CISA releases new technical details on Resurge implant targeting Ivanti devices

 


The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its security advisory on Resurge, a sophisticated malicious implant used in zero-day attacks exploiting the critical vulnerability (CVE-2025-0282) to compromise Ivanti Connect Secure devices.

The report provides deeper technical insight into the implant’s capabilities and highlights what the agency describes as “sophisticated network-level evasion and authentication techniques” that allow attackers to communicate covertly with compromised systems. CISA identified the implant as a 32-bit Linux Shared Object file named 'libdsupgrade.so' extracted from a compromised appliance. The implant functions as a passive command-and-control (C&C) backdoor with rootkit, bootkit, dropper, proxying, and tunneling capabilities.

CISA first documented Resurge on March 28 last year, warning that the malware could survive reboots, deploy webshells to steal credentials, create new accounts, reset passwords, and escalate privileges. Researchers at Mandiant later found that CVE-2025-0282 had been exploited as a zero-day since mid-December 2024 by a China-linked threat actor tracked internally as UNC5221.

Unlike typical malware that periodically “beacons” to a remote server, Resurge waits indefinitely for specially crafted inbound TLS connections. When loaded into the system’s ‘web’ process, the implant hooks the accept() function so that it can inspect incoming TLS traffic before it reaches the legitimate web server. It uses a CRC32 TLS fingerprint hashing scheme to identify connection attempts originating from the attacker.

If the TLS fingerprint does not match the expected value, traffic is forwarded to the legitimate Ivanti service. The attacker also presents a forged Ivanti certificate to confirm interaction with the implant rather than the genuine web server. According to CISA, the fake certificate is used solely for authentication and verification (not encryption) and is transmitted unencrypted. Once fingerprint validation and authentication are complete, the attacker establishes secure remote access via a Mutual TLS session encrypted using elliptic curve cryptography. Resurge requests the attacker’s elliptic curve key for encryption and verifies it against a hard-coded certificate authority key embedded in the implant.

CISA has also analyzed two additional components linked to the implant. One, a variant of the SpawnSloth malware named ‘liblogblock.so,’ is used for log tampering to conceal malicious activity. The other, ‘dsmain,’ is a kernel extraction script incorporating the open-source extract_vmlinux.sh script and the BusyBox utility suite. This component enables the malware to decrypt, modify, and re-encrypt coreboot firmware images, facilitating boot-level persistence and filesystem manipulation.
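Because Resurge is a shared object loaded into the appliance’s ‘web’ process rather than a separate process, one host-level check is to enumerate the executable, file-backed mappings of that process and flag anything unexpected. The following is an added example, not code from CISA or the article; the sample /proc/<pid>/maps text is constructed, the .so names come from the advisory, and the file paths and "scratch directory" list are assumptions.

```python
import os
import re
from typing import List, Tuple

# Constructed sample of /proc/<pid>/maps output for a hypothetical 32-bit 'web'
# process. The .so names come from the advisory; the paths are assumptions.
SAMPLE_MAPS = """\
08048000-08100000 r-xp 00000000 08:01 1234       /home/bin/web
b7e00000-b7f80000 r-xp 00000000 08:01 2222       /lib/libc.so.6
b7f80000-b7f90000 r-xp 00000000 08:01 3333       /lib/libssl.so.1.1
b7f90000-b7fa0000 rw-p 00010000 08:01 3333       /lib/libssl.so.1.1
b7fa0000-b7fb0000 r-xp 00000000 08:01 4444       /tmp/libdsupgrade.so
b7fb0000-b7fc0000 r-xp 00000000 08:01 5555       /home/lib/liblogblock.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

KNOWN_BAD = {"libdsupgrade.so", "liblogblock.so"}      # names reported in the advisory
UNEXPECTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumption: no code should load from here

# address-range perms offset dev inode [path]
MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def executable_objects(maps_text: str) -> List[str]:
    """Distinct file-backed mappings with execute permission, in order of appearance."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group(1), m.group(2).strip()
        if "x" in perms and path.startswith("/") and path not in seen:
            seen.append(path)
    return seen

def flag_suspicious(maps_text: str) -> List[Tuple[str, str]]:
    """Pair each suspicious executable mapping with the reason it was flagged."""
    findings: List[Tuple[str, str]] = []
    for path in executable_objects(maps_text):
        if os.path.basename(path) in KNOWN_BAD:
            findings.append((path, "name reported in CISA Resurge advisory"))
        elif path.startswith(UNEXPECTED_DIRS):
            findings.append((path, "code mapped from a writable scratch directory"))
    return findings

def scan_process(pid: int) -> List[Tuple[str, str]]:
    """Apply the same check to a live process (needs root and a Linux /proc)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return flag_suspicious(fh.read())

if __name__ == "__main__":
    for path, reason in flag_suspicious(SAMPLE_MAPS):
        print(f"{path}: {reason}")
```

On a real appliance the loaded-module list should be compared against a known-good baseline from a clean image, since an implant can use any filename.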

