Search, Click, Steal: The Hidden Threat of Spoofed Ivanti VPN Client Sites
A recent malware campaign uses SEO poisoning on Bing to distribute a trojanized Ivanti Pulse Secure VPN client via lookalike domains. Users are tricked into downloading a malicious MSI installer that steals VPN connection data and credentials from the client's connectionstore.dat file. Stolen credentials are exfiltrated to a command and control (C2) server hosted on Azure infrastructure. The attack employs signed executables and referrer-based conditional content delivery to evade detection. This credential theft technique has been linked to subsequent Akira ransomware deployments. Organizations are advised to enforce multi-factor authentication, conduct user awareness training, and monitor for suspicious network and endpoint activity. No CVE is associated with this campaign: it abuses user trust and the software download path rather than a vulnerability in the Ivanti client, so there is no patch to apply and exposure is determined by how users obtain the client. The threat poses a medium severity risk due to credential compromise and potential ransomware follow-on attacks. European organizations using Ivanti Pulse Secure VPN are at risk, especially in countries with high adoption of this VPN solution and in critical infrastructure sectors.
AI Analysis
Technical Summary
This threat involves a malware campaign targeting users of the Ivanti Pulse Secure VPN client by poisoning Bing search results. Attackers register lookalike domains such as ivanti-pulsesecure.com and ivanti-secure-access.org to host fake download pages that mimic legitimate Ivanti sites; the IOC list also includes payload URLs on netml.shop and shopping5.shop, separate from the lookalike pages. When a user runs the trojanized MSI installer, the malware executes signed binaries so that controls which trust any valid signature do not flag them. The malware specifically targets the connectionstore.dat file, which stores the client's VPN connection data and credentials, enabling the attacker to harvest these credentials stealthily. Stolen credentials are exfiltrated to a C2 server hosted on Microsoft Azure infrastructure, which blends the traffic into a cloud provider that most organizations already talk to and complicates attribution and takedown. The campaign uses referrer-based conditional content delivery, serving the malicious payload only when the request arrives with an expected Referer (for example, from the poisoned search result); a sandbox or URL scanner that fetches the page directly, without that Referer, sees benign content. The credential theft is a precursor to deploying Akira ransomware, a ransomware family that has previously gained initial access through stolen VPN credentials. Although no CVE or public exploit is involved, the attack chain maps to several ATT&CK techniques: SEO poisoning (T1608.006), user execution of a malicious file (T1204.002), credentials in files (T1552.001), code-signing abuse (T1553.002), and C2 over web protocols (T1071.001). This is not a compromise of Ivanti's own distribution channel but an impersonation of it; the campaign highlights the risk of software-distribution attacks against remote access infrastructure, a critical component of enterprise security, and the defence is controlling where the client is obtained rather than patching it.
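As an added illustration of the referrer-keyed delivery described above (example code written for this page, not Zscaler's or Ivanti's), the following probe fetches one URL under several Referer values and reports whether the server answered differently. The Referer strings, the browser User-Agent and the idea that the site keys on a search-engine Referer are assumptions, not details recovered from the campaign.

```python
"""Probe whether a suspect download page serves different content by Referer.

Added example for the cloaking behaviour described above; it is not code from
Zscaler, Ivanti or the page. Assumptions: the site keys on a search-engine
Referer (the campaign poisoned Bing results), and the Referer strings below are
plausible values, not ones recovered from the campaign.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# (HTTP status, Content-Type, Content-Disposition, body)
Response = Tuple[int, str, str, bytes]
Fetcher = Callable[[str, Dict[str, str]], Response]

# Referer variants to compare. None means the header is omitted, which is what
# most automated URL scanners send and what the cloaking is designed to defeat.
REFERER_VARIANTS: Dict[str, Optional[str]] = {
    "no_referer": None,
    "bing": "https://www.bing.com/",
    "google": "https://www.google.com/",
    "unrelated_site": "https://example.org/",
}

# Browser-like UA so that UA-based cloaking does not confound the Referer test.
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")


def default_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real HTTP fetch. Use only from an isolated analysis host, never a corporate egress IP."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return (resp.status, resp.headers.get("Content-Type", ""),
                    resp.headers.get("Content-Disposition", ""), resp.read())
    except urllib.error.HTTPError as err:
        return (err.code, err.headers.get("Content-Type", ""), "", err.read())


def probe_cloaking(url: str, fetch: Fetcher = default_fetch) -> Dict[str, Dict[str, object]]:
    """Fetch the URL once per Referer variant and fingerprint each response."""
    results: Dict[str, Dict[str, object]] = {}
    for name, referer in REFERER_VARIANTS.items():
        headers = {"User-Agent": USER_AGENT}
        if referer is not None:
            headers["Referer"] = referer
        status, ctype, cdisp, body = fetch(url, headers)
        results[name] = {
            "status": status,
            "content_type": ctype.lower(),
            "disposition": cdisp.lower(),
            "sha256": hashlib.sha256(body).hexdigest(),
            "bytes": len(body),
        }
    return results


def is_installer(fingerprint: Dict[str, object]) -> bool:
    """True when the response looks like a binary download rather than a page."""
    ctype = str(fingerprint["content_type"])
    cdisp = str(fingerprint["disposition"])
    return ("octet-stream" in ctype or "msi" in ctype or "msdownload" in ctype
            or ".msi" in cdisp or ".exe" in cdisp)


def classify(results: Dict[str, Dict[str, object]]) -> Tuple[bool, List[str]]:
    """Return (cloaked, variants_that_received_an_installer).

    cloaked is True when at least two variants got different bodies or status
    codes, the signature of conditional delivery."""
    distinct = {(r["status"], r["sha256"]) for r in results.values()}
    served = sorted(name for name, r in results.items() if is_installer(r))
    return len(distinct) > 1, served


if __name__ == "__main__":
    import sys
    res = probe_cloaking(sys.argv[1])
    cloaked, served = classify(res)
    for name, r in res.items():
        print(f"{name:15} status={r['status']} type={r['content_type']!r} "
              f"bytes={r['bytes']} sha256={str(r['sha256'])[:16]}")
    print("cloaked:", cloaked, "installer served to:", served or "nobody")
```

Run it only from an isolated analysis host with its own egress: a request from a corporate IP tells the operator which organization is looking, and may itself be served the payload. A benign answer to the no-Referer request means nothing on its own, which is exactly why scanners that fetch with an empty Referer miss this campaign.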
Potential Impact
For European organizations, the impact of this threat is significant due to the reliance on VPN solutions like Ivanti Pulse Secure for secure remote access. Compromise of VPN credentials can lead to unauthorized network access, lateral movement, and data exfiltration. The subsequent deployment of Akira ransomware can cause operational disruption, data loss, and financial damage. Sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable given their use of VPNs and the high value of their data. The use of Azure-hosted C2 infrastructure complicates incident response and attribution. Additionally, the stealthy nature of the attack, leveraging signed binaries and conditional payload delivery, increases the likelihood of prolonged undetected presence within networks. This can undermine trust in remote access solutions and increase the risk of widespread ransomware outbreaks in Europe.
Mitigation Recommendations
1. Enforce multi-factor authentication for all VPN access so that a stolen password alone does not grant entry; prefer phishing-resistant factors where the gateway supports them.
2. Distribute the VPN client through managed software deployment rather than user downloads, and tell users to obtain it only from Ivanti's official portal or the IT-provided package. A search result is never a trustworthy download source; teach staff to verify the URL before downloading.
3. Search web proxy and DNS logs, retroactively as well as going forward, for the domains and URLs in the IOC list (ivanti-pulsesecure.com, ivanti-secure-access.org, netml.shop, shopping5.shop), and alert on any installer download whose Referer is a search engine and whose host is not a vendor domain.
4. Treat "signed" as necessary, not sufficient: the campaign's binaries carry valid signatures. EDR and application-control rules should check that the signer is Ivanti, not merely that a signature validates, for anything that installs into the Ivanti or Pulse Secure client directories, and should flag MSI installs launched from a browser download folder.
5. connectionstore.dat is legitimately accessed by the Ivanti/Pulse Secure client components; reads by any other process, above all an installer or a script, are suspicious. Enable object-access auditing or EDR file-access telemetry on the file, alert on such reads, and restrict its ACL per least privilege.
6. Segment the network so that a compromised VPN account reaches only what that user needs, limiting lateral movement from the VPN subnet.
7. Azure is too widely used for blanket blocking of its IP ranges to be viable. Instead, baseline the destinations the VPN client process normally contacts and alert on new destinations, especially connections that begin immediately after a client installation.
8. Keep threat-intelligence feeds current and load the hashes and domains from this page into EDR and proxy blocklists.
9. Include SEO-poisoning and fake-installer scenarios in red-team and awareness exercises, and measure whether the resulting downloads are caught by proxy and EDR controls.
10. If any endpoint installed the client from a lookalike domain, treat every VPN credential saved on it as compromised: reset the passwords, revoke active sessions, and review gateway logins for those accounts. Track Ivanti's advisories, noting that no patch exists for this campaign because it does not exploit a product vulnerability.
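A hunting script for the indicators above, added here as an example and not part of the page or of Zscaler's or Ivanti's tooling. Beyond the listed domains and URLs it applies two heuristics that generalise the campaign: a vendor brand name in a hostname that is not the vendor's own domain, and an installer-looking download from a non-vendor host reached via a search-engine Referer. The log format and sample lines are constructed, and the vendor domains (ivanti.com, pulsesecure.net) and search engines (Bing, Google) are assumptions to adjust per environment.

```python
"""Hunt web-proxy logs for this page's indicators plus lookalike heuristics.

Added example, not tooling from Zscaler, Ivanti or the page. Assumptions: log
lines are space separated with quoted Referer and User-Agent fields (a
constructed format; adapt parse_line to your proxy), ivanti.com and
pulsesecure.net are the only legitimate vendor domains, and Bing and Google
are the search engines whose referers matter.
"""
import shlex
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators of compromise from the page (domains and URLs).
IOC_DOMAINS = {"ivanti-pulsesecure.com", "ivanti-secure-access.org",
               "netml.shop", "shopping5.shop"}
IOC_URLS = {"http://netml.shop/get?q=ivanti", "http://shopping5.shop/?file=ivanti"}

LEGIT_DOMAINS = {"ivanti.com", "pulsesecure.net"}   # assumption: official vendor domains
SEARCH_ENGINES = {"bing.com", "google.com"}         # assumption
BRAND_TOKENS = ("ivanti", "pulsesecure", "pulse-secure")
INSTALLER_EXT = (".msi", ".exe", ".zip")


def registrable(host: str) -> str:
    """Last two labels of a host: fine for .com/.org/.shop, wrong for ccSLDs
    such as co.uk (use a public-suffix list there)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_of(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields: ts client method url status bytes "referer" "user-agent"."""
    try:
        fields = shlex.split(line)
    except ValueError:          # unbalanced quotes
        return None
    if len(fields) < 8:
        return None
    keys = ("ts", "client", "method", "url", "status", "bytes", "referer", "ua")
    return dict(zip(keys, fields))


def tag_request(rec: Dict[str, str]) -> List[str]:
    """Return the names of the rules a request trips, in a fixed order."""
    url = rec["url"]
    host = host_of(url)
    reg = registrable(host)
    tags: List[str] = []
    # Rule 1: exact indicator domain, or a subdomain of one.
    if host and (host in IOC_DOMAINS or reg in IOC_DOMAINS):
        tags.append("ioc_domain")
    # Rule 2: exact indicator URL.
    if url in IOC_URLS:
        tags.append("ioc_url")
    # Rule 3: vendor brand in the hostname of a non-vendor domain (catches new lookalikes).
    if any(t in host for t in BRAND_TOKENS) and reg not in LEGIT_DOMAINS:
        tags.append("lookalike_domain")
    # Rule 4: installer-looking fetch from a non-vendor host, reached via a search engine.
    referer = rec["referer"]
    ref_reg = registrable(host_of(referer)) if referer not in ("", "-") else ""
    path = urlsplit(url).path.lower()
    installer_like = path.endswith(INSTALLER_EXT) or "ivanti" in url.lower()
    if ref_reg in SEARCH_ENGINES and reg not in LEGIT_DOMAINS and installer_like:
        tags.append("search_referred_installer")
    return tags


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; return one finding per tripped line."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        tags = tag_request(rec)
        if tags:
            findings.append({"line": n, "client": rec["client"],
                             "host": host_of(rec["url"]), "tags": tags})
    return findings


# Constructed sample log (not real traffic): 10.20.30.41 follows the poisoned
# result through a lookalike page to a payload host and later to a second one,
# 10.20.30.77 downloads from the vendor, 10.20.30.90 pulls an installer from an
# unknown mirror via Google.
SAMPLE_LOG = [
    '2025-10-14T09:11:58Z 10.20.30.41 GET https://www.bing.com/search?q=ivanti+vpn+client+download 200 51234 "-" "Mozilla/5.0"',
    '2025-10-14T09:12:03Z 10.20.30.41 GET http://ivanti-pulsesecure.com/download 200 2210 "https://www.bing.com/" "Mozilla/5.0"',
    '2025-10-14T09:12:09Z 10.20.30.41 GET http://netml.shop/get?q=ivanti 200 4321104 "http://ivanti-pulsesecure.com/download" "Mozilla/5.0"',
    '2025-10-14T10:02:44Z 10.20.30.77 GET https://www.ivanti.com/downloads/client.msi 200 8800000 "https://www.bing.com/" "Mozilla/5.0"',
    '2025-10-14T11:40:12Z 10.20.30.90 GET https://cdn.update-mirror.example/IvantiSecureAccess.msi 200 9100000 "https://www.google.com/" "Mozilla/5.0"',
    '2025-10-14T12:15:30Z 10.20.30.41 GET http://shopping5.shop/?file=ivanti 200 4321104 "https://www.bing.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['host']} [{', '.join(f['tags'])}]")
```

Rules 1 and 2 are the exact indicators and will go stale as the operators rotate domains; rules 3 and 4 are what keep the hunt useful afterwards, at the cost of some noise from legitimate mirrors, so review rule-4 hits rather than blocking on them automatically. Any client that trips rule 1 or 2 should be treated under mitigation 10 above.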
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Indicators of Compromise
- hash (MD5): 32a5dc3d82d381a63a383bf10dc3e337
- hash (MD5): 6e258deec1e176516d180d758044c019
- hash (SHA-1): ec443de3ed3d17515ce137fe271c885b4f09f03e
- url: http://netml.shop/get?q=ivanti
- url: http://shopping5.shop/?file=ivanti
- domain: ivanti-pulsesecure.com
- domain: ivanti-secure-access.org
- domain: netml.shop
- domain: shopping5.shop
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.zscaler.com/blogs/security-research/spoofed-ivanti-vpn-client-sites
- Adversary: not attributed
- Pulse ID: 68ef1e76a4b321acc814160b
- Threat Score: none assigned
Threat ID: 68ef5ff1c4f69c9730edcbd3
Added to database: 10/15/2025, 8:48:49 AM
Last enriched: 10/15/2025, 8:56:12 AM
Last updated: 10/15/2025, 5:41:11 PM