RESURGE Malware: How Dormancy, Stealth, and Persistence Threaten Ivanti Connect Secure Devices
A single, silent implant can turn a trusted network device into a ticking time bomb. The RESURGE malware, recently spotlighted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), exemplifies this threat with its ability to lurk undetected on Ivanti Connect Secure devices. Unlike typical malware that pings its operators or leaves digital breadcrumbs, RESURGE is engineered for invisibility—lying dormant until it receives a precisely crafted inbound connection. This approach allows it to sidestep traditional detection methods, making it a nightmare for defenders and a dream for attackers.
What sets RESURGE apart isn't just its patience. It layers stealth on top of dormancy: its traffic is made to look like legitimate TLS and SSH sessions, and it uses cryptographic authentication so that only its operators can wake it. More alarming still, it can survive reboots and operating system reinstalls because it tampers with the device's coreboot firmware image. For organizations relying on Ivanti devices, this means a compromise can persist for months, if not longer, while leaving very little evidence on the device itself. The recent CISA warning underscores the urgency for administrators to understand and counteract these techniques.
How RESURGE Malware Stays Hidden: Dormancy, Stealth, and Boot-Level Persistence Explained
Dormancy and Latency: The Passive Threat
The RESURGE malware distinguishes itself from typical active implants by employing a passive command-and-control (C2) approach. Unlike conventional malware that regularly beacons out to its operators, RESURGE remains entirely dormant until it receives a very specific inbound connection. This design allows it to evade detection by traditional network monitoring tools that look for anomalous outbound traffic or regular C2 communications. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), RESURGE can remain latent on Ivanti Connect Secure devices for extended periods, only activating when a remote actor initiates a connection that matches a unique fingerprint.
This latency is achieved by hooking the accept() function inside the device's web process. Every new connection the web server accepts first passes through the implant, which can read the client's opening bytes (the TLS ClientHello) before the legitimate server sees them. The implant computes a CRC32 over the connection's TLS fingerprint and compares it with a value that the operator's tooling is built to produce. A CRC32 is a checksum, not a secret: it lets the implant pick its operator's connections out of ordinary traffic without disturbing anything else, while the check that actually authenticates the operator is the EC key verification described below. If the fingerprint matches, RESURGE decrypts and processes the payload; otherwise the connection is handed to the web server untouched and the implant stays invisible to administrators and security tools.
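To make the gate concrete, here is an added example written for this article; it is not code from the RESURGE sample or from CISA's report. It parses a raw TLS ClientHello the way an accept() hook would see it on a freshly accepted socket, computes a CRC32 over a JA3-style selection of its cleartext fields (protocol version, cipher suites, extension types), and compares the result with an operator constant. Which fields RESURGE actually feeds its CRC32 has not been published, so that selection, the constructed sample hellos and the comparison logic are assumptions. What the code demonstrates is that the gate keys on handshake parameters rather than on any secret, so a second client that replays the same parameters passes it too.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// parseFingerprint extracts the cleartext fields this demo fingerprints from a raw TLS record,
// exactly as an accept() hook sees it: version, cipher suites and extension types (a JA3-style
// choice; CISA has not published which fields RESURGE hashes, so this selection is an assumption).
// Client random and session ID are skipped because they change on every connection.
func parseFingerprint(rec []byte) ([]byte, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { // handshake record carrying a ClientHello
		return nil, errors.New("not a TLS ClientHello record")
	}
	b, ok := rec[9:], true
	take := func(n int) []byte { // bounds-checked read; a short read sets ok=false and returns nil
		if ok = ok && n >= 0 && n <= len(b); !ok {
			return nil
		}
		out := b[:n]
		b = b[n:]
		return out
	}
	num := func(x []byte) int { // value of a 1- or 2-byte length field, -1 if its read failed
		if len(x) == 1 {
			return int(x[0])
		} else if len(x) == 2 {
			return int(binary.BigEndian.Uint16(x))
		}
		return -1
	}
	out := append([]byte(nil), take(2)...) // client_version
	take(32)                               // random
	take(num(take(1)))                     // session ID
	suites := take(num(take(2)))
	out = append(append(out, byte(len(suites)/2)), suites...) // suite count keeps the two lists apart
	take(num(take(1)))                                        // compression methods
	if ok && len(b) > 0 { // extensions block (absent in old hellos): type(2) length(2) body
		for e := take(num(take(2))); ok && len(e) > 0; {
			if len(e) < 4 || 4+int(binary.BigEndian.Uint16(e[2:])) > len(e) {
				ok = false // truncated extension
				break
			}
			out = append(out, e[0], e[1])
			e = e[4+int(binary.BigEndian.Uint16(e[2:])):]
		}
	}
	if !ok {
		return nil, errors.New("malformed ClientHello")
	}
	return out, nil
}

// fingerprintCRC is the value the hooked accept() path would compare with the operator's constant.
func fingerprintCRC(rec []byte) (uint32, error) {
	fp, err := parseFingerprint(rec)
	if err != nil {
		return 0, err
	}
	return crc32.ChecksumIEEE(fp), nil
}

// shouldWake models the gate: non-TLS or mismatching connections are handed on untouched.
func shouldWake(rec []byte, operatorCRC uint32) bool {
	crc, err := fingerprintCRC(rec)
	return err == nil && crc == operatorCRC
}

// buildClientHello constructs a minimal TLS-framed ClientHello for the demo (not captured traffic).
func buildClientHello(version uint16, suites, exts []uint16, random byte) []byte {
	be := func(b []byte, v ...uint16) []byte { // append big-endian uint16s
		for _, x := range v {
			b = append(b, byte(x>>8), byte(x))
		}
		return b
	}
	body := append(be(nil, version), bytes.Repeat([]byte{random}, 32)...)
	body = be(append(body, 0), uint16(2*len(suites))) // empty session ID, then suite list length
	body = append(be(body, suites...), 1, 0)          // the suites, then the null compression method
	var ext []byte
	for _, e := range exts {
		ext = be(ext, e, 0) // extension type with a zero-length body
	}
	body = append(be(body, uint16(len(ext))), ext...)
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(be([]byte{0x16, 3, 1}, uint16(len(hs))), hs...)
}

func main() {
	suites, profile := []uint16{0x1301, 0x1302, 0xC02B}, []uint16{0, 10, 11, 13, 43}
	operator := buildClientHello(0x0303, suites, profile, 0xAA)
	replay := buildClientHello(0x0303, suites, profile, 0xBB)                         // same profile, new random
	browser := buildClientHello(0x0303, suites, []uint16{0, 10, 11, 13, 16, 43}, 0xCC) // adds ALPN (type 16)
	operatorCRC, _ := fingerprintCRC(operator)
	fmt.Printf("gate CRC32 %08x: operator=%v replay=%v browser=%v plain-http=%v\n", operatorCRC,
		shouldWake(operator, operatorCRC), shouldWake(replay, operatorCRC),
		shouldWake(browser, operatorCRC), shouldWake([]byte("GET / HTTP/1.1\r\n"), operatorCRC))
}
```

Running it prints true for both the operator's hello and the replay with a different random, and false for the browser-like hello and for plain HTTP. For a defender the lesson is the converse: the knock is observable on the wire, so inbound ClientHello fingerprints that never appear in legitimate client populations are worth hunting for, even though the fingerprint alone would not let an analyst trigger the implant.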
Table 1: Comparison of Dormancy Techniques
| Malware Name | Dormancy Mechanism | Activation Trigger | Detection Challenge |
|---|---|---|---|
| RESURGE | Passive C2, hooks accept() | Specific inbound TLS fingerprint | No regular beaconing, stealthy |
| Typical RATs | Periodic C2 beaconing | Operator command or schedule | Outbound traffic can be flagged |
| Webshells | Waits for HTTP requests | Specific URL or parameter | Can be detected via web logs |
This passive approach means that even if the device is monitored, unless the attacker attempts to connect, the malware may never reveal itself, making incident response and forensics significantly more difficult.
Advanced Stealth: Network and Authentication Evasion
RESURGE’s stealth is further enhanced by its ability to mimic legitimate network traffic and by the authentication it demands before it will act. Static analysis by CISA revealed that the implant requests the attacker’s Elliptic Curve (EC) key for encryption and verifies it against a hard-coded EC Certificate Authority (CA) key. Only a party holding a key that the operators’ CA has signed can therefore activate the implant; someone who merely learns or replays the TLS fingerprint cannot.
Moreover, RESURGE camouflages its malicious communications by emulating legitimate TLS and SSH traffic, which makes it extremely difficult for intrusion detection systems (IDS) and security analysts to distinguish benign sessions from malicious ones. The implant does not initiate any outbound connections, further reducing its network footprint and making it unlikely to be flagged by anomaly-based detection that hunts for beacons. Because the implant never calls out, detection has to come from the inbound side (unusual clients reaching the appliance) or from the host itself (file and firmware integrity checks), rather than from outbound traffic analysis.
Table 2: Stealth Features of RESURGE
| Feature | Description | Security Impact |
|---|---|---|
| TLS/SSH Traffic Mimicry | Malicious traffic indistinguishable from legitimate encrypted sessions | Evades network-based detection |
| EC Key Authentication | Only a key verified against the hard-coded CA key can activate the implant | Anyone without a CA-signed key, including a researcher who learns the fingerprint, cannot trigger it |
| No Outbound Connections | No regular C2 beaconing or callbacks | Reduces risk of detection |
Boot-Level Persistence: Manipulating Firmware and Filesystems
One of the most concerning aspects of RESURGE is its ability to achieve boot-level persistence. According to CISA’s analysis, the malware can decrypt, modify, and re-encrypt coreboot firmware images, as well as manipulate filesystem contents. This means that even if an administrator attempts to clean the system by rebooting or reinstalling the operating system, the malicious implant can survive and re-infect the device upon startup.
Among the components CISA describes is dsmain, a 64-bit Linux ELF binary that bundles the open-source extract_vmlinux.sh script, used to recover an uncompressed Linux kernel image from a compressed one, together with a subset of BusyBox applets that give the operators basic shell utilities on the appliance. With these tools RESURGE can unpack and repack low-level components, manipulate the coreboot image and the contents of the boot disk, and ensure that its payload is present from the earliest stages of boot. Persistence of this kind is typically associated with advanced persistent threats (APTs) and is rarely seen in commodity malware.
Table 3: Boot-Level Persistence Techniques
| Technique | Implementation in RESURGE | Effect on System |
|---|---|---|
| Firmware Modification | Decrypts, alters, and re-encrypts coreboot | Malware survives OS reinstallation |
| Filesystem Manipulation | Alters boot disk and filesystem contents | Ensures early execution |
| Kernel Extraction Tooling | dsmain bundles extract_vmlinux.sh and BusyBox applets | Enables low-level access to kernel and filesystem images |
Log and Evidence Tampering: Concealing Malicious Activity
RESURGE incorporates a variant of the SpawnSloth malware, named liblogblock.so, whose primary function is log tampering. By intercepting and modifying system logs, this component ensures that traces of the malware’s activity are erased or obfuscated. This not only hinders incident response efforts but also makes it challenging for forensic analysts to reconstruct the timeline of compromise.
The tampering happens in real time: the component sits in the logging path and alters or suppresses entries as they are written, so records that would betray the implant’s connections, account and privilege changes, or file modifications never reach the on-device log in their original form. As a result, even administrators who suspect a compromise may find no corroborating evidence on the device, which delays or prevents effective remediation. Entries that were already forwarded to an external collector at the moment they were generated are outside the component’s reach, which is why off-device log shipping is one of the few reliable sources of evidence against this technique.
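The following added example, constructed for this article rather than taken from the sample or from CISA's analysis, shows why the forwarding point matters. liblogblock.so's real selection logic has not been published, so the write-path filter below (drop any entry containing an operator-chosen substring) is a modelling assumption, and the log lines, account name and addresses are invented. A collector that received each line as it was emitted can be reconciled against the device's copy to recover exactly what was removed or fabricated; a collector that tails the already-tampered file agrees with the device and sees nothing.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of what the appliance emitted before any tampering. The lines, names and
// addresses are invented for this demo; they are not taken from an Ivanti device or CISA's report.
var emitted = []string{
	"2026-02-10T08:00:01Z web[1201] accepted connection from 203.0.113.7:51544",
	"2026-02-10T08:00:01Z web[1201] loaded shared object libdsupgrade.so",
	"2026-02-10T08:00:02Z auth[880] account 'svc_backup' created by 'admin'",
	"2026-02-10T08:00:02Z web[1201] served /login to 198.51.100.20:44010",
	"2026-02-10T08:00:03Z auth[880] password reset for 'admin'",
	"2026-02-10T08:00:04Z web[1201] accepted connection from 198.51.100.20:44012",
}

// operatorPatterns stands in for whatever the log-tampering component is configured to hide.
// The real selection logic has not been published; substring matching is a modelling assumption.
var operatorPatterns = []string{"libdsupgrade", "svc_backup", "password reset"}

// tamperFilter models a liblogblock.so-style hook on the write path: entries matching the
// operator's patterns are dropped before they reach the on-device log file.
func tamperFilter(lines, patterns []string) []string {
	kept := []string{}
	for _, l := range lines {
		hidden := false
		for _, p := range patterns {
			hidden = hidden || strings.Contains(l, p)
		}
		if !hidden {
			kept = append(kept, l)
		}
	}
	return kept
}

// reconcile compares the copy an external collector holds with what is now on the device, as
// multisets so repeated identical lines are handled. Lines the collector has but the device lacks
// were removed after the fact; lines only the device has were fabricated or altered in place.
func reconcile(collector, device []string) (removed, fabricated []string) {
	count := func(ls []string) map[string]int {
		m := map[string]int{}
		for _, l := range ls {
			m[l]++
		}
		return m
	}
	inDevice, inCollector := count(device), count(collector)
	for _, l := range collector {
		if inDevice[l] > 0 {
			inDevice[l]--
		} else {
			removed = append(removed, l)
		}
	}
	for _, l := range device {
		if inCollector[l] > 0 {
			inCollector[l]--
		} else {
			fabricated = append(fabricated, l)
		}
	}
	return removed, fabricated
}

func main() {
	onDevice := tamperFilter(emitted, operatorPatterns)
	// Case 1: the collector received each line as it was emitted, ahead of the hook point.
	removed, _ := reconcile(emitted, onDevice)
	fmt.Printf("forwarded at emission: %d entries missing on device\n", len(removed))
	for _, l := range removed {
		fmt.Println("  -", l)
	}
	// Case 2: the collector tails the already-tampered file, so both copies agree and nothing shows.
	removed, _ = reconcile(tamperFilter(emitted, operatorPatterns), onDevice)
	fmt.Printf("forwarded from tampered file: %d entries missing on device\n", len(removed))
}
```

In practice the reconciliation key should be something the tamperer cannot trivially rewrite on both sides, such as the collector's own receive timestamp combined with the line content, and the comparison should run on the collector, never on the suspect device.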
Table 4: Log Tampering Capabilities
| Component | Functionality | Impact on Detection |
|---|---|---|
| liblogblock.so | Real-time log modification | Obscures evidence of compromise |
| SpawnSloth lineage | liblogblock.so is a variant of the SpawnSloth log tamperer and acts only on logs held on the device | Frustrates forensic investigations; copies already forwarded off-device remain trustworthy |
Rootkit and Backdoor Functionality: Deep System Integration
Beyond its stealth and persistence mechanisms, RESURGE also operates as a rootkit and backdoor, giving attackers deep access to the appliance. The implant is a 32-bit Linux Shared Object file (libdsupgrade.so); once loaded into a process, it hooks functions that process relies on, such as the accept() call in the web process described earlier, rather than patching the kernel. That position lets it intercept and alter the behaviour of the processes that host it, conceal its own files and activity from them, and manipulate system behaviour without the appliance’s own tooling noticing.
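A shared object loaded into a long-running process leaves one trace it cannot hide from outside that process: its mapping in /proc/<pid>/maps. The added example below is not CISA or Ivanti tooling; the maps excerpt is constructed, and the directories in which libdsupgrade.so and liblogblock.so appear are invented for the demo (only the file names come from the report). It audits a maps listing against a known-good manifest of the files expected to back executable mappings in the web process, and also flags two classic injection signs, an unlinked backing file ("(deleted)") and anonymous executable memory.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed excerpt in /proc/<pid>/maps format (address perms offset dev inode pathname) for a
// hypothetical web-server process. Paths are illustrative; only the two implant file names come
// from CISA's report, their locations here are invented.
const sampleMaps = `08048000-080c4000 r-xp 00000000 08:01 131073 /home/bin/web
080c4000-080c6000 rw-p 0007b000 08:01 131073 /home/bin/web
b7400000-b7520000 r-xp 00000000 08:01 262145 /lib/libc.so.6
b7520000-b7530000 r-xp 00000000 08:01 262150 /lib/libpthread.so.0
b7530000-b7560000 r-xp 00000000 08:01 393217 /home/lib/libdsupgrade.so
b7560000-b7570000 r-xp 00000000 08:01 393220 /tmp/.x/liblogblock.so (deleted)
b7570000-b7580000 rwxp 00000000 00:00 0
bfd00000-bfd21000 rw-p 00000000 00:00 0 [stack]`

// knownGood stands in for the vendor's manifest of files that are expected to back executable
// mappings in this process; in practice it comes from a clean image of the same software version.
var knownGood = map[string]bool{"/home/bin/web": true, "/lib/libc.so.6": true, "/lib/libpthread.so.0": true}

type finding struct{ Path, Reason string }

// auditMaps inspects every executable mapping: anonymous executable memory, a backing file that
// has been unlinked ("(deleted)") and code outside the known-good manifest are each reported once.
// A shared object injected into a running process shows up here even if it hides itself from ls.
func auditMaps(maps string, known map[string]bool) []finding {
	var out []finding
	seen := map[string]bool{}
	for _, line := range strings.Split(maps, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || !strings.Contains(f[1], "x") {
			continue // not an executable mapping
		}
		path := strings.Join(f[5:], " ") // pathname may contain spaces, e.g. the "(deleted)" marker
		reason := ""
		switch {
		case path == "":
			path, reason = f[0], "anonymous executable memory"
		case strings.HasPrefix(path, "["):
			continue // [vdso], [stack] and similar kernel-provided mappings
		case strings.HasSuffix(path, " (deleted)"):
			path, reason = strings.TrimSuffix(path, " (deleted)"), "executable mapping of an unlinked file"
		case !known[path]:
			reason = "executable code outside the known-good manifest"
		default:
			continue
		}
		if !seen[path] {
			seen[path] = true
			out = append(out, finding{path, reason})
		}
	}
	return out
}

func main() {
	for _, f := range auditMaps(sampleMaps, knownGood) {
		fmt.Printf("%-45s %s\n", f.Path, f.Reason)
	}
}
```

Such a check is only as good as the vantage point it runs from: an implant that hooks the functions used to read /proc inside the audited process can lie to a scanner running in that same process, so run it from a separate process, or better, from outside the appliance against a dump or a clean-booted image.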
The backdoor functionality includes the ability to create webshells for credential theft, establish new user accounts, reset passwords, and escalate privileges. These capabilities let attackers keep control of compromised devices even if some components of the malware are discovered and removed. The combination of rootkit techniques, backdoor access and firmware-level persistence makes RESURGE a formidable threat that is difficult to eradicate without rebuilding the device from a known-clean image, rather than rebooting or reinstalling on top of the existing firmware, followed by a thorough forensic review.
Table 5: Rootkit and Backdoor Features
| Feature | Description | Security Implication |
|---|---|---|
| Function Hooking | Intercepts library calls (such as accept()) inside the processes that load libdsupgrade.so | Hides the implant’s presence and diverts its operator’s traffic to it |
| Webshell Creation | Deploys webshells for remote access | Enables credential theft |
| Privilege Escalation | Gains root/admin access | Allows full device control |
| Account Manipulation | Creates/resets user accounts | Maintains persistence post-cleanup |
In summary, RESURGE’s ability to remain dormant, evade detection through its network and authentication techniques, persist at the firmware level, tamper with logs, and provide rootkit and backdoor access makes it one of the most sophisticated threats targeting Ivanti Connect Secure devices to date. System administrators are urged to use the latest indicators of compromise (IoCs) and follow CISA’s guidance to detect and remediate infections.
Final Thoughts
RESURGE is a masterclass in modern malware engineering, combining dormancy, stealth, and persistence to evade even the most vigilant defenders. Its ability to blend in with normal network traffic, survive system resets, and erase its own tracks makes it a formidable adversary for any organization. The CISA alert is a stark reminder that attackers are constantly innovating, and defenders must do the same—leveraging up-to-date indicators of compromise, firmware integrity checks, and layered security strategies to stay ahead.
As the cybersecurity landscape evolves, threats like RESURGE highlight the importance of proactive monitoring and rapid response. Whether you’re a seasoned security professional or a business leader, understanding these risks is crucial to protecting your organization from the next silent breach.
References
- BleepingComputer. (2026). CISA warns that RESURGE malware can be dormant on Ivanti devices. https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/