The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding RESURGE malware, a sophisticated threat targeting Windows systems through the recently disclosed Ivanti vulnerability (CVE-2025-0282). This malware represents a significant escalation in attacker capabilities, combining credential harvesting with lateral movement techniques.

Understanding the RESURGE Threat

RESURGE is a modular malware framework that exhibits characteristics of both ransomware and advanced persistent threats. Analysis reveals three primary components:

  • Credential Harvesting Module: Uses Windows API hooks to capture authentication data
  • Lateral Movement Toolkit: Leverages Windows Management Instrumentation (WMI) and PowerShell
  • Payload Delivery System: Deploys secondary payloads through encrypted channels

Exploitation of CVE-2025-0282

The malware primarily spreads through the Ivanti vulnerability (CVE-2025-0282), which allows unauthenticated remote code execution on affected systems. Key exploitation patterns include:

  1. Initial compromise through exposed Ivanti endpoints
  2. Privilege escalation using Windows token impersonation
  3. Establishment of persistent scheduled tasks

Detection Indicators

Windows administrators should monitor for these IoCs:

  • File System Artifacts:
      • %AppData%\Microsoft\Network\resurge.dll
      • %System32%\Tasks\Microsoft\Windows\Update\RESURGE
  • Network Indicators:
      • Beaconing to 185.143.223[.]117 on port 443
      • TLS fingerprint matching JA3 hash 7a3a5b8c9d2e1f0a
  • Behavioral Patterns:
      • Unusual WMI event subscriptions
      • PowerShell executing base64-encoded commands
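As an added illustration (not code from CISA or from the advisory), the following Python triage routine checks the indicators listed above against constructed sample log lines, decoding any PowerShell -EncodedCommand payload so the analyst sees what it runs. The event IDs, line format and sample values are assumptions made for the demo; the C2 address is the advisory's defanged value written in plain form.

```python
import base64
import re

# Indicators as listed in the advisory above (C2 address refanged for matching).
IOC_PATHS = (
    r"%AppData%\Microsoft\Network\resurge.dll",
    r"%System32%\Tasks\Microsoft\Windows\Update\RESURGE",
)
IOC_C2 = "185.143.223.117"

# -EncodedCommand carries base64 of UTF-16LE text; "whoami" stands in for a real payload.
ENC = base64.b64encode("whoami".encode("utf-16le")).decode("ascii")

# Constructed sample lines (assumed format, not real telemetry); the first two are benign.
SAMPLE_LOGS = [
    "4103 HostApplication=powershell.exe Get-Service -Name Spooler",
    "5156 Outbound 10.0.0.5:51122 -> 52.96.0.10:443",
    "4103 HostApplication=powershell.exe -NoP -W Hidden -EncodedCommand " + ENC,
    "5156 Outbound 10.0.0.5:51123 -> 185.143.223.117:443",
    r"4688 NewProcess=rundll32.exe CommandLine=rundll32 %AppData%\Microsoft\Network\resurge.dll,Start",
    "5861 WMI-Activity: new __EventFilter/__EventConsumer binding for consumer 'Updater'",
]

ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(line):
    """Return the decoded -EncodedCommand text, or None if the line carries none."""
    m = ENC_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(line):
    """Return the list of indicator names that one log line matches."""
    hits, lowered = [], line.lower()
    if any(p.lower() in lowered for p in IOC_PATHS):
        hits.append("ioc_path")
    if IOC_C2 in line:
        hits.append("c2_beacon")
    if decode_encoded_command(line) is not None:
        hits.append("encoded_powershell")
    if "__eventfilter" in lowered or "__eventconsumer" in lowered:
        hits.append("wmi_subscription")
    return hits


def triage(lines):
    """Map each suspicious line to its indicators; benign lines are dropped."""
    return {line: classify(line) for line in lines if classify(line)}
```

Feed real exported events into `triage()` in place of `SAMPLE_LOGS`; the decoded command is worth logging alongside the alert so the response team can judge intent before isolating the host.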

Mitigation Strategies

Immediate Actions

  1. Apply Ivanti's emergency patch for CVE-2025-0282
  2. Implement network segmentation for vulnerable systems
  3. Restrict PowerShell execution through Group Policy

Long-Term Protections

  • Enable Windows Defender Attack Surface Reduction rules
  • Deploy LSA Protection to prevent credential theft
  • Configure Windows Firewall to block unexpected outbound connections

Windows-Specific Hardening Recommendations

  1. User Account Control: Set to "Always notify" for administrative tasks
  2. Windows Event Logging: Enable PowerShell module logging (Event ID 4103)
  3. Credential Guard: Implement for domain-joined systems
  4. AppLocker: Configure to block unsigned DLLs in system directories

CISA's Recommended Response Framework

The agency suggests adopting these steps:

  1. Identification: Scan for IoCs using CISA's provided YARA rules
  2. Containment: Isolate affected systems immediately
  3. Eradication: Perform complete credential rotation
  4. Recovery: Restore from clean backups after verification

Future Outlook

Security researchers anticipate RESURGE operators will:

  • Expand targeting to cloud Windows instances
  • Incorporate new evasion techniques for EDR bypass
  • Potentially weaponize additional Ivanti vulnerabilities

Windows administrators should subscribe to CISA's automated vulnerability notifications and consider joining the agency's vulnerability disclosure program for early warnings about emerging threats.