How to Remove RESURGE Malware

A new and highly sophisticated malware strain known as RESURGE has been uncovered in targeted cyberattacks exploiting a now-patched vulnerability in Ivanti Connect Secure (ICS) devices. This malware is an evolution of the SPAWNCHIMERA variant, introducing powerful new functionalities that increase its stealth, persistence, and destructive capabilities.

Researchers revealed that RESURGE is part of a broader malware ecosystem linked to state-sponsored cyber-espionage groups, particularly UNC5337, and is considered an active threat to critical infrastructure and enterprise environments.

Threat Summary

Category	Details
Threat Name	RESURGE (libdsupgrade.so)
Threat Type	Rootkit, Dropper, Bootkit, Backdoor, Proxy, Credential Stealer
Associated Emails	N/A
Detection Names	UNC5337 malware, RESURGE, SPAWNCHIMERA variant
Symptoms of Infection	Unusual log file behavior, Web shell activity, privilege escalation, abnormal network tunneling
Damage	Long-term access, credential theft, system corruption, boot-level persistence
Distribution Method	Exploitation of CVE-2025-0282 via Ivanti vulnerabilities
Danger Level	Critical – Targeting critical infrastructure and leveraging zero-day exploits

---

A Versatile and Threatening Toolkit

RESURGE, discovered as libdsupgrade.so, is a multi-functional threat that goes beyond traditional malware capabilities. It combines the traits of several malicious tools:

• Rootkit: Hides its presence on infected systems.
• Dropper: Deploys additional payloads.
• Backdoor: Provides remote access.
• Bootkit: Ensures persistence at system startup.
• Proxy/Tunneler: Enables data exfiltration and command relay.

These features make RESURGE a modular and devastating malware package for long-term espionage.

---

Exploited Vulnerability: CVE-2025-0282

The initial infection vector is the exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti products. The flaw permits remote code execution and has been actively used by threat actors including UNC5337 and Silk Typhoon (formerly Hafnium).

Affected Products:

• Ivanti Connect Secure (before 22.7R2.5)
• Ivanti Policy Secure (before 22.7R1.2)
• Ivanti Neurons for ZTA Gateways (before 22.7R2.3)

---

The SPAWN Malware Ecosystem & Evolution

RESURGE stems from the SPAWN malware family, previously observed in espionage campaigns involving modular threats like:

• SPAWNANT
• SPAWNMOLE
• SPAWNSNAIL

SPAWNCHIMERA, an earlier advancement, consolidated these into a monolithic variant and introduced innovations such as:

• UNIX domain socket communication
• Self-patching of the exploited vulnerability to block rival access

RESURGE builds on SPAWNCHIMERA’s structure but includes three key enhancements.

---

RESURGE’s Advanced Capabilities

1. System Manipulation and Persistence:
   • Injects into ld.so.preload
   • Installs a persistent Web shell
   • Alters integrity checks and system files
2. Credential Exploitation:
   • Enables Web shell-based credential harvesting
   • Facilitates account creation, password resets, and escalation
3. Boot Persistence:
   • Copies malware to the boot disk
   • Modifies the coreboot image for stealthy re-infection after reboot

---

Additional Malware Components

• SPAWNSLOTH (liblogblock.so): A stealth variant found within RESURGE, designed to manipulate logs and erase evidence.
• DSMain: A separate binary containing shell scripts and BusyBox components, capable of extracting kernel-level data and enhancing system compromise.

---

Manual Removal of Backdoor Malware (For Advanced Users Only)

Step 1: Boot Into Safe Mode with Networking

1. Restart your computer and enter Safe Mode:
   • Windows 10/11:
     1. Press Windows + R, type msconfig, and press Enter.
     2. Navigate to the Boot tab, check Safe boot, and select Network.
     3. Click Apply and OK, then restart your PC.
   • Alternative Method:
     1. Hold Shift while clicking Restart from the Start menu.
     2. Select Troubleshoot > Advanced options > Startup Settings.
     3. Click Restart, then select Enable Safe Mode with Networking.

Step 2: End Malicious Processes Using Task Manager

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for suspicious or unfamiliar processes consuming high CPU or RAM.
3. Right-click on the process and select Open file location.
4. If the file is in an unusual directory (e.g., C:\Users\Public or C:\Windows\System32), it might be malware.
5. End the process by right-clicking and selecting End Task.
6. Delete the related file from its folder.

Step 3: Delete Backdoor Files from System Folders

1. Open File Explorer and navigate to:makefileCopyEditC:\Users\YourUsername\AppData\Local C:\Users\YourUsername\AppData\Roaming C:\ProgramData C:\Windows\Temp
2. Delete any suspicious folders or files with random names (e.g., xhterou.exe, srvhosts.dll, temp0987.bat).
3. Clear the Temp folder:
   • Press Windows + R, type %temp%, and press Enter.
   • Select all files (Ctrl + A) and delete them.

Step 4: Remove Malicious Registry Entries

⚠️ Warning: Modifying the registry incorrectly can damage your system. Proceed with caution.

1. Press Windows + R, type regedit, and press Enter.
2. Navigate to the following keys and look for suspicious values:mathematicaCopyEditHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Delete unknown registry entries referencing suspicious .exe files.
4. Close Registry Editor and restart your PC.

Step 5: Remove Suspicious Startup Programs

1. Open Task Manager (Ctrl + Shift + Esc) and go to the Startup tab.
2. Look for unknown or suspicious programs and disable them.

Step 6: Reset Network Settings (Optional)

1. Open Command Prompt as Administrator:
   • Press Windows + S, type cmd, and select Run as administrator.
2. Run the following commands:perlCopyEditnetsh winsock reset netsh int ip reset ipconfig /flushdns
3. Restart your computer.

---

Automated Removal Using SpyHunter

If manually removing the backdoor malware is too complex or if you want a faster, more effective solution, use SpyHunter, a powerful anti-malware tool that specializes in detecting and removing backdoors and other threats.

Step 1: Download and Install SpyHunter

1. Visit the official SpyHunter download page: 👉 Download SpyHunter
2. Click Download and follow the on-screen installation instructions.

Step 2: Run a Full System Scan

1. Launch SpyHunter.
2. Click on Start Scan Now to initiate a full system scan.
3. Wait for the scan to complete. SpyHunter will detect and list all malware threats, including backdoor infections.

Step 3: Remove Detected Threats

1. Review the scan results.
2. Click Fix Threats to remove all detected malware.
3. Follow on-screen prompts to restart your computer if necessary.

Step 4: Enable SpyHunter’s Real-Time Protection

1. Open SpyHunter and go to Settings > Malware Protection.
2. Enable Real-Time Malware Protection to prevent future infections.

---

How to Prevent Future Backdoor Infections

• Use a reputable anti-malware tool like SpyHunter for real-time protection.
• Keep your software and operating system updated to patch vulnerabilities.
• Avoid downloading cracked software or opening suspicious email attachments.
• Enable firewall and network security settings to prevent unauthorized access.
• Use strong passwords and enable two-factor authentication (2FA) where possible.

---

Conclusion

RESURGE is not merely another malware strain—it marks a dangerous evolution in state-sponsored cyber-espionage tactics. With deep system integration, the ability to persist through reboots, and tools for both obfuscation and credential theft, RESURGE represents a critical threat to organizations using Ivanti appliances. The link to high-profile actors like UNC5337 and Silk Typhoon further emphasizes the geopolitical significance of this malware. As cyber attackers continue to innovate, understanding and tracking threats like RESURGE becomes imperative for cybersecurity defense strategies.