CISA Warning on RESURGE Malware Exploiting Ivanti Connect Secure Zero-Day
CISA published updated technical details and warnings about RESURGE, a stealthy Linux implant used in zero-day intrusions against Ivanti Connect Secure appliances. The activity is tied to exploitation of CVE-2025-0282 (a stack-based buffer overflow) affecting Ivanti Connect Secure as well as related Policy Secure and ZTA Gateway products; exploitation was observed beginning in December 2024, and CISA later added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. CISA’s analysis was based on artifacts recovered from a compromised Ivanti device at a critical infrastructure organization, indicating the malware is being used in real-world intrusions rather than as a proof-of-concept.
RESURGE is identified as a Linux shared object, libdsupgrade.so, designed for persistence and stealth, including rootkit/bootkit-like behavior and the ability to remain dormant by passively waiting for specific inbound TLS connections instead of beaconing. The implant reportedly hooks accept() to inspect inbound TLS traffic and uses a CRC32-based TLS fingerprint scheme to identify “legitimate” operator connections; reporting also notes use of a fake Ivanti certificate as an authentication artifact that can serve as a detection signature, followed by a mutually authenticated TLS session. The intrusion set also deployed a SPAWNSLOTH variant (liblogblock.so) for log tampering and a custom tool (dsmain) used to manipulate coreboot images/firmware and filesystem contents for persistence; reporting attributes the broader campaign to China-linked UNC5221 and urges defenders to apply Ivanti fixes and hunt using CISA’s updated IOCs to identify and eradicate latent infections.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA publishes updated technical details on RESURGE malware
CISA released updated technical details describing RESURGE as a Linux shared-object implant with passive command-and-control, rootkit and bootkit capabilities, and persistence through coreboot image modification. The agency also urged administrators to use updated indicators of compromise, reset credentials, and rebuild affected devices from factory reset or verified clean images.
CISA adds CVE-2025-0282 to Known Exploited Vulnerabilities catalog
CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog after confirming in-the-wild exploitation. The listing formally recognized the Ivanti Connect Secure flaw as actively exploited.
UNC5221 begins zero-day exploitation of CVE-2025-0282
Researchers assessed that the China-nexus threat actor UNC5221 began exploiting Ivanti Connect Secure vulnerability CVE-2025-0282 as a zero-day in mid-December 2024. The activity targeted Ivanti Connect Secure devices and led to intrusions at victim organizations, including critical infrastructure.
CISA observes active exploitation of Ivanti Connect Secure devices
CISA reported that active exploitation of CVE-2025-0282 against Ivanti Connect Secure devices was underway beginning in December 2024. Analysis of a compromised critical infrastructure organization uncovered the RESURGE malware along with SPAWNSLOTH log-tampering and the dsmain binary used for persistence.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Coordinated Reconnaissance and Exploitation Activity Targeting Edge VPN Appliances
CISA issued updated technical details on **RESURGE**, a stealthy implant used in zero-day intrusions of **Ivanti Connect Secure** appliances via **CVE-2025-0282**. The malware (a 32-bit Linux shared object, `libdsupgrade.so`) is designed for long-term persistence and covert access, with capabilities described as including rootkit/bootkit-style functionality, credential theft via webshells, account manipulation, privilege escalation, and tunneling/proxying. CISA highlighted that RESURGE can remain **dormant** and evade detection by acting as a *passive* C2: rather than beaconing out, it waits for specific inbound TLS connections and, when loaded under the `web` process, hooks `accept()` to inspect TLS packets and only activate on attacker-identified traffic (using a CRC32-based TLS fingerprinting approach); non-matching traffic is passed through to the legitimate service. Reporting cited Mandiant’s attribution of the early exploitation activity to a China-linked actor tracked as **UNC5221**, with zero-day exploitation reported since mid-December 2024. Separately, GreyNoise reported a large-scale **reconnaissance campaign** against **SonicWall SonicOS/SSL VPN** infrastructure (84,142 scanning sessions over several days) focused primarily on enumerating whether SSL VPN is enabled by probing a single API endpoint—behavior consistent with pre-attack target mapping rather than immediate CVE exploitation. The activity came from thousands of IPs across multiple ASNs and included heavy use of **commercial proxy** infrastructure (rotating exits) in short, concentrated bursts, a pattern GreyNoise assessed as coordinated and operationally segmented. GreyNoise assessed this recon as a precursor to credential-based intrusion and ransomware operations frequently associated with edge VPN access (citing **Akira** and **Fog** as examples), and noted broad internet exposure and a meaningful population of devices running vulnerable or unsupported firmware—conditions that increase the likelihood that reconnaissance will translate into follow-on compromise attempts.
Mar 21, 2026
UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Mandiant and Google Threat Intelligence Group reported **active zero-day exploitation** of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, **CVE-2026-22769** (CVSS 10.0), attributed to **UNC6201**, a suspected PRC-nexus threat cluster. The flaw is described as a **hardcoded-credential issue** affecting versions prior to `6.0.3.1 HF1`, enabling unauthenticated attackers with knowledge of the credential to gain unauthorized access to the underlying OS and establish **root-level persistence**; exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade/apply fixes per its security advisory. Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including **SLAYSTYLE**, **BRICKSTORM**, and a newly identified backdoor, **GRIMBOLT**. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating **“Ghost NICs”** on VMware ESXi for stealthy network movement and using `iptables` for **Single Packet Authorization (SPA)**; initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.
Mar 20, 2026
CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) updated its Known Exploited Vulnerabilities (**KEV**) catalog to indicate that **CVE-2025-22225**, a high-severity VMware ESXi *VMX sandbox escape* flaw, is now **known to be used in ransomware campaigns**. Broadcom patched the issue in March 2025 as part of advisory `VMSA-2025-0004`, describing CVE-2025-22225 as an **arbitrary kernel write** reachable by an attacker with privileges in the `VMX` process, enabling escape from the VMX sandbox to the ESXi kernel. The same advisory also addressed two other zero-days—**CVE-2025-22224** (TOCTOU leading to out-of-bounds write/code execution as the VMX process) and **CVE-2025-22226** (HGFS out-of-bounds read/memory disclosure)—which Broadcom previously tagged as actively exploited in the wild. Reporting also tied the ESXi exploitation to earlier sophisticated activity: Huntress described Chinese-speaking threat actors leveraging access via a compromised SonicWall VPN to deliver tooling targeting VMware ESXi and chaining a VM escape technique that appeared to predate public disclosure of the March 2025 ESXi zero-days. Separately, GreyNoise research highlighted a broader KEV-catalog visibility gap, finding that CISA **quietly “flipped”** dozens of KEV entries during 2025 from “Unknown” to “Known” for ransomware use without prominent public notification—an approach that can materially affect enterprise prioritization when a vulnerability’s status changes to confirmed ransomware exploitation.
Mar 21, 2026