I hadn’t even finished my second coffee after writing about China’s UNC5221 carpet-bombing organisations globally, and CISA decides to drop an updated malware analysis report that should make every network defender in the room deeply, personally uncomfortable. RESURGE is still out there. On Ivanti Connect Secure devices. Possibly yours. Dormant. Undetected. Sipping a metaphorical coffee and watching your traffic.
That is not me being dramatic. That is CISA’s language: “RESURGE may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat.” And: “RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device.” So if you patched the vulnerability and moved on — congratulations, you closed the front door. The tenant already inside didn’t leave.
What RESURGE Actually Is
RESURGE is a stealthy implant that exploits CVE-2025-0282, a critical vulnerability in Ivanti Connect Secure VPN appliances. CISA first documented it in March 2025. The original analysis was bad enough — RESURGE survives reboots, deploys web shells to steal credentials, creates new accounts, resets passwords, and escalates privileges. Standard nation-state post-exploitation kit, right? Patch it, do a factory reset, move on.
Except CISA just dropped an updated analysis on February 26, 2026, and per Bleeping Computer’s coverage, the picture is significantly worse than the March 2025 writeup. The updated report details “sophisticated network-level evasion and authentication techniques” that RESURGE uses to maintain covert command-and-control. Specifically: the malware leverages advanced cryptographic methods and forged TLS certificates. It uses mutual TLS with elliptic-curve (EC) cryptography. RESURGE requests the remote actor’s EC key and verifies it against a hard-coded EC Certificate Authority key, so only an operator holding a key signed by that CA gets a session, and the C2 traffic looks like legitimate encrypted communication to anything doing standard TLS inspection.
And then there’s the module that really made my eye twitch: COREDIVE. This component can decrypt, modify, and re-encrypt coreboot firmware images and manipulate filesystem contents for boot-level persistence. Boot-level persistence. Let me say that again slowly. The malware can burrow into your device’s boot process, surviving factory resets if they’re not performed correctly per CISA’s specific guidance. This is not garden-variety malware. This is purpose-built, nation-state implant engineering designed never to be found and to persist forever.
There is one silver lining buried in the CISA report: because RESURGE sends its forged TLS certificate unencrypted over the internet during the initial C2 handshake, that certificate transmission is detectable as a network signature. It’s one actionable IOC in an otherwise invisible sea of nastiness. Don’t miss it.
Who’s Behind This
Mandiant attributed the initial zero-day exploitation of CVE-2025-0282 — beginning in mid-December 2024, before Ivanti even knew the hole existed — to UNC5221, a China-linked threat group. The same UNC5221 I covered when Google disrupted Chinese state hackers systematically hitting 53 organisations globally. These are not amateurs experimenting with off-the-shelf tooling. They exploited CVE-2025-0282 as a zero-day, planted RESURGE, and then engineered the implant to be so stealthy it can sit on your device doing nothing until the operator decides to turn the key.
This is long-term espionage infrastructure. UNC5221’s targeting historically aligns with government, defence, telecom, and critical infrastructure. If RESURGE landed on your Ivanti appliances, the question is not just “have we patched the vulnerability?” The question is “have we actually found and evicted the implant?” Those are two entirely different questions, and patching CVE-2025-0282 does not automatically remove the tenant already living in your boot disk.
Why Everyone Keeps Fumbling This
Here’s what drives me absolutely mental about the Ivanti situation: this is not the first time. Ivanti vulnerabilities have been chained, exploited at scale, and used to drop persistent implants on enterprise VPN appliances for years. Every time, the vendor response is a patch — eventually — and the security guidance is “patch it and do a factory reset.” And every time, some percentage of organisations either don’t patch fast enough, don’t do the factory reset correctly, or assume that because they ran the Ivanti integrity checker, they’re clean.
RESURGE was specifically engineered to bypass that integrity checker. The people who built this implant knew exactly what the standard remediation playbook looked like and designed around it. And yet the response across the industry has largely been “we patched, we reset, we’re good.” They’re not good.
As I covered when writing about CISA’s KEV list and the FileZen vulnerability, the distance between a vulnerability disclosure and active exploitation has shrunk to effectively zero for high-value targets. The moment CVE-2025-0282 was exploitable, UNC5221 was using it — months before the patch existed. You were behind before you knew the race had started.
The cognitive dissonance here is also a problem. Ivanti Connect Secure is a security device. It’s supposed to be the thing protecting everything else. The idea that it’s the thing that’s compromised — from the inside, invisibly, at firmware level — is uncomfortable for security teams whose entire mental model treats these appliances as gatekeepers rather than attack surfaces. That discomfort is exactly what this implant relies on.
The Evasion Tech Deserves More Attention Than It’s Getting
The mutual TLS with EC encryption means standard TLS inspection tools struggle to identify the C2 traffic. The hard-coded CA key means it looks like legitimately encrypted communication from a trusted process. The firmware-level persistence via coreboot image manipulation means endpoint detection agents running in the OS layer may never see it at all. And the dormancy capability means there’s no active C2 beacon to detect — nothing happens until the operator chooses to activate it.
This is the kind of implant that gets missed for months. Years, possibly. And given that CISA is issuing an updated analysis report more than a year after the initial exploitation, there are almost certainly organisations right now with RESURGE sitting in their Ivanti boot disk, completely unaware, in environments that were supposedly “remediated.”
This is exactly the Chinese long-game approach to espionage infrastructure that I noted when covering how Chinese state hackers hijacked Notepad++ update traffic for six solid months without anyone noticing. Patient, quiet, purpose-built persistence. RESURGE fits that pattern perfectly.
Here’s Your Checklist, Use It
CISA published updated IOCs and detection guidance with the February 26 report. Pull them. Apply them. Here’s what you do:
One — pull the updated CISA malware analysis report (MAR-25993211-r1.v2) and apply the network-level IOCs, specifically hunting for the unencrypted forged TLS certificate transmission during initial C2 contact. That is your best real-time detection signal.
Two — any Ivanti Connect Secure device that ran vulnerable firmware before the patch was applied must be treated as potentially compromised. Not “probably fine.” Potentially compromised. The difference matters.
Three — if you’re factory-resetting Ivanti appliances, do it correctly using CISA’s specific guidance. Do not just click “restore factory defaults” and call it done. Boot-level persistence requires boot-level remediation.
Four — if you have historical network captures from Ivanti devices going back to late 2024, look retroactively for the unencrypted forged certificate traffic during what should be TLS handshakes. That’s your best forensic retrospective signal.
Five — seriously reconsider whether additional network segmentation around your Ivanti appliances would reduce blast radius. The architecture assumption that the VPN appliance is trusted is no longer defensible in environments where UNC5221 has been operating.
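The one network signal the CISA report hands you (the forged certificate crossing the wire in the clear during the initial handshake) is worth automating, both for the live hunt in step one and the retrospective capture sweep in step four. What follows is an added example, my own code rather than anything from CISA’s MAR or from Ivanti: it walks raw TCP payload looking for plaintext TLS Certificate handshake messages (which is where TLS 1.2 and earlier carry both the server certificate and, under mutual TLS, the client certificate), pulls out each DER blob, fingerprints it with SHA-256, and compares against a watchlist. The certificate bytes and the watchlist entry in the sample are constructed placeholders; you would load the real fingerprints from the MAR, which this post does not reproduce. TLS 1.3 encrypts the Certificate message, so this check only applies to the plaintext case the report describes.

```python
"""Hunt captured TCP payload for plaintext TLS Certificate messages and match
their SHA-256 fingerprints against a watchlist (standard library only)."""
import hashlib
import struct

TLS_HANDSHAKE = 0x16        # record-layer content type
TLS_APPDATA = 0x17
HS_CERTIFICATE = 0x0B       # handshake message type "Certificate"


def iter_tls_records(payload: bytes):
    """Yield (content_type, version, body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:      # truncated capture: stop rather than mis-parse
            break
        yield ctype, version, body
        off += 5 + length


def iter_handshake_messages(record_body: bytes):
    """Yield (handshake_type, message) for each handshake message in a record."""
    off = 0
    while off + 4 <= len(record_body):
        htype = record_body[off]
        hlen = int.from_bytes(record_body[off + 1:off + 4], "big")
        msg = record_body[off + 4:off + 4 + hlen]
        if len(msg) < hlen:
            break
        yield htype, msg
        off += 4 + hlen


def extract_certificates(payload: bytes) -> list[bytes]:
    """Return every DER certificate sent unencrypted in a TLS 1.2-style handshake."""
    certs = []
    for ctype, _version, body in iter_tls_records(payload):
        if ctype != TLS_HANDSHAKE:
            continue
        for htype, msg in iter_handshake_messages(body):
            if htype != HS_CERTIFICATE:
                continue
            # Certificate message: certificates_length(3) then (length(3) + DER)*
            end = 3 + int.from_bytes(msg[0:3], "big")
            off = 3
            while off + 3 <= end:
                clen = int.from_bytes(msg[off:off + 3], "big")
                certs.append(msg[off + 3:off + 3 + clen])
                off += 3 + clen
    return certs


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def hunt(payload: bytes, watchlist: set[str]) -> list[str]:
    """Fingerprints of certificates in the payload that appear on the watchlist."""
    return [fp for fp in map(fingerprint, extract_certificates(payload)) if fp in watchlist]


def build_certificate_record(ders: list[bytes]) -> bytes:
    """Assemble a TLS 1.2 Certificate handshake message in a record (for the sample)."""
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    cert_msg = len(entries).to_bytes(3, "big") + entries
    hs = bytes([HS_CERTIFICATE]) + len(cert_msg).to_bytes(3, "big") + cert_msg
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs


# Constructed sample: a fake DER blob (not a real certificate) followed by an
# application-data record that the hunt must ignore.
CONSTRUCTED_DER = b"\x30\x82\x00\x2a" + b"\xa5" * 42
SAMPLE_STREAM = (
    build_certificate_record([CONSTRUCTED_DER])
    + struct.pack("!BHH", TLS_APPDATA, 0x0303, 5) + b"\x00" * 5
)
# Placeholder watchlist: replace with the certificate fingerprints from CISA's MAR.
WATCHLIST = {fingerprint(CONSTRUCTED_DER)}

if __name__ == "__main__":
    for fp in hunt(SAMPLE_STREAM, WATCHLIST):
        print(f"watchlisted certificate seen in cleartext handshake: {fp}")
```

Feed it reassembled TCP payload in both directions: because RESURGE does mutual TLS, the operator’s client certificate is as interesting as the implant’s server certificate, and both travel in the clear in a TLS 1.2 handshake.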
The broader lesson I keep repeating until I’m hoarse: your security perimeter devices are software running on hardware, and software has vulnerabilities. Attackers know this better than most security teams. They specifically target VPN appliances and firewalls because compromising them gives persistent, hard-to-detect access that bypasses most internal controls. As long as we treat “we have Ivanti at the edge” as the endpoint of a security architecture conversation rather than the beginning of one, this keeps happening.
