
The update equips security teams with actionable detection tools, reducing the risk of long‑dwell, stealthy intrusions on critical remote‑access infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) released an updated analysis of the RESURGE malware family on February 26, expanding on the findings published last year. RESURGE is a sophisticated threat that infiltrates Ivanti Connect Secure (formerly Pulse Secure) VPN appliances, establishing a covert foothold that can persist for months without triggering conventional security alerts. By remaining silent until a remote operator initiates a command, the malware sidesteps routine scans and endpoint monitoring, making it especially dangerous for critical infrastructure and enterprise networks that rely on these devices for remote access.
The new report delivers deeper technical insight, detailing the malware’s persistence mechanisms, encrypted command‑and‑control channels, and the specific registry and configuration changes it employs to hide its presence. CISA also provides enhanced detection resources, including updated YARA rules, Snort signatures, and forensic artefact guides that enable security teams to spot the dormant payload before activation. These tools address previous blind spots where traditional antivirus products missed the low‑profile behavior, allowing defenders to identify the malware’s dormant state through anomalous network traffic and file‑system footprints.
For organizations operating Ivanti Connect Secure devices, the findings underscore an urgent need to implement the mitigations outlined in CISA’s June 2025 fact sheet and to conduct thorough inventory checks for unpatched appliances. Integrating the new detection signatures into security information and event management (SIEM) platforms can reduce dwell time and prevent the stealthy activation phase. More broadly, the RESURGE update highlights the evolving tactics of state‑aligned threat actors and reinforces the importance of continuous threat‑intelligence sharing between federal agencies and the private sector.