CISA Issues Updated RESURGE Malware Analysis Highlighting a Stealthy but Active Threat

WASHINGTON – The Cybersecurity and Infrastructure Security Agency today released an updated Malware Analysis Report (MAR) revealing new findings on RESURGE, a highly sophisticated malware implant that exploits vulnerabilities to gain covert Secure Shell (SSH)–based command‑and‑control access. The updated analysis provides network defenders with deeper technical insights and improved detection resources, while issuing a clear warning: RESURGE is engineered to persist silently on compromised systems, remaining dormant until a remote actor connects. This stealth capability enables the malware to evade routine scans and monitoring—meaning RESURGE may still be present and undetected on Ivanti Connect Secure devices, posing an active and ongoing threat to affected networks. 

“As America’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency remains fully committed to safeguarding the nation’s critical infrastructure, even during the ongoing multi‑week shutdown of the Department of Homeland Security,” said CISA Acting Director Dr. Madhu Gottumukkala. “The vulnerabilities detailed in this updated Malware Analysis Report pose real risks to people, property, and essential systems. Given the ease with which these vulnerabilities can be exploited through sophisticated network-level evasion, we determined it was imperative to provide network defenders with enhanced insights to respond faster to the RESURGE malware.” 

The original MAR released on March 28, 2025, highlighted RESURGE’s ability to modify files, manipulate integrity checks and deploy a web shell to the Ivanti boot disk. CISA’s updated analysis shows that RESURGE has sophisticated network-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged Transport Layer Security (TLS) certificates to facilitate covert communications. 

“By expanding on the technical details in the original Malware Analysis Report (MAR) on RESURGE, we are equipping network defenders with a deeper, more complete understanding of this malware—along with the tools they need to identify, mitigate, and respond effectively,” said Nick Andersen, CISA Executive Assistant Director for Cybersecurity. “Our updated analysis shows that RESURGE can remain dormant and undetected on Ivanti Connect Secure devices, meaning the threat is very much active.” 

CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures to identify RESURGE and implement the actions in CISA Mitigation Instruction for CVE-2025-0282 in addition to the update released today. 

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, and Instagram.
