CISA Issues Update on RESURGE Malware Targeting Ivanti Devices
Severity: Medium (Score: 42.4)
Sources: Cybersecuritydive, Aha, Scworld, Cisa, Linkedin
Keywords: cisa, resurge, ivanti, implant, malware, connect, secure
Severity indicators: pla, malware
Summary
CISA has released updated findings on RESURGE, a malware implant exploiting CVE-2025-0282 to compromise Ivanti Connect Secure devices. This malware can remain undetected and utilize advanced evasion techniques for covert communication with attackers. The report builds on previous findings from March 2025 regarding RESURGE's capabilities.
Source articles (11)
- CISA Issues Updated RESURGE Malware Analysis Highlighting a Stealthy but Active Threat — Cisa · 2026-02-26
- New CISA guidance targets persistent RESURGE implant as Ivanti Connect Secure threat ... — Industrialcyber.Co · 2026-02-27
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an updated malware analysis report detailing new findings on RESURGE, a stealthy implant designed to exploit vulnerabilities in…
- CISA warns that RESURGE malware can be dormant on Ivanti devices — Bleepingcomputer · 2026-02-27
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details on RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure…
- ‘Resurge’ malware can remain undetected on devices — Cybersecuritydive · 2026-02-27
  CISA previously issued an alert about attacks that exploited a vulnerability in Ivanti Connect Secure.
- CISA warns that RESURGE malware can be dormant on Ivanti devices | The Cyber Security Hub™ — Linkedin · 2026-02-27
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details on RESURGE, a malicious implant used in zero-day ...
- CISA Warns RESURGE Malware Can Remain Dormant on Ivanti Connect Secure Devices — Thecyberexpress · 2026-03-02
  The latest update on RESURGE malware from Cybersecurity and Infrastructure Security Agency (CISA) signals a concerning reality for network defenders: stealth-focused malware is becoming harder to dete…
- CISA Warns of RESURGE Malware Exploiting 0 — Cybersecuritynews · 2026-03-02
  A newly discovered malware variant named RESURGE is actively targeting Ivanti Connect Secure devices by exploiting a critical zero-day vulnerability, prompting the U.S. Cybersecurity and Infrastructur…
- CISA details RESURGE malware exploiting Ivanti Connect Secure vulnerabilities — Scworld · 2026-03-02
  According to Bleeping Computer, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released updated details regarding the RESURGE malware, which has been used in zero-day attacks tar…
- CISA Alerts On RESURGE Malware Targeting Ivanti Connect Secure Vulnerabilities — Cyberpress · 2026-03-03
  The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the RESURGE malware targeting Ivanti Connect.
- CISA report updates findings on RESURGE malware attacks — Aha · 2026-03-03
  The Cybersecurity and Infrastructure Security Agency Feb. 26 released a report that updates findings from last year on RESURGE malware used to gain covert access to Ivanti Connect Secure devices. The…
- Ivanti Connect Secure devices may carry dormant RESURGE malware — Cybernews · 2026-03-04
  The Cybersecurity and Infrastructure Security Agency (CISA) is warning that RESURGE malware may still be silently embedded in Ivanti Connect ...
Timeline
- 2025-01-08 — CVE-2025-0282 published and added to CISA KEV
- 2025-01-10 — First public PoC for CVE-2025-0282
- 2025-03-28 — CISA first documented RESURGE malware
- 2026-02-27 — CISA released updated analysis on RESURGE malware
CVEs
Related entities
- UNC5221 (APT Group)
- Malware (Attack Type)
- Ivanti (Company)
- China (Country)
- libdsupgrade.so (File)
- liblogblock.so (File)
- Resurge (Malware)
- SpawnSloth (Malware)
- T1055 - Process Injection (MITRE ATT&CK)
- T1505.003 - Web Shell (MITRE ATT&CK)
- T1547 - Boot or Logon Autostart Execution (MITRE ATT&CK)
- Ivanti Connect Secure (Platform)
- Linux (Platform)
- BusyBox (Tool)