The Cybersecurity and Infrastructure Security Agency warned that Ivanti Connect Secure instances that remain vulnerable to the patched stack-based buffer overflow bug, tracked as CVE-2025-0282, were subjected to attacks spreading the nascent RESURGE malware, according to The Hacker News.

Based on the SPAWNCHIMERA payload, RESURGE has been enhanced with self-insertion, integrity check manipulation, and file modification features, as well as the capability to establish web shells facilitating account creation, credential theft, password resets, and privilege escalation, said CISA.

Further analysis of a compromised ICS device belonging to a critical infrastructure organization revealed that RESURGE contains not only a SPAWNSLOTH malware variant that enabled Ivanti device log tampering but also a custom 64-bit Linux ELF binary with an open-source shell script allowing uncompressed kernel image extraction from a compressed image.

These findings come after Microsoft reported that Chinese state-backed threat group Silk Typhoon leveraged CVE-2025-0282 in attacks earlier this month.