Categories: Cyber Security News

Threat Actors Exploit Google Search with Fake Ivanti VPN Client Pages to Distribute Malware

Attackers have escalated their tactics to compromise organizations, leveraging search engine optimization (SEO) poisoning to deceive users seeking legitimate software downloads.

Recently, the Zscaler Threat Hunting team detected increased activity targeting users searching for “Ivanti Pulse Secure Download” on Google and Bing, with results leading them to attacker-controlled domains that distribute malware-laden installers.

This threat campaign marks a sophisticated evolution in initial access tactics, aiming to steal VPN credentials and facilitate subsequent attacks such as lateral movement and ransomware deployment.

SEO Poisoning and Malicious Installer Delivery

The campaign kicks off when users search for authentic Ivanti VPN client downloads and are presented with top-ranking results crafted by threat actors.

These sites mimic the official Ivanti download portals using lookalike domains like ivanti-pulsesecure[.]com and ivanti-secure-access[.]org, registered only days apart in September 2025.

Clicking these search results brings users to precise clones of genuine Ivanti pages; if accessed directly without a search engine referrer, the page appears benign, hiding malicious intent from casual observers and automated security scanners.

[Figure: example of Bing search results with a poisoned website]

This is accomplished through referrer-based conditional content delivery: only traffic whose Referer header names Bing or Google activates the malicious download functionality, a sophisticated evasion tactic that leverages trust in search engines and dynamic code execution.

The actual payload is a trojanized MSI installer masquerading as the legitimate Ivanti VPN client. Notably, it is digitally signed, which increases user trust and helps bypass security controls.

Once executed, the installer deploys malicious DLLs, specifically dwmapi.dll and pulse_extension.dll, which contain the credential-stealing logic.

These DLLs target the Ivanti VPN client’s connection store at C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat, extracting the stored VPN server URI.

The harvested URI is then packaged with hardcoded credentials and exfiltrated via an HTTP POST request to a command-and-control server hosted on Microsoft Azure, exploiting the Living off the Land (LOTS) technique to evade detection.

Before transmission, the stolen data undergoes XOR-based obfuscation to hinder analysis further.

The use of stolen VPN credentials allows attackers to move laterally within organizational networks, conduct reconnaissance, and ultimately deploy ransomware such as Akira, a tactic previously observed in and linked to similar campaigns.

[Figure: the fake website when visited directly, without a Bing redirection]

Zscaler researchers recommend immediate isolation of infected devices, enforcement of multi-factor authentication for VPN access, and real-time monitoring for outbound connections to suspicious domains and to newly registered domains on TLDs such as .shop and .top.
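One way to act on the monitoring advice above, as an added example that is not from the article or from Zscaler: a small hunting script over proxy logs that flags the patterns the article describes (installer downloads from Ivanti lookalike domains reached via a search-engine referrer, and POSTs to the article's IoC hosts or to domains on the .shop/.top TLDs). The log layout, the ivanti.com domain as the legitimate source, and the sample lines are assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article (defanged "[.]" is normalised before matching).
IOC_HOSTS = {"netml.shop", "shopping5.shop", "4.239.95.1",
             "ivanti-pulsesecure.com", "ivanti-secure-access.org"}
WATCH_TLDS = (".shop", ".top")        # TLDs the article singles out for monitoring
OFFICIAL_DOMAIN = "ivanti.com"        # assumed legitimate source of the client
SEARCH_ENGINES = ("google.", "bing.")
# Assumed proxy log layout, one record per line: timestamp src_ip method url referer status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                    r"(?P<referer>\S+) (?P<status>\d{3})$")

def _host_and_path(url):
    # Lower-cased hostname and path; hostname is '' when absent (e.g. referer '-').
    p = urlparse(url)
    return (p.hostname or "").lower(), p.path.lower()

_is_official = lambda h: h == OFFICIAL_DOMAIN or h.endswith("." + OFFICIAL_DOMAIN)

def classify(line):
    """Return (src_ip, reasons) for one proxy log line; reasons is [] when clean."""
    m = LOG_RE.match(line.strip().replace("[.]", "."))  # refang, then parse
    if not m:
        return None, []
    host, path = _host_and_path(m["url"])
    ref_host, _ = _host_and_path(m["referer"])
    is_msi = path.endswith(".msi")
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known IoC host")
    if is_msi and "ivanti" in host and not _is_official(host):
        reasons.append("MSI download from Ivanti lookalike domain")
    if is_msi and not _is_official(host) and any(s in ref_host for s in SEARCH_ENGINES):
        reasons.append("installer fetched via search-engine referral from non-official host")
    if m["method"] == "POST" and host.endswith(WATCH_TLDS):
        reasons.append("POST to domain on watched TLD")
    return m["src"], reasons

def hunt(lines):  # source IP -> set of reasons seen across its log lines
    hits = {}
    for src, reasons in map(classify, lines):
        if reasons:
            hits.setdefault(src, set()).update(reasons)
    return hits

# Constructed sample log lines for this example (not real telemetry).
SAMPLE_LOG = [
    "2025-09-20T10:01:02Z 10.0.0.12 GET https://www.ivanti.com/dl/client.msi https://www.google.com/ 200",
    "2025-09-20T10:03:11Z 10.0.0.15 GET https://ivanti-pulsesecure[.]com/Ivanti-VPN.msi https://www.bing.com/ 200",
    "2025-09-20T10:04:40Z 10.0.0.15 POST https://netml[.]shop/upload - 200",
]
```

Running hunt(SAMPLE_LOG) flags only 10.0.0.15, which both fetched the installer from a lookalike domain after a Bing referral and then posted to a .shop IoC host; the genuine ivanti.com download is left alone.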

Users are urged to avoid downloading software from unfamiliar sources and remain cautious of top search engine results for security-critical software.

Zscaler’s threat hunting operations provide advanced detection through crowdsourced telemetry and continuous hunting for emerging threats, underscoring the critical need for vigilance, proactive monitoring, and user education to defend against highly evasive, search-driven initial access campaigns.

Indicators of Compromise (IoCs)

MD5: 6e258deec1e176516d180d758044c019
MD5: 32a5dc3d82d381a63a383bf10dc3e337
Filename: Ivanti-VPN.msi
IP Address: 4[.]239[.]95[.]1
Domain: netml[.]shop
Domain: shopping5[.]shop
Domain: ivanti-pulsesecure[.]com
Domain: ivanti-secure-access[.]org

The post Threat Actors Exploit Google Search with Fake Ivanti VPN Client Pages to Distribute Malware appeared first on Cyber Security News.