Image: Arthur Mazi via Unsplash

Latest Ivanti bug, paired with malware, earns an alert from CISA

Federal cybersecurity officials are warning about powerful malware used alongside the exploitation of a vulnerability in popular security tools earlier this year. 

The alleged Chinese hackers behind the December and January attacks on tools from tech company Ivanti deployed malware called Resurge, according to experts from the Cybersecurity and Infrastructure Security Agency (CISA).

In a recent malware analysis report, CISA said Resurge resembles several other strains previously identified by Google and government officials in Japan.

But Resurge, CISA said, contains distinctive commands that can manipulate system integrity checks, modify files, harvest credentials, create accounts, reset passwords, escalate permissions and more. 

CISA said it analyzed three files “obtained from a critical infrastructure’s Ivanti Connect Secure device” after threat actors exploited a bug tracked as CVE-2025-0282. In addition to Resurge, the incident responders found a second variant that tampered with Ivanti device logs and a third that allows the hackers to perform other functions on the compromised devices.

CVE-2025-0282 affects Connect Secure as well as Ivanti’s Policy Secure and ZTA Gateway products. CISA confirmed the bug was being exploited on January 8 after Ivanti published an advisory about it.

The cybersecurity agency urged administrators last week to conduct factory resets of their Ivanti devices, reset credentials as well as passwords for all accounts and more. CISA added that any potential victims should reach out for assistance.

Mandiant’s view 

Google-owned cybersecurity firm Mandiant said China-based espionage threat actors were behind the exploitation of the bug. Mandiant and Japanese officials call the malware family Spawn.

Mandiant Consulting’s Matt Lin told Recorded Future News that CISA’s research expanded on the company’s own work examining malware samples obtained since December 2024 through consultations with Ivanti and “affected customers, government partners, and security vendors.” 

“The malware sample that CISA describes in the blog has parallels to previous Mandiant reporting of the SPAWN malware family,” Lin said.

“In short, the malware described in CISA’s report has nearly the same capabilities and features as the Spawn family described in Mandiant’s February 2024 reporting, just packaged and delivered differently.”

Lin noted that the suspected Chinese espionage group exploiting the bug was also seen previously using two other vulnerabilities in Ivanti Connect Secure VPN appliances as early as December 2023.

He added that the malware family allows the hackers to maintain their persistent access to an impacted system and provides a backdoor to an infected device. 

The Spawn malware family is also capable of persisting across system upgrades and patches on an infected appliance. It monitors for system upgrade events and inserts an additional backdoor.

Checker trouble 

One of the key concerns in January centered on Ivanti’s Integrity Checker Tool (ICT). Customers could see if they had been attacked through the ICT.

But Lin noted that the Spawn ecosystem “is careful to circumvent the integrity checker tool (ICT)” by creating a new digital signature to fraudulently sign the ICT manifest file.
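The bypass Lin describes works against any integrity checker that accepts a manifest because it carries some valid signature rather than because it carries the vendor's signature. The following is an added illustration, not Ivanti's ICT code and not based on its internals: it contrasts a checker that trusts whatever key the manifest names (looked up in a device-local key table an intruder can also write to) with one that verifies only against a pinned vendor key. The file contents, paths and keys are constructed for the example, and an HMAC tag stands in for a real asymmetric signature so the script runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed for this example: the one key the checker is allowed to trust.
# A real checker would pin an asymmetric public key; an HMAC secret stands in
# here so the example runs on the standard library alone.
PINNED_VENDOR_KEY = b"vendor-manifest-key-constructed-for-this-example"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(entries, sort_keys=True).encode()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Build a manifest: path -> sha256 map plus a tag over the canonical body."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "key_id": _sha256(key)[:16], "tag": tag}


def naive_verify(manifest: dict, key_table: dict) -> bool:
    """Weak design: trust whichever key the manifest's own key_id points at.

    If the key table lives on the same device an intruder controls, a tampered
    manifest re-signed with a freshly generated key, registered in that table,
    verifies cleanly.
    """
    key = key_table.get(manifest["key_id"])
    if key is None:
        return False
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def pinned_verify(manifest: dict) -> bool:
    """Hardened design: verify only against the pinned vendor key; ignore key_id."""
    expected = hmac.new(PINNED_VENDOR_KEY, _canonical(manifest["entries"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def diff_files(manifest: dict, files: dict) -> list:
    """Paths whose current content hash differs from, or is missing in, the manifest."""
    entries = manifest["entries"]
    changed = [p for p, content in files.items() if entries.get(p) != _sha256(content)]
    missing = [p for p in entries if p not in files]
    return sorted(changed + missing)


def demo() -> dict:
    # Constructed "appliance" contents before and after one library is replaced.
    clean = {"/opt/app/bin/daemon": b"clean daemon", "/opt/app/lib/util.so": b"clean lib"}
    tampered = dict(clean)
    tampered["/opt/app/lib/util.so"] = b"modified lib"

    genuine = sign_manifest({p: _sha256(c) for p, c in clean.items()}, PINNED_VENDOR_KEY)

    # A manifest matching the modified files, signed with a constructed
    # non-vendor key that has been added to the device-local key table.
    other_key = b"non-vendor-key-constructed"
    resigned = sign_manifest({p: _sha256(c) for p, c in tampered.items()}, other_key)
    key_table = {genuine["key_id"]: PINNED_VENDOR_KEY, resigned["key_id"]: other_key}

    return {
        "naive_accepts_resigned": naive_verify(resigned, key_table),
        "pinned_accepts_resigned": pinned_verify(resigned),
        "pinned_accepts_genuine": pinned_verify(genuine),
        "changed_vs_genuine": diff_files(genuine, tampered),
        "changed_vs_resigned": diff_files(resigned, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is in the last two dictionary entries: measured against the re-signed manifest the device reports no changes at all, and only the pinned-key check exposes that the manifest itself is not the vendor's. A checker whose trust anchor can be rewritten from the device it is checking is not an independent witness, which is why an out-of-band comparison (a manifest or key held off-appliance) is the stronger check.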

Japanese officials said the vulnerability was used to target several organizations in the country since December. The group behind the exploitation has historically attacked a broad array of organizations spanning government, defense, finance, and tech, according to Lin.

Since 2020, CISA has warned organizations repeatedly of state-backed hackers linked to China exploiting vulnerabilities in Ivanti products.

In April 2021, CISA warned that hackers breached the systems of a number of U.S. government agencies, critical infrastructure entities and other private sector organizations. Mandiant attributed the activity to hackers operating on behalf of the Chinese government.

Last April, Ivanti pledged a security overhaul after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in the company’s products.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.