RESURGE malware analysis update adds stealth, TLS, and C2 findings on Ivanti Connect Secure
Technical Analysis
Summary
New technical findings on RESURGE sharpen detection of a stealthy implant that can hide on Ivanti Connect Secure devices and enable covert SSH-based command-and-control. The update matters because the malware can remain dormant, evade routine monitoring, and use forged TLS certificates and other network-level tricks to communicate. Defenders are being directed to use IOCs, detection signatures, and CVE-2025-0282 mitigations to identify or contain affected systems.
Related Happenings
Ivanti EPMM patch release for CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821
Security Patch Release
First: 07.05.2026 18:20
Last: 07.05.2026 18:20
Sources 1
About this happening:
Ivanti released a security update for on-prem Endpoint Manager Mobile (EPMM) covering CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. The patch addresses high-seve...
Latest development: 07.05.2026 20:55
Ivanti released fixes for CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821 in Endpoint Manager Mobile (EPMM). The updates apply only to on-prem EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, and Ivanti said the issues are not present in Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.
BPFDoor Linux backdoor with HTTPS-hidden trigger packets
Malware Activity
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...
Ivanti Connect Secure zero-day exploitation (CVE-2025-0282)
Vulnerability
First: 27.02.2026 17:57
Last: 27.02.2026 17:57
Sources 1
How related:
According to researchers at incident response company Mandiant, the critical CVE-2025-0282 vulnerability was exploited as a zero-day since mid-December 2024 by a threat actor linked to China, tracked internally as UNC5221.
About this happening:
**CVE-2025-0282** in **Ivanti Connect Secure** was exploited as a **zero-day** starting in **mid-December 2024**, creating a breach path for affected appliances. The exploitation...
CISA updates KEV entry for CVE-2026-1731
Public Sector Action
First: 20.02.2026 17:45
Last: 20.02.2026 17:45
Sources 1
About this happening:
**CISA** updated its **KEV catalog** entry for **CVE-2026-1731**, confirming the flaw has been used in **ransomware campaigns** and elevating its government-tracked risk. The upda...
ArcaneDoor / UAT4356 Cisco ASA zero-day campaign targeting government agencies
Campaign
First: 26.09.2025 08:51
Last: 26.09.2025 08:51
Sources 1
About this happening:
The **ArcaneDoor** operation linked to **UAT4356 (aka Storm-1849)** targeted **Cisco ASA 5500-X Series** devices at **multiple government agencies**, creating a path for malware i...
Timeline
- 26.02.2026 02:00 · 2 articles · 3mo ago
Updated RESURGE Malware Analysis and Defender Guidance
Technical Analysis Update: CISA released an updated Malware Analysis Report on RESURGE that adds network-level evasion and authentication techniques, advanced cryptographic methods, and forged TLS certificates, while warning that the implant may remain dormant and undetected on Ivanti Connect Secure devices and directing defenders to use IOCs, detection signatures, and mitigation guidance for CVE-2025-0282.
Sources:
- CISA Issues Updated RESURGE Malware Analysis Highlighting a Stealthy but Active Threat — www.cisa.gov — 26.02.2026 14:00
- CISA warns that RESURGE malware can be dormant on Ivanti devices — www.bleepingcomputer.com — 27.02.2026 17:57
- 28.03.2025 02:00 · 1 article · 14mo ago
Original RESURGE Malware Analysis Report
Initial Disclosure: CISA released the original Malware Analysis Report on RESURGE, describing a malware implant that could modify files, manipulate integrity checks, and deploy a web shell to the Ivanti boot disk.
Sources:
- CISA Issues Updated RESURGE Malware Analysis Highlighting a Stealthy but Active Threat — www.cisa.gov — 26.02.2026 14:00