























Our threat hunting team reconstructed the chain of events that leads to the download and execution of the trojanized VPN client:
Phase 1: SEO Poisoning
The attack begins when a user searches for keywords such as “Ivanti Pulse Secure Download” on a search engine. The threat actors in this campaign are heavily targeting the Bing search engine to poison the results, ensuring their malicious sites are top search results. The user is presented with results pointing to look-alike domains such as ivanti-pulsesecure[.]com (registered on 2025-09-19) or ivanti-secure-access[.]org (registered on 2025-09-14).

Phase 2: Malicious Landing Page
Upon clicking the link impersonating Ivanti, the user is directed to a threat actor-controlled website designed to impersonate the official Ivanti Pulse Secure download page. The site is a convincing replica, offering what appears to be a legitimate VPN client for download.



Phase 3: Trojanized Installer Download
When the user clicks the download button, the website initiates an HTTP request in the background to shopping5[.]shop/?file=ivanti. This URL, in turn, facilitates the download of a trojanized MSI installer from netml[.]shop/get?q=ivanti.
Notably, the downloaded MSI file is signed, a technique used to evade security detections and create a false sense of security for the end user.

Why we find this interesting
This attack stands out because it uses sophisticated SEO poisoning and lookalike domains to trick users into downloading a signed, trojanized installer that is largely undetected by security tools. The campaign demonstrates how attackers exploit trust in search engines and legitimate-looking files to bypass defenses and maximize victim impact.
What makes this campaign even more unique and evasive is its use of referrer-based conditional content delivery where the phishing website dynamically adjusts the content based on how it is accessed. If visited directly, the domain presents benign content without any download button, making it appear harmless to most analysts and security tools. However, when accessed via a Bing search (if Bing is present in the refer-URL), the original phishing content is displayed, including the malicious download link. This evasion strategy exploits the HTTP Referrer header and the trust in search engine referrals, tricking security vendors and analysts into misclassifying the domain as benign.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。