
Updated RESURGE Malware Analysis Highlighting Stealthy Active Threat


Summary

CISA released an updated Malware Analysis Report (MAR) on RESURGE malware targeting Ivanti Connect Secure devices. The updated analysis reveals that RESURGE can remain dormant and undetected on compromised systems until a remote actor connects, using advanced network-level evasion techniques and forged TLS certificates for covert command-and-control. CISA urges network defenders to use the provided indicators of compromise and detection signatures to identify the malware and implement the referenced mitigation instructions.

“Our updated analysis shows that RESURGE can remain dormant and undetected on Ivanti Connect Secure devices, meaning the threat is very much active.”

CISA, verbatim from source
Published by CISA on cisa.gov. Detected, standardized, and enriched by GovPing.

What changed

CISA updated its Malware Analysis Report on RESURGE, a sophisticated malware implant targeting Ivanti Connect Secure devices. The update reveals new capabilities including network-level evasion, advanced authentication techniques, and forged TLS certificates for covert communications. The malware can remain dormant on compromised devices, evading routine scans and monitoring.

Organizations using Ivanti Connect Secure devices should review the indicators of compromise and detection signatures provided in the MAR. CISA recommends implementing the mitigation actions for CVE-2025-0282 to address the vulnerabilities exploited by RESURGE.

Archived snapshot

Apr 20, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Press Release

CISA Issues Updated RESURGE Malware Analysis Highlighting a Stealthy but Active Threat

New Findings Reveal Malware’s Ability to Remain Dormant and Undetected on Ivanti Connect Secure Devices

Released February 26, 2026

Related topics: Cyber Threats and Response

WASHINGTON – The Cybersecurity and Infrastructure Security Agency today released an updated Malware Analysis Report (MAR) revealing new findings on RESURGE, a highly sophisticated malware implant that exploits vulnerabilities to gain covert Secure Shell (SSH)–based command‑and‑control access. The updated analysis provides network defenders with deeper technical insights and improved detection resources, while issuing a clear warning: RESURGE is engineered to persist silently on compromised systems, remaining dormant until a remote actor connects. This stealth capability enables the malware to evade routine scans and monitoring—meaning RESURGE may still be present and undetected on Ivanti Connect Secure devices, posing an active and ongoing threat to affected networks.

“As America’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency remains fully committed to safeguarding the nation’s critical infrastructure, even during the ongoing multi‑week shutdown of the Department of Homeland Security,” said CISA Acting Director Dr. Madhu Gottumukkala. “The vulnerabilities detailed in this updated Malware Analysis Report pose real risks to people, property, and essential systems. Given the ease with which these vulnerabilities can be exploited through sophisticated network-level evasion, we determined it was imperative to provide network defenders with enhanced insights to respond faster to the RESURGE malware.”

The original MAR released on March 28, 2025, highlighted RESURGE’s ability to modify files, manipulate integrity checks and deploy a web shell to the Ivanti boot disk. CISA’s updated analysis shows that RESURGE has sophisticated network-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged Transport Layer Security (TLS) certificates to facilitate covert communications.

“By expanding on the technical details in the original Malware Analysis Report (MAR) on RESURGE, we are equipping network defenders with a deeper, more complete understanding of this malware—along with the tools they need to identify, mitigate, and respond effectively,” said Nick Andersen, CISA Executive Assistant Director for Cybersecurity. “Our updated analysis shows that RESURGE can remain dormant and undetected on Ivanti Connect Secure devices, meaning the threat is very much active.”

CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures to identify RESURGE and implement the actions in CISA Mitigation Instruction for CVE-2025-0282 in addition to the update released today.

About CISA

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.


About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CISA
Published: February 26th, 2026
Instrument: Notice
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Minor
Supersedes: Original RESURGE MAR (March 28, 2025)

Who this affects

Applies to: Government agencies, Technology companies
Industry sector: 5112 Software & Technology
Activity scope: Malware analysis, Threat intelligence, Vulnerability mitigation
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Critical Infrastructure Protection, Network Security
