Ivanti Connect Secure instances still unpatched against the stack-based buffer overflow vulnerability tracked as CVE-2025-0282 have been targeted in attacks distributing the new RESURGE malware, the Cybersecurity and Infrastructure Security Agency (CISA) has reported, according to The Hacker News.
RESURGE builds on the SPAWNCHIMERA payload and adds self-insertion, integrity check manipulation and file modification capabilities, as well as the ability to deploy web shells used for account creation, credential theft, password resets and privilege escalation, CISA said. Analysis of a compromised ICS device belonging to a critical infrastructure organization also found that RESURGE carries a SPAWNSLOTH malware variant used to tamper with Ivanti device logs, along with a custom 64-bit Linux ELF binary bundling an open-source shell script that extracts an uncompressed kernel image from a compressed one. The findings follow Microsoft's report earlier this month that the Chinese state-backed threat group Silk Typhoon exploited CVE-2025-0282 in attacks.
