Coordinated Reconnaissance and Exploitation Activity Targeting Edge VPN Appliances
CISA issued updated technical details on RESURGE, a stealthy implant used in zero-day intrusions of Ivanti Connect Secure appliances via CVE-2025-0282. The malware (a 32-bit Linux shared object, libdsupgrade.so) is designed for long-term persistence and covert access, with capabilities described as including rootkit/bootkit-style functionality, credential theft via webshells, account manipulation, privilege escalation, and tunneling/proxying. CISA highlighted that RESURGE can remain dormant and evade detection by acting as a passive command-and-control (C2) endpoint: rather than beaconing out, it waits for specific inbound TLS connections and, when loaded under the web process, hooks accept() to inspect the TLS handshake and only activates on attacker-identified traffic (using a CRC32-based TLS fingerprinting approach); non-matching traffic is passed through to the legitimate service. Because the implant never initiates outbound connections, egress-based beacon detection alone will not surface it; hunting has to rely on the on-device artifacts and inbound-connection indicators in CISA's updated IOCs. Reporting cited Mandiant's attribution of the early exploitation activity to a China-linked actor tracked as UNC5221, with zero-day exploitation reported since mid-December 2024.
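To make the passive-activation behaviour concrete, the following is an added illustration written for this page; it is not RESURGE code and is not taken from CISA's analysis. It shows how an accept()-side filter can parse an inbound TLS ClientHello, compute a CRC32 fingerprint over it, and hand the connection to the implant only on a match while passing everything else (including non-TLS and malformed input) to the legitimate service. Which handshake fields RESURGE actually feeds into its CRC32 is not stated in the reporting; this example assumes the ordered cipher-suite and extension-type lists, and the operator fingerprint constants are made up. The same fingerprint() routine is what a defender would run over captured ClientHellos to hunt for a known operator fingerprint. Python is used for readability rather than the shared object's native C.

```python
import struct
import zlib

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def build_client_hello(cipher_suites, extension_types, client_random=b"\x11" * 32):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    exts = b"".join(struct.pack("!HH", t, 0) for t in extension_types)  # empty extension bodies
    body = (
        b"\x03\x03" + client_random
        + b"\x00"                                   # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (cipher_suites, extension_types), or None if this is not a well-formed ClientHello."""
    try:
        if record[0] != TLS_HANDSHAKE or len(record) < 5:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        pos = 2 + 32                                    # skip client_version + random
        sid_len = body[pos]; pos += 1 + sid_len          # skip session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = body[pos]; pos += 1 + comp_len        # skip compression methods
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        ext_types = []
        while pos + 4 <= end:                            # walk extension headers only
            ext_type, ext_body_len = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(ext_type)
            pos += 4 + ext_body_len
        return suites, ext_types
    except (IndexError, struct.error):                   # truncated or garbage input
        return None


def fingerprint(suites, ext_types):
    """CRC32 over the ordered cipher-suite and extension-type lists (assumed input set)."""
    data = b"".join(struct.pack("!H", s) for s in suites) + b"".join(struct.pack("!H", t) for t in ext_types)
    return zlib.crc32(data) & 0xFFFFFFFF


def dispatch(record, operator_fp):
    """Route one accepted connection: 'implant' only on a fingerprint match, else 'passthrough'."""
    parsed = parse_client_hello(record)
    if parsed is None:                                   # non-TLS or malformed: never break the real service
        return "passthrough"
    return "implant" if fingerprint(*parsed) == operator_fp else "passthrough"


# Hypothetical operator profile; real operator fingerprints are not published here.
OPERATOR_SUITES = [0x1301, 0x1302, 0xC02B]
OPERATOR_EXTS = [0x0000, 0x000A, 0x000D, 0x0010]
OPERATOR_FP = fingerprint(OPERATOR_SUITES, OPERATOR_EXTS)

if __name__ == "__main__":
    operator_hello = build_client_hello(OPERATOR_SUITES, OPERATOR_EXTS)
    browser_hello = build_client_hello([0x1301, 0x1302, 0x1303, 0xC02B], [0x0000, 0x000A, 0x000B, 0x000D, 0x0010])
    print(f"operator fingerprint 0x{OPERATOR_FP:08x}")
    print(dispatch(operator_hello, OPERATOR_FP))          # implant
    print(dispatch(browser_hello, OPERATOR_FP))           # passthrough
    print(dispatch(b"GET / HTTP/1.1\r\n", OPERATOR_FP))   # passthrough
```

The design point for defenders is the last branch of dispatch(): anything the filter cannot parse is forwarded untouched, so the appliance keeps serving normal users and nothing in ordinary traffic ever triggers the implant. That is also why a single well-formed ClientHello with the right fingerprint is the only network-visible activation signal, and why CISA's indicators focus on that inbound handshake rather than on outbound traffic.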
Separately, GreyNoise reported a large-scale reconnaissance campaign against SonicWall SonicOS/SSL VPN infrastructure (84,142 scanning sessions over four days, February 22 to 25, 2026) focused primarily on enumerating whether SSL VPN is enabled by probing a single REST API endpoint, behavior consistent with pre-attack target mapping rather than immediate CVE exploitation. The activity came from 4,305 IPs across multiple ASNs and included heavy use of commercial proxy infrastructure (rotating exits) in short, concentrated bursts, a pattern GreyNoise assessed as coordinated and operationally segmented. GreyNoise assessed this recon as a precursor to the credential-based intrusion and ransomware operations frequently associated with edge VPN access (citing Akira and Fog as examples), and noted broad internet exposure and a meaningful population of devices running vulnerable or unsupported firmware, conditions that increase the likelihood that reconnaissance will translate into follow-on compromise attempts.
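The signature GreyNoise describes (many unrelated source IPs hitting one endpoint in a short burst, skewed toward a proxy provider's address space) is easy to turn into a local detection on the appliance's own access logs. The following is an added example written for this page, not GreyNoise tooling: it parses constructed log lines, keeps only requests to the probed endpoint, slides a time window over them, and raises an alert when the number of distinct source IPs in the window crosses a threshold, annotating the alert with how the IPs spread across ASNs. The endpoint path, the log format, the ASN table and the RFC 5737 test addresses are all assumptions; the reporting only says a single SonicOS REST API endpoint was probed, and a real deployment would substitute the device's actual log format and an ASN lookup.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical endpoint path; the reporting only says a single SonicOS REST API endpoint.
PROBE_PATH = "/api/sonicos/ssl-vpn/status"

# Constructed prefix-to-ASN table standing in for a real ASN lookup (assumption).
ASN_TABLE = {
    "203.0.113.0/24": "AS64500 proxy-provider",
    "198.51.100.0/24": "AS64501 hosting",
    "192.0.2.0/24": "AS64502 hosting",
}


def asn_for(ip):
    """Map a source IP to an ASN label via the constructed table; 'unknown' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, name in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return "unknown"


def parse_line(line):
    """'2026-02-22T03:14:07Z 203.0.113.5 GET /path 401' -> dict, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ipaddress.ip_address(parts[1])                  # reject non-IP source fields
    except ValueError:
        return None
    return {"ts": ts, "ip": parts[1], "method": parts[2], "path": parts[3], "status": parts[4]}


def find_bursts(lines, window=timedelta(minutes=5), min_distinct_ips=5):
    """Slide a window over probes of PROBE_PATH; alert when many distinct IPs hit it in that window."""
    probes = sorted(
        (e for e in map(parse_line, lines) if e and e["path"] == PROBE_PATH),
        key=lambda e: e["ts"],
    )
    alerts, i = [], 0
    while i < len(probes):
        w_start = probes[i]["ts"]
        w_end = w_start + window
        j = i
        while j < len(probes) and probes[j]["ts"] < w_end:
            j += 1
        ips = {e["ip"] for e in probes[i:j]}
        if len(ips) >= min_distinct_ips:
            per_asn = defaultdict(int)
            for ip in ips:
                per_asn[asn_for(ip)] += 1
            alerts.append({
                "start": w_start, "end": w_end, "requests": j - i,
                "distinct_ips": len(ips), "distinct_asns": len(per_asn),
                "top_asn": max(per_asn.items(), key=lambda kv: kv[1])[0],
            })
            i = j                                        # skip past this burst; one alert per burst
        else:
            i += 1
    return alerts


# Constructed sample log (not captured data): one burst of eight probes from seven IPs,
# one unrelated request, one malformed line, and one isolated probe the next day.
SAMPLE_LOG = """\
2026-02-22T03:14:07Z 203.0.113.5 GET /api/sonicos/ssl-vpn/status 401
2026-02-22T03:14:09Z 203.0.113.17 GET /api/sonicos/ssl-vpn/status 401
2026-02-22T03:14:11Z 198.51.100.8 GET /api/sonicos/ssl-vpn/status 401
2026-02-22T03:14:12Z 203.0.113.44 GET /api/sonicos/ssl-vpn/status 401
2026-02-22T03:14:30Z 192.0.2.77 GET /sslvpn/login 200
2026-02-22T03:15:02Z 203.0.113.90 GET /api/sonicos/ssl-vpn/status 401
2026-02-22T03:15:03Z 203.0.113.91 GET /api/sonicos/ssl-vpn/status 401
2026-02-22T03:15:40Z 203.0.113.5 GET /api/sonicos/ssl-vpn/status 401
2026-02-22T03:16:01Z 203.0.113.120 GET /api/sonicos/ssl-vpn/status 401
garbage line that should be skipped
2026-02-23T11:00:00Z 192.0.2.9 GET /api/sonicos/ssl-vpn/status 401
"""

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"{alert['start']:%Y-%m-%d %H:%M} burst: {alert['requests']} probes from "
              f"{alert['distinct_ips']} IPs across {alert['distinct_asns']} ASNs, mostly {alert['top_asn']}")
```

Two choices matter in practice. Alerting on distinct IPs rather than request volume is what separates this pattern from a single noisy scanner, since rotating proxy exits produce few requests per IP; and reporting the dominant ASN lets an analyst recognise the proxy-provider concentration GreyNoise used to cluster the activity, which a plain rate limit would hide.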
Timeline
Feb 27, 2026
GreyNoise discloses findings on SonicWall reconnaissance infrastructure
On February 27, 2026, GreyNoise published its analysis attributing the SonicWall reconnaissance to several distinct infrastructure clusters, including ByteZero-backed proxy rotation, a Netherlands-based scanner fleet, a mega-scanner IP, and a NetExtender credential-testing cluster. It warned the activity could precede exploitation and urged defenders to restrict exposure, enforce MFA, and patch SonicOS, especially for CVE-2024-53704.
Feb 27, 2026
CISA publishes updated technical analysis of RESURGE malware
On February 27, 2026, CISA released updated technical details on the RESURGE implant used in Ivanti Connect Secure compromises. The update highlighted its dormant operation, persistence across reboots, covert TLS-based communications, and related tooling including a SpawnSloth variant and a kernel extraction script supporting boot-level persistence.
Feb 22, 2026
Mass reconnaissance campaign targets SonicWall SSL VPN exposure
Between February 22 and 25, 2026, GreyNoise observed 84,142 scanning sessions from 4,305 IPs targeting SonicWall SonicOS devices. The activity primarily enumerated whether SSL VPN was enabled via a REST API endpoint, a likely precursor to credential attacks and ransomware initial access.
Dec 15, 2025
ByteZero proxy management platform reportedly goes offline
GreyNoise noted that the management platform for the commercial proxy service ByteZero reportedly went offline in December 2025. This reportedly reduced oversight of infrastructure later used in SonicWall reconnaissance activity.
Dec 15, 2024
UNC5221 begins zero-day exploitation of Ivanti CVE-2025-0282
Mandiant assessed that the China-linked threat actor UNC5221 started exploiting CVE-2025-0282 as a zero-day against Ivanti Connect Secure devices in mid-December 2024. The activity deployed the RESURGE malware implant to establish persistent access on compromised systems.
Related Stories
CISA Warning on RESURGE Malware Exploiting Ivanti Connect Secure Zero-Day
**CISA** published updated technical details and warnings about **RESURGE**, a stealthy Linux implant used in zero-day intrusions against *Ivanti Connect Secure* appliances. The activity is tied to exploitation of **CVE-2025-0282** (a stack-based buffer overflow) affecting Ivanti Connect Secure as well as related *Policy Secure* and *ZTA Gateway* products; exploitation was observed beginning in **December 2024**, and CISA later added the CVE to its **Known Exploited Vulnerabilities (KEV)** catalog. CISA’s analysis was based on artifacts recovered from a compromised Ivanti device at a **critical infrastructure** organization, indicating the malware is being used in real-world intrusions rather than as a proof-of-concept. RESURGE is identified as a Linux shared object, `libdsupgrade.so`, designed for persistence and stealth, including **rootkit/bootkit-like** behavior and the ability to remain dormant by passively waiting for specific inbound **TLS** connections instead of beaconing. The implant reportedly hooks `accept()` to inspect inbound TLS traffic and uses a **CRC32-based TLS fingerprint** scheme to identify “legitimate” operator connections; reporting also notes use of a **fake Ivanti certificate** as an authentication artifact that can serve as a detection signature, followed by a mutually authenticated TLS session. The intrusion set also deployed a **SPAWNSLOTH** variant (`liblogblock.so`) for log tampering and a custom tool (`dsmain`) used to manipulate **coreboot** images/firmware and filesystem contents for persistence; reporting attributes the broader campaign to China-linked **UNC5221** and urges defenders to apply Ivanti fixes and hunt using CISA’s updated **IOCs** to identify and eradicate latent infections.
1 month ago
Internet-Scale Scanning and Exploitation Pressure on Edge Network Devices (Cisco SD-WAN, SonicWall SSL VPN)
Security monitoring and reporting highlighted escalating attacker focus on internet-exposed edge infrastructure, including **active exploitation** of a maximum-severity Cisco SD-WAN flaw and **large-scale reconnaissance** against SonicWall firewalls. Cisco disclosed **CVE-2026-20127** (CVSS 10.0) affecting *Cisco Catalyst SD-WAN Controller* (vSmart) and *Catalyst SD-WAN Manager* (vManage), describing in-the-wild exploitation dating back to 2023 that enables **unauthenticated authentication bypass** leading to **administrative privileges** via crafted requests; Cisco attributes discovery to **ASD-ACSC** and tracks related activity as **UAT-8616**. Separately, GreyNoise-tracked activity showed a coordinated scanning campaign against **SonicWall SonicOS** devices using **4,000+ unique IPs** to enumerate targets—primarily probing a SonicOS **REST API endpoint** used to determine whether **SSL VPN** is enabled (a common precursor to follow-on credential attacks and exploitation). The campaign generated **84,142 scanning sessions** over a four-day window and was assessed as a continuation/escalation of similar late-2025 scanning that targeted both Palo Alto and SonicWall VPN infrastructure, reinforcing the likelihood of an impending exploitation wave against exposed and unpatched perimeter devices.
1 month ago
Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE
Active exploitation is targeting **Ivanti Endpoint Manager Mobile (EPMM)** via two critical vulnerabilities—`CVE-2026-1281` (authentication bypass) and `CVE-2026-1340` (remote code execution)—with activity consistent with **initial access broker (IAB)** tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale. Post-exploitation behavior described in research includes deployment of a **dormant, in-memory Java class loader** backdoor that is left inactive until a specific trigger is received, with an observed web-accessible artifact at `/mifs/403.jsp`. Separately, GreyNoise telemetry attributes **83% of observed Ivanti exploitation** to a single IP hosted on **bulletproof infrastructure** (PROSPERO OOO, `AS200593`) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning **Oracle WebLogic** on port `7001`). GreyNoise also observed prevalent “blind” RCE verification using **OAST DNS callbacks** (rather than immediate payload deployment), reinforcing the assessment that operators are confirming exploitability and staging for follow-on access rather than executing overt actions immediately.
1 month ago