RESURGE: the dormant backdoor hidden in Ivanti Connect Secure that only wakes up for a specific connection

5 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its technical analysis of a quiet threat that has been exploiting a critical flaw in Ivanti Connect Secure appliances: a malicious implant named RESURGE. Unlike the typical backdoor that "shouts" by beaconing out to its command-and-control server, RESURGE lies dormant inside the appliance until the attacker initiates a very specific connection, which makes it hard to spot with conventional network monitoring tools.

RESURGE takes the form of a 32-bit Linux shared library (a .so file) that is installed on the affected appliance and adds rootkit capabilities, boot persistence, backdoor access, and proxy and tunnelling functions. Technically, once the library is loaded into the appliance's web process it hooks accept(), the call that hands each new incoming connection to the server, so that it can inspect incoming TLS connections before they reach the legitimate server. Only if the connection matches a specific TLS fingerprint (computed with a CRC32 scheme applied to the fingerprint) and authenticates with a forged certificate that imitates Ivanti does the implant respond; otherwise the traffic is handed to the legitimate server, preserving normal functionality and minimising visible signs of compromise.

Image generated with AI.

Subsequent remote communication is then established over a mutual TLS session using elliptic-curve cryptography. The implant requests the remote operator's EC key and verifies it against an elliptic-curve certificate authority embedded in its own code, giving it an encrypted channel that is hard to distinguish from legitimate TLS or SSH traffic. This mimicry, combined with the fact that the forged certificate is transmitted unencrypted at one point in the protocol, gives defenders an opening: that cleartext certificate, and the signature on it, can serve as a network indicator of compromise if it is explicitly searched for.

CISA's analysis also details additional components that extend the implant's ability to hide its tracks and persist on the system: a known variant of SpawnSloth (identified as liblogblock.so), designed to tamper with logs and erase traces of malicious activity, and a script called dsmain that bundles utilities such as extract_vmlinux.sh and BusyBox to extract and manipulate firmware images. With these tools the attackers can even modify the coreboot image and leave boot-level changes that survive reboots or a superficial clean-up.

The exploited vulnerability, tracked as CVE-2025-0282, was used as a zero-day from December 2024 by an actor that some incident response firms associate with a China-linked group (tracked as UNC5221). Capabilities observed in earlier incidents include deploying web shells for credential theft, creating local accounts, resetting passwords and escalating privileges, which turns compromised appliances into valuable platforms for lateral movement and data exfiltration.

The most worrying aspect operationally is the implant's latency and dormancy: it can sit idle for long periods and show no outbound activity until the remote operator attempts to connect, so an appliance can look healthy while hosting a threat that is ready to activate. That is why CISA insists that administrators not take the absence of obvious signs of compromise as reassurance, and instead use the published signatures and indicators to hunt for latent infections.


For those who manage Ivanti Connect Secure and similar appliances, the practical roadmap combines several measures: apply the patches and mitigations published by the vendor, compare the file hashes provided in the analysis against the files present on the device, look for the associated libraries and scripts, and inspect TLS traffic for atypical patterns (including the forged certificate that, according to CISA, is transmitted unencrypted during the authentication phase). When compromise is confirmed, the response may include isolating the device, restoring it from trusted images and, in critical environments, fully rebuilding the appliance to remove any trace of firmware or boot-level tampering.
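As an added example of the file-side hunt in the roadmap above (not CISA's or Ivanti's tooling), the following Python triages the contents of a mounted appliance image three ways: file names that the CISA analysis associates with RESURGE, SHA-256 hashes from an IOC list, and 32-bit ELF shared objects (the form RESURGE itself takes) whose hash is not in a manifest of known-good files. The IOC list, the manifest, the paths and the file contents are all constructed placeholders; replace the IOC hashes with the values from the CISA report and build the manifest from a known-clean image of the same build.

```python
"""Triage files from a mounted Ivanti Connect Secure image for RESURGE-style
artifacts. Added example; IOC hashes, manifest, paths and contents below are
constructed placeholders, not values from the CISA report.
"""
import hashlib
import os
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# File names the CISA analysis associates with the implant's companion components.
SUSPECT_NAMES = {"liblogblock.so", "dsmain", "extract_vmlinux.sh"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def elf_kind(data: bytes) -> Optional[str]:
    """'ELF32-DYN', 'ELF64-EXEC', ... read from the ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    cls = {1: "ELF32", 2: "ELF64"}.get(data[4], "ELF?")        # EI_CLASS
    order = "little" if data[5] == 1 else "big"                 # EI_DATA
    e_type = int.from_bytes(data[16:18], order)
    kind = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}.get(e_type, "?")
    return f"{cls}-{kind}"


def triage(entries: Iterable[Tuple[str, bytes]],
           ioc_sha256: Dict[str, str],
           known_good: Set[str]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every file that trips at least one check."""
    findings: Dict[str, List[str]] = {}
    for path, data in entries:
        reasons = []
        name = os.path.basename(path)
        digest = sha256(data)
        if digest in ioc_sha256:
            reasons.append("sha256 matches IOC " + ioc_sha256[digest])
        if name in SUSPECT_NAMES:
            reasons.append("file name appears in the CISA analysis")
        if elf_kind(data) == "ELF32-DYN" and digest not in known_good:
            reasons.append("32-bit shared object not in the known-good manifest")
        if reasons:
            findings[path] = reasons
    return findings


def walk_image(root: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (path, contents) for every regular, non-symlink file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if os.path.isfile(p) and not os.path.islink(p):
                with open(p, "rb") as fh:
                    yield p, fh.read()


def _elf32_dyn(tag: bytes) -> bytes:
    """Minimal 32-bit little-endian ET_DYN header followed by a tag (constructed)."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9                 # class=1 (32-bit), data=1 (LE)
    return ident + b"\x03\x00" + b"\x03\x00" + b"\x00" * 32 + tag  # e_type=3 (DYN), e_machine=3


# Constructed sample image: paths and contents are illustrative, not the real ICS layout.
SAMPLE = [
    ("/mnt/image/home/lib/libweb.so", _elf32_dyn(b"vendor-shipped")),
    ("/mnt/image/tmp/liblogblock.so", _elf32_dyn(b"spawnsloth-variant")),
    ("/mnt/image/tmp/.x/libunknown.so", _elf32_dyn(b"unlisted-implant")),
    ("/mnt/image/bin/dsmain", b"#!/bin/sh\n# constructed\n"),
    ("/mnt/image/home/bin/true", b"#!/bin/sh\nexit 0\n"),
]
# Placeholder IOC list: replace with the SHA-256 values published by CISA.
IOC_SHA256 = {sha256(_elf32_dyn(b"unlisted-implant")): "constructed sample IOC"}
# Hashes taken from a known-clean image of the same build (here: only the vendor library).
KNOWN_GOOD = {sha256(_elf32_dyn(b"vendor-shipped"))}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE, IOC_SHA256, KNOWN_GOOD).items():
        print(path, "->", "; ".join(reasons))
```

On a real image, call `triage(walk_image("/mnt/image"), iocs, manifest)`. The manifest check matters because the appliance legitimately ships 32-bit libraries, so "is a 32-bit .so" alone is not a finding; "is a 32-bit .so that the clean build does not contain" is.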

If you want to read CISA's full technical document, the agency published an analysis report that describes these mechanisms in more detail and provides indicators of compromise: CISA report on RESURGE. CISA had also previously issued an initial alert summarising the malware's capabilities and persistence: CISA's earlier warning. For the public vulnerability reference, see the entry in the National Vulnerability Database: CVE-2025-0282 in NVD. Analyst and trade-press reports have also covered the case and put the attribution and modus operandi in context; for example, this news summary contains the key points and links: BleepingComputer on RESURGE. Finally, if you administer Ivanti products, check the vendor's official security advisories and follow its guidance: Ivanti's security advisories.

In short, RESURGE marks an evolution in intrusion technique: less noise, more mimicry and very low-profile persistence. The key to mitigating this kind of threat is not just patching, but actively hunting for subtle signals on the network and on the systems themselves, and being prepared for deep remediation when it is needed. The good news is that, with the technical information CISA and others have already published, security teams have the tools and signatures to detect and eradicate these infections if they act quickly and in a coordinated way.
