvesting, account creation, password resets, and privilege escalation.
RESURGE is designed for stealth and persistence on compromised Ivanti devices. It can survive reboots, insert itself via ld.so.preload for early loading, copy a web shell to the Ivanti boot disk, and modify the running coreboot image for boot-level persistence. CISA states it does not beacon; instead, it remains dormant until it receives a specific inbound TLS connection. When injected into the native Ivanti web server process ("web"), it hooks accept() to inspect incoming TLS traffic, uses a CRC32-based TLS fingerprinting scheme to distinguish operator traffic from benign traffic, forwards non-matching traffic to the legitimate Ivanti server, and uses forged/fake Ivanti TLS certificates for operator verification. After validation, it establishes attacker access using mutual TLS with elliptic-curve cryptography and can mimic legitimate TLS/SSH traffic for covert communications.
Associated tooling observed with RESURGE includes a SPAWNSLOTH variant, liblogblock.so, used for log tampering on Ivanti devices, and a custom binary/script named dsmain that can extract kernel images and support decryption, modification, and re-encryption of coreboot firmware images and filesystem contents. CISA warns RESURGE may remain latent and undetected on affected Ivanti Connect Secure devices until a remote actor initiates contact. The activity has been linked in reporting to the China-linked threat actor UNC5221. High-confidence indicators cited in the source reporting include the filenames libdsupgrade.so, liblogblock.so, and dsmain, as well as the forged Ivanti certificates, which CISA says can serve as network detection signatures.
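The filename indicators and the ld.so.preload loading mechanism described above are the parts of this write-up a responder can act on offline. The script below is an added example, not CISA's, Ivanti's, or the reporting's own tooling: it walks a root filesystem that you have mounted or exported read-only (the path argument is an assumption), parses /etc/ld.so.preload the way glibc does, flags any preload entry and any file whose name matches libdsupgrade.so, liblogblock.so, or dsmain, and computes SHA-256 values locally so they can be compared with vendor-published hashes (none are reproduced on this page). The constructed_demo() helper builds a small constructed sample tree so the logic can be exercised without an appliance image.

```python
"""Offline triage of a mounted filesystem for RESURGE-style artefacts.

Added example (not CISA's or Ivanti's tooling).  Assumes the appliance root
filesystem is mounted or exported read-only at the path passed to scan_root().
The filenames are the indicators named in the reporting summarised above;
hashes are computed here for comparison with vendor-published values.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Filenames cited as high-confidence indicators in the reporting.
KNOWN_FILENAMES = {"libdsupgrade.so", "liblogblock.so", "dsmain"}


def parse_ld_preload(text: str) -> list[str]:
    """Return the shared objects listed in an ld.so.preload file.

    glibc reads the file as paths separated by whitespace or colons, with
    '#' starting a comment.  On an appliance that normally ships this file
    empty or absent, any entry at all is worth a look.
    """
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware blobs do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_root(root: str | Path) -> dict:
    """Collect preload entries and known-name files under a mounted root."""
    root = Path(root)
    findings: dict = {"preload_entries": [], "named_files": []}

    preload = root / "etc" / "ld.so.preload"
    if preload.is_file():
        for entry in parse_ld_preload(preload.read_text(errors="replace")):
            # Resolve inside the mounted image, never on the analysis host.
            target = root / entry.lstrip("/")
            findings["preload_entries"].append({
                "entry": entry,
                "exists": target.is_file(),
                "known_name": Path(entry).name in KNOWN_FILENAMES,
                "sha256": sha256_of(target) if target.is_file() else None,
            })

    # followlinks=False keeps the walk inside the image and avoids symlink loops.
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name not in KNOWN_FILENAMES:
                continue
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            findings["named_files"].append({
                "path": "/" + str(p.relative_to(root)),
                "sha256": sha256_of(p),
            })
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when anything was found; a clean result does not clear the device."""
    return bool(findings["preload_entries"]) or bool(findings["named_files"])


def constructed_demo() -> dict:
    """Build a constructed sample tree (not real appliance data) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="resurge-triage-"))
    (root / "etc").mkdir()
    (root / "etc" / "ld.so.preload").write_text(
        "# constructed sample\n/home/lib/libdsupgrade.so\n")
    (root / "home" / "lib").mkdir(parents=True)
    (root / "home" / "lib" / "libdsupgrade.so").write_bytes(b"\x7fELF constructed")
    (root / "home" / "lib" / "libc.so").write_bytes(b"benign placeholder")
    return scan_root(root)


if __name__ == "__main__":
    import json
    import sys

    target_root = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_root(target_root) if target_root else constructed_demo()
    print(json.dumps(result, indent=2))
```

Run it as `python triage.py /mnt/ics-root` against a mounted image (the mount point is assumed). Because the implant tampers with logs and integrity-check results on a live device, a scan of the running appliance is less trustworthy than a scan of an offline image, and an empty result only means these particular names were not present; Ivanti's integrity checker and the vendor guidance remain the authoritative path.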
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-0282
"...installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024..."
"CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025."
"...deliver updated versions of SPAWN called SPAWNCHIMERA and RESURGE."
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
UNC5221 (the actor named in the summary above)
"SPAWNWAVE overlaps with the publicly reported SPAWNCHIMERA and RESURGE malware families."
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic. The quoted lines under each tactic are the evidence excerpts attached to its techniques.

Initial Access (2 techniques)

Execution (3 techniques)
"The main attack vector is CVE-2025-0282, a stack-based buffer overflow vulnerability that affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways."

Persistence (8 techniques)
"...web shells for credential harvesting, account creation, password resets, and escalating permissions."
"...decrypt, modify, and re-encrypt coreboot firmware images... and manipulate filesystem contents for boot-level persistence."
"It allows RESURGE to decrypt, modify, and re-encrypt coreboot firmware images... and manipulate filesystem contents for boot-level persistence."

Privilege Escalation (3 techniques)

Stealth (11 techniques)
"the threat actor also uses a fake Ivanti certificate... the fake certificate also helps the actor evade detection by impersonating the legitimate server."
"It injects itself into the native Ivanti web server process, known as 'web,' and monitors incoming TLS HELLO packets..."
"...variant of the SpawnSloth malware... Its main purpose is log tampering to hide malicious activity..."
"The implant also utilizes a variant of SpawnSloth malware (liblogblock.so) for log tampering..."
"...decrypt, modify, and re-encrypt coreboot firmware images... and manipulate filesystem contents for boot-level persistence."
"It allows RESURGE to decrypt, modify, and re-encrypt coreboot firmware images... and manipulate filesystem contents for boot-level persistence."
"Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image."

Defense Impairment (3 techniques)
"...RESURGE uses forged TLS certificates and a CRC32 fingerprint hashing scheme to separate ordinary traffic from attacker commands."

Credential Access (3 techniques)

Discovery (1 technique)

Command and Control (8 techniques)
"...leveraging advanced cryptographic methods and forged TLS certificates to enable covert communications... monitors incoming TLS HELLO packets... CRC32 fingerprint hashing... mutual TLS authentication..."
"After fingerprint validation and authentication with the malware, the threat actor establishes secure remote access to the implant using a Mutual TLS session encrypted with the Elliptic Curve protocol."
"The implant is described as a passive command-and-control (C2) implant with rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities."
"Instead of beaconing to the C2, it waits indefinitely for a particular inbound TLS connection..."
"BusyBox enables threat actors to perform various functions, such as download and execute payloads on compromised devices."
"...RESURGE...creates a Secure Shell (SSH) tunnel for command and control (C2)."
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Linux shared-object implant for Ivanti Connect Secure that provides stealthy passive command-and-control by waiting for specific inbound TLS connections (rather than beaconing), includes rootkit/bootkit-like capabilities, and supports persistence and evasion (including log tampering via related tooling).
Linux shared-object implant (libdsupgrade.so) used on Ivanti Connect Secure devices. Operates as a passive C2 by hooking accept() and waiting for specific inbound TLS connections (no active beaconing). Uses CRC32-based TLS fingerprinting and a fake Ivanti certificate for authentication, then establishes mutual TLS with elliptic-curve encryption. Supports stealth/persistence via log tampering and firmware/filesystem manipulation (coreboot).
Malware deployed post-exploitation on Ivanti Connect Secure appliances; features network-level evasion, advanced cryptography, forged TLS certificates, covert comms, and can remain dormant until contacted by an operator.
Malware deployed on Ivanti Connect Secure appliances post-exploitation; described as using network-level evasion and authentication techniques, advanced cryptography, and forged TLS certificates, and capable of remaining dormant until contacted by the operator.