Malicious Ivanti VPN Client Sites in Google Search Deliver Malware — Users Warned

Cybersecurity researchers at Zscaler have uncovered a sophisticated malware campaign that exploits search engine optimization (SEO) poisoning to distribute a trojanized version of the Ivanti Pulse Secure VPN client, targeting unsuspecting users seeking legitimate software downloads.

The Zscaler Threat Hunting team recently detected a surge in malicious activity leveraging SEO manipulation, primarily targeting Bing search engine users.

Cybercriminals are deploying lookalike domains and fake download pages designed to steal VPN credentials, providing attackers with a gateway into corporate networks—a tactic historically linked to devastating ransomware attacks, including the notorious Akira ransomware.

The campaign begins innocuously when users search for terms like “Ivanti Pulse Secure Download” on search engines.

Threat actors have successfully poisoned search results, ensuring their malicious websites appear prominently. Users are directed to fraudulent domains such as ivanti-pulsesecure[.]com and ivanti-secure-access[.]org, registered in September ...