{"id":218184,"date":"2026-02-27T10:57:00","date_gmt":"2026-02-27T15:57:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/27\/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices\/"},"modified":"2026-02-27T15:20:16","modified_gmt":"2026-02-27T20:20:16","slug":"cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/27\/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices\/","title":{"rendered":"CISA warns that RESURGE malware can be dormant on Ivanti devices"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices\/\">CISA warns that RESURGE malware can be dormant on Ivanti devices<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices\/<\/a><\/p>\n<p>Publish Date: 2026-02-27 10:57:00<\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.<\/p>\n<p>The update focuses on the implant&#8217;s undetected latency on the appliances and its &#8220;sophisticated network-level evasion and authentication techniques&#8221; that enable covert communication with the attacker.<\/p>\n<p>CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges.<\/p>\n<p>According to researchers at incident response company Mandiant, the critical CVE-2025-0282 vulnerability was exploited as a zero-day since mid-December 2024 by a threat actor linked to China, tracked internally as UNC5221.<\/p>\n<h3>Network-level evasion<\/h3>\n<p>CISA&#8217;s updated bulletin provides additional technical information on RESURGE, a malicious 32-bit Linux Shared Object file named libdsupgrade.so that was extracted from a compromised device.<\/p>\n<p>The implant is described as a passive command-and-control (C2) implant with rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities.<\/p>\n<p>Instead of beaconing to the C2, it waits indefinitely for a particular inbound TLS connection, evading network monitoring, CISA says in the updated document.<\/p>\n<p>When loaded under the \u2018web\u2019 process, it hooks the \u2018accept()\u2019 function to inspect incoming TLS packets before they reach the web server, looking for specific connection attempts from a remote attacker that are identified using the CRC32 TLS fingerprint hashing scheme.<\/p>\n<p>If the fingerprint does not match, traffic is directed to the legitimate Ivanti server. CISA further details RESURGE&#8217;s authentication mechanism, saying that the threat actor also uses a fake Ivanti certificate to ensure that they are interacting with the implant and not the Ivanti web server.<\/p>\n<p>The agency highlights that the&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA warns that RESURGE malware can be dormant on Ivanti devices https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices\/ Publish Date: 2026-02-27&#8230;<\/p>\n","protected":false},"author":1,"featured_media":218185,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2024\/09\/13\/Ivanti.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,32,34,27],"class_list":["post-218184","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/218184"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=218184"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/218184\/revisions"}],"predecessor-version":[{"id":218186,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/218184\/revisions\/218186"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/218185"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=218184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=218184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=218184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}