
WASHINGTON – The Cybersecurity and Infrastructure Security Agency today released an updated Malware Analysis Report (MAR) revealing new findings on RESURGE, a highly sophisticated malware implant that exploits vulnerabilities to gain covert Secure Shell (SSH)–based command‑and‑control access. The updated analysis provides network defenders with deeper technical insights and improved detection resources, while issuing a clear warning: RESURGE is engineered to persist silently on compromised systems, remaining dormant until a remote actor connects. This stealth capability enables the malware to evade routine scans and monitoring—meaning RESURGE may still be present and undetected on Ivanti Connect Secure devices, posing an active and ongoing threat to affected networks.

“As America’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency remains fully committed to safeguarding the nation’s critical infrastructure, even during the ongoing multi‑week shutdown of the Department of Homeland Security,” said CISA Acting Director Dr. Madhu Gottumukkala. “The vulnerabilities detailed in this updated Malware Analysis Report pose real risks to people, property, and essential systems. Given the ease with which these vulnerabilities can be exploited through sophisticated network-level evasion, we determined it was imperative to provide network defenders with enhanced insights to respond faster to the RESURGE malware.”

The original MAR released on March 28, 2025, highlighted RESURGE’s ability to modify files, manipulate integrity checks and deploy a web shell to the Ivanti boot disk. CISA’s updated analysis shows that RESURGE has sophisticated network-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged Transport Layer Security (TLS) certificates to facilitate covert communications.

“By expanding on the technical details in the original Malware Analysis Report (MAR) on RESURGE, we are equipping network defenders with a deeper, more complete understanding of this malware—along with the tools they need to identify, mitigate, and respond effectively,” said Nick Andersen, CISA Executive Assistant Director for Cybersecurity. “Our updated analysis shows that RESURGE can remain dormant and undetected on Ivanti Connect Secure devices, meaning the threat is very much active.”

CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures to identify RESURGE and to implement the actions in CISA's Mitigation Instructions for CVE-2025-0282 in addition to the update released today.

###

About CISA

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.

Facts Only

Actor: Cybersecurity and Infrastructure Security Agency (CISA)
Event: Updated Malware Analysis Report on RESURGE malware
Target: Ivanti Connect Secure devices
Timeline: March 28, 2025 (original report), updated analysis
Location: Networks affected by RESURGE malware

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has released an updated Malware Analysis Report on the highly sophisticated RESURGE malware, which exploits vulnerabilities to gain covert Secure Shell (SSH)–based command-and-control access. The malware can remain dormant and undetected on Ivanti Connect Secure devices, posing an active threat to affected networks. CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures provided in the updated report to identify RESURGE and implement appropriate mitigation measures.

Full Take

In analyzing the updated Malware Analysis Report on RESURGE, it is crucial to consider the potential motivations and implications of this highly sophisticated malware. The report reveals that RESURGE employs advanced cryptographic methods and forged Transport Layer Security (TLS) certificates to facilitate covert communications, making it difficult for network defenders to detect and counteract. This stealth capability allows the malware to evade routine scans and monitoring, potentially remaining undetected on Ivanti Connect Secure devices and posing an ongoing threat to affected networks.

While CISA's report does not explicitly discuss the motivations behind the creation and spread of RESURGE, it is essential for network defenders to be aware of its potential use by malicious actors seeking covert access to secure systems. To resist manipulation, it is crucial to approach this information with a critical eye, considering multiple valid perspectives and asking generative questions about the motivations, implications, and second-order consequences of such sophisticated threats.

Questions for further inquiry:

What are the potential motivations behind the creation and spread of RESURGE?
Who might benefit from this malware's continued presence on Ivanti Connect Secure devices?
How can network defenders best prepare to counteract threats like RESURGE in the future?
