The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about RESURGE, a stealthy, persistent malware that is now actively targeting Ivanti Connect Secure VPN appliances.  

The threat poses an immediate critical danger by enabling unauthorized access to both operational technology (OT) and IT networks, placing US energy infrastructure and other essential sectors in grave jeopardy.  

Main Features of the RESURGE Malware 

  • Targeted vulnerabilities: the malware exploits weaknesses in Ivanti Connect Secure, in particular CVE-2025-0282. Researchers believe this flaw has been used as a zero-day since mid-December 2024.  
  • Stealth and persistence: RESURGE hides on infected devices. It does not regularly contact a command-and-control server. This approach makes it hard to detect.  

Advanced Features 

  • Web process hooking: when running in the web process, it hooks the accept function. This allows it to intercept incoming TLS connections and act as a proxy that filters traffic.  
  • Remote access: when running in the dsmdm process, it sets up a statically linked libssh server. This gives the operator remote command-line access.  
  • Covert channel: the malware components communicate through a socket file. This creates a hidden and lasting backdoor.  

Reports link the exploitation of Ivanti appliances to China-linked groups, including UNC5221.  

CISA Recommendations for Defense 

CISA strongly urges organizations, especially those in the energy sector, to act without delay:  

  • Apply patches immediately. Update Ivanti Connect Secure appliances to the latest versions now.  
  • Implement mitigations. Use the indicators of compromise (IOCs) and detection signatures from CISA's malware analysis to identify signs of infection.  
  • Isolate OT systems and industrial control systems (ICS) so that they are not reachable from the public internet.   
  • Deploy stronger security now. Set up phishing-resistant multi-factor authentication (MFA) for all OT network access.  

CISA urgently updated its RESURGE malware analysis on February 26, 2026, highlighting how this danger continues to evolve and escalate.  

The Cybersecurity and Infrastructure Security Agency has released an updated malware analysis report (MAR) with new findings on RESURGE, a sophisticated malware that exploits vulnerabilities to gain hidden SSH-based command-and-control access. The updated report provides network defenders with more technical details and better detection tools, and it includes a clear warning: RESURGE is designed to remain hidden on compromised systems and to become active only when a remote user connects. Because of this stealth, the malware can avoid routine scans and monitoring. RESURGE may still be present and undetected on Ivanti Connect Secure devices, making it a real and ongoing threat to affected networks.  

"As America's cyber defense agency, the Cybersecurity and Infrastructure Security Agency is fully committed to protecting the nation's critical infrastructure. This commitment remains even during the ongoing multi-week shutdown of the Department of Homeland Security," said CISA Acting Director Dr. Madhu Gottumukkala. "The vulnerabilities described in this updated malware analysis report are real risks to people, property, and essential systems. Vulnerabilities can be easily exploited through advanced network-level evasion. We felt it was necessary to give network defenders better information so they can respond more quickly to the RESURGE malware."  

The first MAR, released on March 28, 2025, showed that RESURGE could change files, bypass integrity checks, and install a web shell on the Ivanti boot disk. The updated analysis from CISA now shows that RESURGE uses advanced network evasion and authentication methods, including strong cryptography and fake Transport Layer Security (TLS) certificates, to hide its communications.  

"By expanding the technical details in the original malware analysis report (MAR) on RESURGE, we are equipping network defenders with a more profound, more complete understanding of this malware—along with the resources they require to identify, mitigate, and respond efficiently," said Nick Andersen, CISA Executive Assistant Director for Cybersecurity. "Our updated analysis shows that RESURGE can remain dormant and undetected on Ivanti Connect Secure devices, indicating the threat remains active."  

CISA urges organizations to take immediate action: use the indicators of compromise (IOCs) and detection signatures to identify RESURGE on their networks. Follow all steps outlined in the CISA mitigation instructions for CVE-2025-0282 and implement the updated recommendations in today's report to protect against undetected threats. 

Source: CISA Issues Updated RESURGE Malware Analysis Highlighting a Stealthy but Active Threat