CISA Reveals New Details on RESURGE Malware Exploiting Ivanti Zero-Day Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published fresh technical insights into RESURGE, a malicious implant leveraged in zero-day attacks targeting Ivanti Connect Secure appliances through the vulnerability tracked as CVE-2025-0282.
The latest advisory highlights the implant’s ability to remain undetected on affected systems for extended periods. According to CISA, the malware employs advanced network-level evasion and authentication mechanisms that allow attackers to maintain hidden communication channels with compromised devices.
CISA first reported the malware on March 28 last year, noting that it can persist even after system reboots. The implant is capable of creating web shells to harvest credentials, generating new accounts, resetting passwords, and escalating privileges on affected systems.
Security researchers at incident response firm Mandiant revealed that the critical CVE-2025-0282 flaw had been actively exploited as a zero-day vulnerability since mid-December 2024. The campaign has been linked to a China-associated threat actor identified internally as UNC5221.
Network-level evasion techniques
In the updated bulletin, CISA shared additional technical details about the implant. The malware is a 32-bit Linux shared object file named libdsupgrade.so that was recovered from a compromised Ivanti device.
RESURGE functions as a passive command-and-control (C2) implant with multiple capabilities, including rootkit, bootkit, backdoor, dropper, proxying, and tunneling functions.
Unlike typical malware that beacons to its command server at regular intervals, RESURGE remains idle until it receives a specific inbound TLS connection from an attacker. This behavior helps it avoid detection by traditional network monitoring systems.
When loaded within the ‘web’ process, the implant intercepts the ‘accept()’ function to inspect incoming TLS packets before they reach the web server. It searches for particular connection patterns originating from remote attackers using a CRC32 TLS fingerprint hashing method.
If the fingerprint does not match the expected pattern, the traffic is redirected to the legitimate Ivanti server. CISA also explained that the attackers rely on a fake Ivanti certificate to confirm that they are interacting with the malware implant rather than the genuine web server.
The agency noted that the forged certificate is used strictly for authentication and verification purposes and does not encrypt communication. However, it also helps attackers evade detection by impersonating the legitimate Ivanti service.
Because the fake certificate is transmitted over the internet without encryption, CISA said defenders can potentially use it as a network signature to identify ongoing compromises.
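As an added example that is not part of the CISA advisory or this article: a small Python parser that pulls DER certificates out of cleartext TLS 1.2 handshake records (the Certificate message is only sent in the clear in TLS 1.2 and below) and checks their SHA-256 fingerprints against a block list. The sample capture and the placeholder certificate bytes are constructed; the real forged-certificate fingerprint is not on this page, so a defender would substitute the value from the CISA bulletin.

```python
import hashlib
import struct

HANDSHAKE = 0x16    # TLS record content type
CERTIFICATE = 0x0B  # handshake message type

def _u24(b):
    return int.from_bytes(b, "big")

def extract_certificates(stream):
    """Return DER certificates found in cleartext TLS handshake records.
    Handles several handshake messages coalesced into one record (a typical
    ServerHello + Certificate + ServerHelloDone flight). Assumes a message is
    not split across records, which is enough for a demo capture."""
    certs, off = [], 0
    while off + 5 <= len(stream):
        ctype, rlen = stream[off], struct.unpack("!H", stream[off + 3:off + 5])[0]
        record = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE:
            continue  # application data, alerts, etc. are not inspected
        pos = 0
        while pos + 4 <= len(record):
            hs_type, hs_len = record[pos], _u24(record[pos + 1:pos + 4])
            body = record[pos + 4:pos + 4 + hs_len]
            pos += 4 + hs_len
            if hs_type != CERTIFICATE or len(body) < 3:
                continue
            p, end = 3, 3 + _u24(body[0:3])  # certificate_list length prefix
            while p + 3 <= end:
                clen = _u24(body[p:p + 3])
                certs.append(bytes(body[p + 3:p + 3 + clen]))
                p += 3 + clen
    return certs

def match_known_bad(stream, bad_sha256):
    """SHA-256 each presented certificate and return the ones on the block list."""
    fps = [hashlib.sha256(c).hexdigest() for c in extract_certificates(stream)]
    return [fp for fp in fps if fp in bad_sha256]

# --- constructed sample capture (not real Ivanti or RESURGE bytes) ---
def _hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def _record(payload):
    return bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", len(payload)) + payload

FAKE_CERT = b"\x30\x0a\x02\x01\x01\x04\x05PLACE"  # placeholder, not a real DER cert
_cert_msg = _hs(CERTIFICATE, (3 + len(FAKE_CERT)).to_bytes(3, "big")
                + len(FAKE_CERT).to_bytes(3, "big") + FAKE_CERT)
SAMPLE = _record(_hs(0x02, b"\x03\x03" + b"\x00" * 36) + _cert_msg + _hs(0x0E, b""))
KNOWN_BAD = {hashlib.sha256(FAKE_CERT).hexdigest()}  # stand-in for the advisory's value

if __name__ == "__main__":
    print(match_known_bad(SAMPLE, KNOWN_BAD))
```

In practice the block list would hold the fingerprint published for the forged certificate, and the function would be run over server-to-client bytes captured at a network tap in front of the appliance.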
Once the fingerprint verification and authent

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
