Cybersecurity researchers at Zscaler have uncovered a sophisticated malware campaign that exploits search engine optimization (SEO) poisoning to distribute a trojanized version of the Ivanti Pulse Secure VPN client, targeting unsuspecting users seeking legitimate software downloads.
The Zscaler Threat Hunting team recently detected a surge in malicious activity leveraging SEO manipulation, primarily targeting Bing search engine users.
Cybercriminals are deploying lookalike domains and fake download pages designed to steal VPN credentials, providing attackers with a gateway into corporate networks—a tactic historically linked to devastating ransomware attacks, including the notorious Akira ransomware.
The campaign begins innocuously when users search for terms like “Ivanti Pulse Secure Download” on search engines.


Threat actors have successfully poisoned search results, ensuring their malicious websites appear prominently. Users are directed to fraudulent domains such as ivanti-pulsesecure[.]com and ivanti-secure-access[.]org, registered in September 2025, which closely mimic legitimate Ivanti sites.
These fake websites feature convincing replicas of the official Ivanti Pulse Secure download page. When victims click the download button, a background HTTP request initiates the download of a trojanized MSI installer file.

Notably, the malicious installer carries a valid digital signature. A code signature is not evidence that a file is safe, but many users and security controls treat it as such, so signing lends the installer false credibility and helps it slip past detection.
At the time of analysis, only 2 of 58 antivirus vendors on VirusTotal flagged the malicious installer, demonstrating the campaign’s effectiveness at bypassing traditional security measures.
Sophisticated Evasion Tactics
What distinguishes this campaign is its use of referrer-based conditional content delivery. The phishing websites dynamically adjust displayed content based on how they’re accessed.
When visited directly, these domains present benign content without download buttons, appearing harmless to security analysts. However, when accessed via Bing search results, the full phishing content materializes, complete with malicious download links.
This use of the HTTP Referer header (the header's name is misspelled in the HTTP specification itself) lets the attackers show benign content to security vendors and analysts who fetch the URL directly, while search-engine visitors receive the lure.
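One way to expose Referer-gated cloaking is to fetch the same URL under several Referer values and compare the responses. The following is an added example, not Zscaler's tooling or code from the campaign: the `cloaking_site` function is a constructed stand-in that models the behaviour described above (lure only when the Referer points at Bing), and `probe_cloaking` is the check you would point at a suspicious domain. The domain, referer strings and HTML are illustrative assumptions.

```python
"""Probe a URL for Referer-dependent content (added example, not from the original report)."""
import hashlib
import re
from typing import Callable, Dict, Optional

# Constructed page bodies standing in for what a cloaking site would return.
BENIGN_HTML = ("<html><body><h1>Ivanti Pulse Secure</h1>"
               "<p>Enterprise VPN client.</p></body></html>")
LURE_HTML = ("<html><body><h1>Ivanti Pulse Secure</h1>"
             '<a class="download" href="/get?q=ivanti">Download</a></body></html>')


def cloaking_site(url: str, headers: Dict[str, str]) -> str:
    """Constructed model of the cloaking logic: the download button appears only
    when the request arrives with a Bing Referer. Stands in for a real HTTP fetch."""
    referer = headers.get("Referer", "")
    if re.match(r"^https?://(www\.)?bing\.com/", referer):
        return LURE_HTML
    return BENIGN_HTML


# Referer variants to try; "none" reproduces what a direct visit or a scanner sends.
PROBE_REFERERS: Dict[str, Optional[str]] = {
    "none": None,
    "bing": "https://www.bing.com/search?q=Ivanti+Pulse+Secure+Download",
    "google": "https://www.google.com/search?q=Ivanti+Pulse+Secure+Download",
}


def probe_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], str]) -> Dict[str, object]:
    """Fetch `url` once per Referer variant via `fetch(url, headers)` and report
    whether the body changes and which variants expose a download link."""
    bodies: Dict[str, str] = {}
    for name, referer in PROBE_REFERERS.items():
        headers = {"User-Agent": "Mozilla/5.0"}
        if referer:
            headers["Referer"] = referer
        bodies[name] = fetch(url, headers)
    digests = {k: hashlib.sha256(v.encode()).hexdigest()[:12] for k, v in bodies.items()}
    has_download = {k: bool(re.search(r'href="[^"]*"[^>]*>\s*Download', v, re.I))
                    for k, v in bodies.items()}
    return {
        "cloaked": len(set(digests.values())) > 1,   # bodies differ by Referer
        "digests": digests,
        "download_link_seen_via": sorted(k for k, v in has_download.items() if v),
    }


if __name__ == "__main__":
    # Defanged hypothetical URL; the stand-in fetch never touches the network.
    print(probe_cloaking("https://ivanti-pulsesecure[.]com/", cloaking_site))
```

Against a live site, pass a real fetch such as `lambda u, h: requests.get(u, headers=h, timeout=10).text` in place of `cloaking_site`, and expect "cloaked" to be true with "bing" as the only variant that exposes the download link. A site that returns identical bodies for every Referer is not cloaking on that header, though it may still cloak on User-Agent or source IP.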
The malicious MSI installer, signed by Hefei Qiangwei Network Technology Co., Ltd., contains credential-stealing DLLs (dwmapi.dll and pulse_extension.dll) that execute a targeted attack sequence.


The malware locates the Ivanti Pulse Secure connection storage file at C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat, extracts the VPN server URIs it contains, and builds data strings that combine the stolen credentials with hardcoded username and password values.
The malware connects to a command-and-control server at IP address 4[.]239[.]95[.]1 on port 8080, hosted on Microsoft Azure infrastructure. Using a major cloud provider for C2 is a "Living off Trusted Sites" (LOTS) technique: the traffic blends in with legitimate cloud services and is less likely to be blocked by reputation alone.


After performing XOR-based deobfuscation, the malware exfiltrates stolen data via HTTP POST requests to the C2 path /income_shit, common slang in malware development for incoming stolen data.
The Ransomware Connection
This attack methodology bears hallmarks of campaigns previously linked to Akira ransomware deployment. VPN credential theft provides attackers with initial access to corporate networks, enabling reconnaissance, lateral movement, and ultimately, ransomware deployment—potentially causing catastrophic organizational damage.
Organizations should immediately implement multi-factor authentication for all remote access, educate users about downloading software from unverified sources, and monitor for outbound connections to suspicious IP addresses.
Security teams should also scrutinize newly registered domains and domains on cheap top-level domains such as .shop and .top, which this campaign used for its download hosts.
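The recommendations above translate directly into a hunting sweep over proxy or firewall logs. The following is an added example, not Zscaler's detection logic: it applies the indicators from the IoC table at the end of this article to constructed web-proxy log lines and to the MD5 of a locally held installer. The log line layout (timestamp, client IP, method, URL, status) is an assumption; adjust `LOG_RE` to match your proxy's format.

```python
"""Sweep proxy logs and file hashes for the campaign's indicators (added example)."""
import hashlib
import re
from typing import Dict, Iterable, List


def refang(ioc: str) -> str:
    """Turn the defanged form used in reports (4[.]239[.]95[.]1) back into a real value."""
    return ioc.replace("[.]", ".")


# Indicators copied from the article's IoC table.
IOC_MD5 = {"6e258deec1e176516d180d758044c019", "32a5dc3d82d381a63a383bf10dc3e337"}
IOC_IPS = {refang("4[.]239[.]95[.]1")}
IOC_DOMAINS = {refang(d) for d in ("netml[.]shop", "shopping5[.]shop",
                                   "ivanti-pulsesecure[.]com", "ivanti-secure-access[.]org")}
IOC_C2_PATH = "/income_shit"
IOC_C2_PORT = "8080"
CHEAP_TLDS = {"shop", "top"}   # the article advises extra scrutiny, not an outright block

# Assumed log layout: "<timestamp> <client-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})")
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:?\s]+)(?::(?P<port>\d+))?(?P<path>/[^?\s]*)?")


def classify_request(method: str, url: str) -> List[str]:
    """Return the indicator tags a single request matches (empty list if clean)."""
    m = URL_RE.match(url)
    if not m:
        return []
    host = m.group("host").lower()
    port = m.group("port")
    path = m.group("path") or "/"
    tags: List[str] = []
    if host in IOC_IPS:
        tags.append("c2-ip")
        if port == IOC_C2_PORT:
            tags.append("c2-port-8080")
    if host in IOC_DOMAINS:
        tags.append("ioc-domain")
    if method == "POST" and path == IOC_C2_PATH:
        tags.append("c2-exfil-path")
    if host.rsplit(".", 1)[-1] in CHEAP_TLDS and host not in IOC_DOMAINS:
        tags.append("cheap-tld-review")   # unknown .shop/.top host: review, do not auto-block
    return tags


def sweep_logs(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse log lines and return one finding per line that matches an indicator."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; a real sweep would count these
        tags = classify_request(m.group("method"), m.group("url"))
        if tags:
            findings.append({"line": n, "client": m.group("client"),
                             "url": m.group("url"), "tags": tags})
    return findings


def known_sample(data: bytes) -> Dict[str, object]:
    """MD5 the bytes of a downloaded installer and compare with the reported hashes."""
    digest = hashlib.md5(data).hexdigest()
    return {"md5": digest, "match": digest in IOC_MD5}


# Constructed sample log lines that mimic the infection chain described in the article.
SAMPLE_LOGS = [
    "2025-10-02T09:14:03Z 10.1.2.33 GET https://www.bing.com/search?q=Ivanti+Pulse+Secure+Download 200",
    "2025-10-02T09:14:09Z 10.1.2.33 GET https://ivanti-pulsesecure.com/ 200",
    "2025-10-02T09:14:21Z 10.1.2.33 GET http://netml.shop/get?q=ivanti 200",
    "2025-10-02T09:15:40Z 10.1.2.33 POST http://4.239.95.1:8080/income_shit 200",
    "2025-10-02T09:16:02Z 10.1.2.44 GET https://update.example-cdn.top/pkg.bin 200",
    "2025-10-02T09:16:30Z 10.1.2.50 GET https://www.ivanti.com/ 200",
]

if __name__ == "__main__":
    for finding in sweep_logs(SAMPLE_LOGS):
        print(finding)
    print(known_sample(b"placeholder bytes, not the real installer"))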
Zscaler’s cloud security platform detects this threat as Win32_PWS_Agent across multiple security layers. The company continues monitoring this evolving campaign, leveraging analysis of over 500 billion daily transactions to identify sophisticated threats before they execute damaging attacks.
This campaign underscores the critical importance of continuous threat hunting and proactive security measures in an era where even digitally signed software and top search results cannot be implicitly trusted.
Indicators of Compromise (IoCs)
| Type | Indicator |
|---|---|
| MD5 | 6e258deec1e176516d180d758044c019 |
| MD5 | 32a5dc3d82d381a63a383bf10dc3e337 |
| Filename | Ivanti-VPN.msi |
| IP Address | 4[.]239[.]95[.]1 |
| Domain | netml[.]shop |
| Domain | shopping5[.]shop |
| Domain | ivanti-pulsesecure[.]com |
| Domain | ivanti-secure-access[.]org |
| URL | netml[.]shop/get?q=ivanti |
| URL | shopping5[.]shop/?file=ivanti |
| C2 Path | /income_shit |