The Cybersecurity and Infrastructure Security Agency warned that Ivanti Connect Secure instances still vulnerable to the already patched stack-based buffer overflow bug, tracked as CVE-2025-0282, have been subjected to attacks spreading the newly identified RESURGE malware, according to The Hacker News.
Based on the SPAWNCHIMERA payload, RESURGE has been enhanced with self-insertion, integrity check manipulation, and file modification features, as well as the capability to establish web shells facilitating account creation, credential theft, password resets, and privilege escalation, said CISA.
Further analysis of a compromised Ivanti Connect Secure (ICS) device belonging to a critical infrastructure organization revealed that RESURGE contains not only a variant of the SPAWNSLOTH malware, used to tamper with the Ivanti device's logs, but also a custom 64-bit Linux ELF binary bundling an open-source shell script that extracts an uncompressed kernel image from a compressed one.
These findings come after Microsoft reported that Chinese state-backed threat group Silk Typhoon leveraged CVE-2025-0282 in attacks earlier this month.