PROBABLYPWNED
Malware | March 1, 2026 | 4 min read

CISA: RESURGE Malware Can Remain Dormant on Ivanti Devices

Updated CISA analysis reveals RESURGE implant uses advanced evasion techniques and can persist undetected on Ivanti Connect Secure devices until remote activation.

James Rivera

CISA released an updated malware analysis report revealing that RESURGE, the implant deployed through Ivanti Connect Secure zero-day exploitation, can remain latent on compromised devices until attackers choose to reconnect. The February 26 update to the original March 2025 report adds technical depth on the malware's evasion capabilities and persistence mechanisms.

The finding has troubling implications. Organizations that patched CVE-2025-0282 without thorough forensic investigation may still harbor dormant RESURGE infections waiting for remote activation. The malware's design prioritizes stealth over immediate command execution, making detection exceptionally difficult.

What CISA's Update Reveals

The updated analysis builds on CISA's original RESURGE report from March 2025. Key additions include:

Dormancy Capability: RESURGE can sit inactive on devices until a remote operator attempts connection. This differs from typical implants that beacon regularly to C2 infrastructure. The dormant state generates no network traffic, evading monitoring tools that rely on connection anomalies.

Advanced TLS Forgery: The malware leverages cryptographic methods to forge Transport Layer Security certificates, enabling covert communications that appear legitimate. Network-level detection becomes significantly harder when traffic uses properly formed certificates.

Network-Level Evasion: Beyond certificate forgery, RESURGE implements sophisticated techniques to blend malicious traffic with normal device operations. The implant manipulates Ivanti's boot disk to ensure persistence survives reboots and standard remediation steps.

Technical Architecture

RESURGE, identified on disk as libdsupgrade.so, functions as multiple threat categories simultaneously:

  • Rootkit: Hides its presence from system tools
  • Dropper: Deploys additional payloads on command
  • Backdoor: Provides persistent remote access
  • Bootkit: Survives reboots through boot disk modification
  • Proxy/Tunneler: Routes attacker traffic through compromised devices

This multi-function design means RESURGE serves as a platform for long-term operations rather than a single-purpose tool. Attackers can introduce new capabilities without re-compromising devices.

Exploitation Context

RESURGE was deployed through CVE-2025-0282, a critical Ivanti Connect Secure vulnerability that saw widespread exploitation in early 2025. The initial wave targeted VPN appliances across government, healthcare, and critical infrastructure sectors.

Ivanti edge devices have faced sustained attacker attention over the past year. The Ivanti EPMM exploitation campaign we covered in February showed similar persistence-focused implants deployed through mobile device management vulnerabilities. Attackers frequently leverage bulletproof hosting infrastructure to maintain command-and-control connectivity for implants like RESURGE. Edge appliances remain attractive targets because they sit at network boundaries with access to internal resources.

Detection Challenges

Standard integrity checks may miss RESURGE infections. The malware manipulates Ivanti's internal integrity verification systems, meaning built-in tools report clean status on compromised devices. CISA recommends:

  1. Full forensic analysis of devices that may have been exposed during the CVE-2025-0282 exploitation window
  2. Network traffic analysis looking for certificate anomalies or unexpected external connections
  3. Memory forensics to detect runtime presence that evades disk-based scanning
  4. Comparison against known-good baselines for boot disk contents
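Step 4 above is the one check a defender can script directly. The following Python is an added example and is not code from CISA's report or from Ivanti: it hashes a directory tree, compares it against a sha256sum-style manifest taken from a known-good image, and reports files that were modified, added, or went missing. The manifest format, the directory layout and every file in it are constructed for the demo (the only name borrowed from the article is libdsupgrade.so, used here as the "unexpected file" case); it assumes only the Python standard library.

```python
"""Compare a directory tree against a known-good hash manifest.

Added example (not from the CISA report or the article): a minimal
baseline-comparison routine of the kind step 4 above calls for. The
manifest format (one "sha256  relative/path" line per file) and the
sample files are constructed here; they are not real Ivanti artifacts.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def parse_manifest(text: str) -> dict:
    """Parse 'sha256  path' lines (sha256sum style) into {path: digest}."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        baseline[rel.strip()] = digest.lower()
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the known-good manifest and the live tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "bin").mkdir()
        (root / "lib" / "libcore.so").write_bytes(b"original core library\n")
        (root / "bin" / "dsserver").write_bytes(b"original server binary\n")
        # Baseline taken from the pristine files (constructed, not a vendor manifest).
        manifest = "\n".join(
            f"{sha256_file(root / rel)}  {rel}"
            for rel in ("lib/libcore.so", "bin/dsserver")
        )
        # Simulated tampering: one binary replaced, one unexpected shared object added.
        (root / "bin" / "dsserver").write_bytes(b"patched server binary\n")
        (root / "lib" / "libdsupgrade.so").write_bytes(b"unexpected shared object\n")
        return compare(parse_manifest(manifest), hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Because the article notes that the implant manipulates the appliance's own integrity checks, run a comparison like this from a trusted host against a mounted disk image or an exported copy of the boot disk, never through tools executing on the suspect device, and source the manifest from a clean vendor image rather than from the device under investigation.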

Organizations that relied solely on patching without investigation should reassess their exposure. The dormancy feature means infections could persist for months without generating detectable activity.

Why This Matters

RESURGE represents the evolution of implant design toward detection evasion over raw capability. Traditional malware analysis focuses on active behaviors—network beacons, file modifications, process injection. Dormant implants challenge these assumptions.

The campaign aligns with broader trends in state-sponsored operations. Attackers increasingly value persistence and patience over rapid exploitation. A dormant implant in a VPN appliance provides options—data exfiltration, lateral movement, or simply maintaining access for future operations—without the detection risk of continuous activity.

For organizations running Ivanti Connect Secure appliances that were potentially exposed during the 2025 exploitation wave, CISA's update serves as a reminder that patching alone doesn't guarantee remediation. The recommendation to review guidance on Ivanti vulnerabilities and conduct thorough forensic investigation remains critical, even months after the initial patches were deployed.

Ivanti users should also review CISA's full malware analysis report for indicators of compromise and detection signatures that may identify dormant RESURGE infections.
