The Cybersecurity and Infrastructure Security Agency on Thursday warned that a malware variant previously used in attacks against Ivanti Connect Secure environments may remain undetected on systems.
In March 2025, CISA issued an alert about the malware, dubbed Resurge, in connection with exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability in certain versions of Ivanti Connect Secure and other Ivanti products.
The agency has since analyzed three samples from a critical infrastructure provider’s Ivanti Connect Secure device after hackers exploited the flaw to gain initial access. The analysis shows that Resurge can remain latent on a device until a remote hacker attempts to contact the device.
As a result, CISA is urging security teams to check for possible compromise, amid concerns that the malware may have gone undetected on a larger scale.
Mandiant researchers in January 2025 identified a China-nexus threat actor exploiting CVE-2025-0282. That group was tracked as UNC5337. Researchers suspect the group had links to UNC5221, which was associated with exploitation of Ivanti vulnerabilities in 2024.
The first of the three files, which CISA calls Resurge, has functions similar to a malware called Spawnchimera. It creates a Secure Shell tunnel for command-and-control purposes. The March 2025 analysis also showed that Resurge includes commands that enable file modification, integrity check manipulation and the creation of web shells that are copied to the Ivanti boot disk, according to the CISA advisory.
The second file is a variant of Spawnsloth, which tampers with Ivanti device logs. The third file is a binary that contains a shell script and a subset of applets from the open-source tool BusyBox. Hackers can use the tool to download and execute payloads on a compromised device, according to CISA.
The malware can remain undetected on a system until a threat actor initiates a connection with the compromised device, a CISA spokesperson told Cybersecurity Dive.
CISA does not know of other CVEs being exploited in these attacks, nor is it aware of the malware being used in attacks against other environments.
Jeff Pollard, a vice president and principal analyst at Forrester, said the overall threat to edge devices is not a unique concern, but the level of persistence and stealth stands out.
“That combination causes so much friction for defenders, who might believe they’ve remediated the issue even though the implant remains in the environment,” Pollard told Cybersecurity Dive. “And since log data can’t be trusted, they might not know.”
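Because the Spawnsloth variant tampers with on-device logs, a defender’s only trustworthy record is the copy that left the appliance before the tampering, for example on a central syslog collector. The script below is an added example, not code from CISA’s advisory or from Ivanti, of the differential check a security team can run: it compares the collector’s copy against the copy still on the device and reports entries that were removed, entries that exist only on the device, and timestamps that run backwards on the device. The log lines, hostname `ics01` and address `203.0.113.5` are constructed, and the line format is a generic timestamp-first syslog style, not the vendor’s actual format.

```python
"""Differential log check: compare an off-box syslog copy with the device's copy.

Added example (not from CISA or Ivanti). Sample log lines are constructed;
the format is generic "ISO-8601 timestamp, host, facility: message".
"""
from datetime import datetime

# Constructed: what the central syslog collector received from the device.
COLLECTOR_LOG = """\
2025-03-28T10:01:02Z ics01 auth: user alice login ok
2025-03-28T10:01:30Z ics01 web: GET /login 200
2025-03-28T10:02:11Z ics01 auth: user admin login ok from 203.0.113.5
2025-03-28T10:02:15Z ics01 sys: file /home/bin/web modified
2025-03-28T10:03:00Z ics01 auth: user alice logout
"""

# Constructed: the copy still on the device, with the admin login and the
# file-modification entry removed as a tampering tool might do.
DEVICE_LOG = """\
2025-03-28T10:01:02Z ics01 auth: user alice login ok
2025-03-28T10:01:30Z ics01 web: GET /login 200
2025-03-28T10:03:00Z ics01 auth: user alice logout
"""


def parse(text):
    """Return a list of (timestamp, line) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, _ = line.partition(" ")
        # Python < 3.11 does not accept a trailing 'Z' in fromisoformat.
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        entries.append((ts, line))
    return entries


def compare_logs(collector_text, device_text):
    """Diff the collector's copy against the device's copy.

    deleted_on_device:      lines the collector has but the device no longer does
    only_on_device:         lines the device has that never reached the collector
                            (a forwarding gap, or entries written after forwarding stopped)
    out_of_order_on_device: device lines whose timestamp precedes the previous line,
                            a sign the file was rewritten rather than appended to
    """
    collector = parse(collector_text)
    device = parse(device_text)
    collector_lines = {line for _, line in collector}
    device_lines = {line for _, line in device}

    deleted = [line for _, line in collector if line not in device_lines]
    only_device = [line for _, line in device if line not in collector_lines]
    out_of_order = [
        line
        for (prev_ts, _), (ts, line) in zip(device, device[1:])
        if ts < prev_ts
    ]
    return {
        "deleted_on_device": deleted,
        "only_on_device": only_device,
        "out_of_order_on_device": out_of_order,
    }


if __name__ == "__main__":
    report = compare_logs(COLLECTOR_LOG, DEVICE_LOG)
    for key, lines in report.items():
        print(f"{key}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

The check only works if forwarding was in place before the compromise and the collector itself is outside the appliance’s trust boundary; a collector the same actor can reach offers no independent record. Any entry in `deleted_on_device` deserves the same weight as a positive indicator, since a benign log rotation removes whole files, not individual lines.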
Editor’s note: Adds comments from Forrester, additional comment from CISA.