Three stories, one theme: control planes, supply chains, and human workflows remain high-leverage targets. 

This Secplicity blog follows the sequence and details covered by Marc Laliberte and Corey Nachreiner in The443 Podcast Episode 360. 

1) Cisco Catalyst SD-WAN 0-Day (CVSS 10): What happened 

Cisco disclosed and patched a 0-day vulnerability in the Catalyst SD-WAN controller and SD-WAN manager. The issue is scored 10 out of 10 on CVSS. 

• Cisco published an advisory. 
• Cisco Talos published a write-up. 

The vulnerability is described as an authorization bypass that can allow a remote attacker to log in as a high-privileged, non-root user, which can enable manipulation of network configuration on SD-WAN controllers. The write-up also notes an escalation path to root by downgrading, exploiting a 2022 vulnerability, and upgrading again. 

Why this matters operationally 

An internet-exposed SD-WAN controller is an edge-adjacent control-plane system. If it is compromised, an attacker can effectively peer into the network and gain access behind it. These controllers often sit at the gateway, sometimes in front of routing or security devices, which makes them a strategic position for an adversary. 

Cisco and Talos associate exploitation with a China-based threat actor, with activity dating back to at least 2023. In some cases, attackers achieved root persistence via the downgrade-exploit-upgrade mechanism. In most other cases described, attackers established unauthorized SD-WAN peering connections that can look normal unless teams are paying close attention, but still provide access. 

2) What MSPs should do: Patch, verify, and hunt 

Patch immediately, then validate remediation 

Upgrade affected Catalyst SD-WAN controller and manager systems. For MSP operations, remediation is not complete until it is verified at scale. 

Minimum verification standard: 

• Confirm versions post-upgrade across all managed instances. 
• Record verification timestamps. 
• Tie changes back to tickets or change records. 

Manually review all SD-WAN peering connections 

Cisco guidance includes manually reviewing SD-WAN peering connections for unexpected activity. 

Important nuance from the discussion: the “IOC” involved is not a unique malicious log event. It is a legitimate peering log you would normally see. The real check is whether the peering clients and IP addresses are the ones you expect. 

What to look for: 

• Peerings that do not map to known sites, tenants, or providers 
• Peerings created or changed outside approved change control 
• Unexpected IP addresses associated with peering activity 

Hunt for the “minor IOC” related to vmanage-admin 

Cisco also points to a smaller indicator: 

• Look for SSH authentication log entries related to “accept public key” for vmanage-admin. 

Practical triage: 

• Pull SSH authentication logs for the exposure window. 
• Investigate any vmanage-admin public key acceptance that does not match known admin workflows. 
• Treat unexplained findings as potential compromise until ruled out. 

Treat edge devices like software: update cadence matters 

Network firmware and appliance updates should be checked on a regular cadence. Even if updates land less frequently than application patches, the check-and-update motion needs to be consistent. 

3) Shai-Hulud style NPM worm: Poisoning AI toolchains 

Researchers at Socket, a supply chain security company, published research describing a Shai-Hulud style NPM worm poisoning AI toolchains. 

Quick refresher: 

• NPM is the Node Package Manager index, a widely used open-source ecosystem for JavaScript libraries (front-end and back-end). 
• Shai-Hulud references the sandworm in Dune and has been used to label self-propagating worm campaigns in the NPM ecosystem. 
• Prior campaigns included self-replicating worms that stole secrets and infected other packages, with significant impact. 

How malicious packages get into ecosystems (as covered) 

Common paths include: 

• Typosquatting (near-identical package names) 
• Taking over packages when a maintainer abandons one (design weaknesses and ownership transitions) 
• Social engineering maintainers for credentials and using a legitimate package as “patient zero” (the prior example discussed was a popular package compromise used to seed propagation) 

What this specific campaign did 

• Deployed across 19 malicious NPM packages initially. 
• Primarily used typosquatting. 
• Named “sandworm mode” based on environment variables embedded in the malware used as a toggle flag (likely controlling propagation behavior). 

Concrete example: 

• support-color impersonating legitimate supports-color. 
• A subtle naming difference can be enough to trick developers, and ordering or tab-complete behavior can increase the likelihood of selecting the malicious one. 

Propagation and tooling abuse 

Propagation used a combination of: 

• Weaponized GitHub Actions (automation workflows in repositories) 
• Secret harvesting, which can enable automated spread to other packages and repos 

AI-specific targeting: MCP server prompt injection 

Modules directly targeted AI coding assistants: 

• A malicious MCP server is written locally on a developer workstation. 
• Tools are registered that appear benign, including names like: 
• index_project 
• lint_check 
• scan_dependencies 

Each tool contained embedded prompt injections instructing an AI coding assistant to steal SSH keys and sensitive environment variables, save them adjacent, and avoid notifying the user. 

“Living off the land” AI polymorphism 

The malware also included a dormant polymorphic engine that looks for local installations of Ollama and uses local LLM tooling to rewrite code dynamically. This is a “living off the land” approach, but applied to local AI tooling. 

Multi-stage behavior and destructive failsafe 

Stages described: 

1. JavaScript loader 
2. Lightweight credential harvester (developer secrets in working directory) 
3. Deep harvester (additional secrets, databases, crypto wallet keys) 
4. Propagation and persistence 

A notable detail: a “dead switch” behavior where loss of GitHub connectivity can trigger self-destruction, including deleting contents of the user’s home directory. 

MSP takeaway 

Supply chain threats are not theoretical. If your operations include scripts, integrations, internal tooling, or any code-based automation, treat dependency risk as production risk. 

Operational controls that map directly to this threat: 

• Pin dependencies and enforce lockfiles 
• Require review for dependency changes 
• Scan for secrets in repos and CI logs 
• Apply software composition analysis and SBOM practices 
• Limit AI tool access to secrets by default, including SSH keys and environment variable stores 

4) Fake job interviews targeting developers: Bitbucket repos and VS Code execution paths 

Microsoft Defender researchers published an analysis of a coordinated campaign designed to compromise software developers using fake job interviews as the lure. 

How it was detected: 

• Defender telemetry showed outbound connections to known attacker command-and-control infrastructure. 
• Connections originated from Node.js processes on compromised systems. 

Initial delivery: 

• Traced back to malicious software repositories hosted on Bitbucket. 
• Additional related repos were identified through naming patterns and code structure similarities. 

Three execution paths described 

All three paths ultimately ran attacker-controlled JavaScript on developer machines: 

1. VS Code workspace automation triggered via the “folder open” hook 
2. The developer manually runs the application, which decodes a base64-encoded URL and retrieves a JavaScript loader hosted on a trusted external platform 
3. Use of environment files and application logic to open a backdoor to attacker servers 

Post-exploitation flow 

• A first-stage beacon registers the victim system with attacker infrastructure. 
• A second-stage JavaScript loader enables in-memory execution (fileless behavior). 
• Exfiltration mechanisms are included. 

Practical defense that fits real workflows 

VS Code includes a control that matters here: 

• When opening a new folder, VS Code prompts whether the folder is trusted. 
• Selecting “no” disables a set of automations and hooks that can execute without user awareness. 

Human safety checks from the discussion also apply: 

• Be wary of code tests arriving before meaningful interaction with a legitimate employer. 
• Do not treat unsolicited projects as safe by default. 
• Pause before trusting and running unknown code. 

What ties these together 

• Control-plane and edge systems remain prime targets. 
• Supply chain compromise continues to scale impact, now intersecting with AI-assisted development workflows. 
• Social engineering targets the moment a human opens or runs code, and modern dev tooling can execute on “open” events.

Let’s be honest: cybersecurity rules are not exactly thrilling. But if your company supports the U.S. Department of Defense (DoD), CMMC (Cybersecurity Maturity Model Certification) is becoming increasingly difficult to ignore. 

At its core, CMMC exists for one simple reason: to help ensure sensitive government information does not fall into the wrong hands. With cyberattacks becoming more common and more sophisticated, that goal matters more than ever. The DoD has now begun a phased implementation of CMMC requirements in contracts, which makes 2026 a critical window to prepare. (See the DoD’s official overview of CMMC phased implementation and the detailed CMMC “About” page. 

So why is CMMC such a big deal?  

Here is the plain-English breakdown: 

1) Attackers Target the Weakest Link, and CMMC Fixes That 

Defense contractors handle valuable data, from technical designs to operational details. Hackers know this. Instead of attacking the government directly, they often target smaller contractors with weaker security measures because it is faster, cheaper, and easier. 

CMMC helps close those gaps by making sure everyone in the defence supply chain follows basic cybersecurity practices. In other words, it strengthens the whole system, not just the big players. 

2) It Turns “We Think We’re Secure” Into “We Can Prove It” 

Before CMMC, many companies self-reported that they were meeting cybersecurity requirements. That worked sometimes, but self-attestation made it easier for gaps to go unnoticed, or for compliance to look better on paper than it was in practice. 

CMMC changes that by shifting the mindset from “we say we do this” to “we can demonstrate we do this.” For most levels, it introduces assessments and affirmations that help verify your security controls. That is a good thing, especially when real data is on the line. 

For the formal foundation behind the program, the CMMC Program Rule is published as a final rule in the Federal Register and codified in the eCFR (32 CFR Part 170).

3) It Actually Helps Your Business, Not Just the Government 

CMMC is not just about pleasing auditors. The practices it requires, like access controls, incident response plans, and system monitoring, make your company more resilient. They help reduce the chance of a breach, and they make it easier to recover if something does happen. 

That means: 

• Fewer surprises when something goes wrong 
• Less downtime after an attack 
• Better protection for your own data, too 

Think of it like installing a security system in your house. You may do it because it is required, but you also sleep better at night. 

4) It Builds Trust With the DoD  

When you are CMMC compliant, you are essentially telling the DoD, “We take your data seriously.” That goes a long way, especially in a supply chain where one weak link can create risk for everyone. 

Trust leads to: 

• More contract opportunities and eligibility 
• Stronger relationships with prime contractors 
• Faster onboarding as a subcontractor 
• A better reputation in the defence market 

In a competitive space, that trust can be the difference between winning and losing a contract. 

This is also why CMMC is increasingly showing up directly in contract language through DFARS clauses  

such as DFARS 252.204-7021 (and related notices like DFARS 252.204-7025). 

5) It Gives You a Competitive Advantage (Especially Right Now) 

Not every company is ready for CMMC yet. The ones that prepare early stand out. 

Being CMMC-ready means: 

• You are not scrambling when a contract requires it 
• You avoid last-minute fixes, which are expensive 
• You look more professional and prepared than your competitors 
• You can prove your security posture during due diligence 
• You look lower risk to primes and the DoD 

In a competitive bidding process, that readiness can be the difference between being shortlisted or being screened out. 

In short, it is not just compliance. It is a business strategy. 

6) It Supports National Security 

This might sound dramatic, but it’s true. Cyberattacks can weaken military readiness. When sensitive information is stolen or systems are disrupted, real-world missions can be affected. 

By raising cybersecurity standards across thousands of contractors, CMMC helps protect the country’s defense infrastructure. Each compliant company becomes another layer of protection. 

Final Thoughts 

CMMC is important because it goes beyond paperwork. It changes how companies think about cybersecurity, from something optional to something essential. 

If you work with the DoD, CMMC isn’t just a rule to follow. It’s proof that your organization is ready to protect what matters most in an increasingly digital world. 

Bottom line: CMMC isn’t about making life harder. It’s about making systems safer and businesses stronger. 

Introduction

At the turn of the year, we were alerted to a doppelganger domain impersonating WatchGuard’s Mobile VPN with SSL, delivering a malicious spoofed client to steal credentials. Navigating directly to the doppelganger domain resulted in a benign informational WatchGuard VPN page. However, when navigating to the page from a search engine, it redirected the user to what appears to be an official WatchGuard download page for Mobile VPN with SSL software. When clicking download, a ZIP folder from a GitHub account is served. The resulting client sends credentials to a C2 server with no other malware observed.

The methodologies were eerily similar to those in a recent ZScalar blog post showing an SEO poisoning campaign targeting Ivanti’s Pulse Secure VPN Client. Albeit the resulting client was a bit more complex than the WatchGuard-spoofed client. Still the same result: credential theft. That research led to similar reporting from The DFIR Report, where the attackers used SEO poisoning to deliver a trojanized ManageEngine OpManager client with Bumblebee malware, ultimately leading to Akira ransomware. A Cyjax report echoed much of the same, but involving a few more vendors. Then, as research was ongoing, Cyber Security News published a report targeting Fortinet’s FortiClient that mirrored what we just observed. It was obvious that these weren’t just one-off efforts but a sustained, concerted credential campaign, likely from the same threat actor.

Based on the aforementioned reporting, it’s likely this is a ransomware affiliate using these credentials to gain a foothold in networks with the intent to deploy ransomware, such as Akira. Using the IoCs from those reports, combined with the WatchGuard VPN spoofed client infrastructure, we were able to identify doppelganger domains for various other VPN providers that lack fully implemented backend logic, meaning this threat actor is sitting on domains to continue these attacks in the weeks and months ahead. We were able to find infrastructure targeting the following vendors and products:

• Check Point Remote Access VPN
• Cisco AnyConnect Secure Client
• Citrix Secure Access
• F5 BIG-IP
• Fortinet FortiClient VPN
• Ivanti Secure Access Client
• OpenConnect VPN
• Hanwha Vision America Wisenet Viewer
• ManageEngine ADManager Plus
• Network Optix Nx Witness
• Palo Alto Networks GlobalProtect
• QNAP Qfinder Pro
• SonicWall NetExtender
• Sophos Connect
• WatchGuard Mobile VPN with SSL & Firebox VPN with SSL

Currently, the threat actor has the infrastructure in place for five of these vendors and are/were actively stealing credentials:

• WatchGuard Mobile VPN with SSL
• F5 BIG-IP
• Fortinet FortiClient VPN
• SonicWall NetExtender
• Sophos Connect

The purpose of this blog is to append prior research on the breadth of this campaign and some of the nuances between them, and, more importantly, to provide IoCs of their infrastructure to thwart these attacks before they begin.

WatchGuard

When searching for “watchguard vpn” in Bing, Copilot produces one of the doppelganger websites: watchguard-vpn[.]net. At the time of research, there was no backend logic to direct users to the spoofed downloads page.

We were also able to reproduce it using Google, but a malicious domain took a while to find naturally, which is a good thing.

Navigating to one of these domains, such as watchguard-vpn[.]com, one of the two domains hosting the malicious WatchGuard applications, reveals a seemingly simple downloads page. However, there are no external links or mechanisms to download software unless you’re on the /download.html path.

The other domain hosting a malicious credential-stealing application is firebox-ssl[.]com. They both host the application on the /download.html path. The download webpage is navigable if you enter the full URL directly; if you come from any of the specified search engines, it will be redirected to the downloads page.

The fake downloads page mirrors the official WatchGuard page, with the only difference being the download link for the malicious ZIP hosted on GitHub (MD5: 53b461a0eb4a18d76ad7e687a71d3334). The ZIP folder’s location is visible when hovering over the Windows download link.

The repository was created on December 25, 2025, and contains only a ZIP file

The ZIP contains a .NET executable (MD5: 9f0126592145772a25c5b5c00469414d).

The executable is signed with an unknown digital signature from Taiyuan Lihua Near Information Technology Co., Ltd.

Comparing the legitimate VPN client with the fake one reveals it’s an exact clone. Although the genuine software is not a .NET executable.

Entering arbitrary information and clicking Connect results in an error window for an unsupported version. However, on the back end, that information was sent to the attacker’s C2 server, a common tactic where attackers use decoy error prompts to trick the user into thinking nothing malicious occurred.

Inspecting the code reveals the C2 domain within the CheckServer function.

This is confirmed on a packet capture.

Using VirusTotal and searching for files that share the same code-signing certificate yields results similar to ZScalar’s reporting.

The spoofed Ivanti files, signed with a different malicious signing certificate, produced very similar executables, furthering the assumption that this is the same threat actor(s).

Based on the related files, infrastructure, and behaviors, it’s evident that this is likely the same threat actor(s) casting a wide net to spoof VPN providers. Only this time, it affects WatchGuard, as well as many others, which you’ll find in the rest of the report. The main premise of this campaign is to steal VPN credentials to gain access to networks in furtherance of what is likely data exfiltration and/or ransomware, and this assumption is based on prior research, not direct evidence. After researching the WatchGuard portion and finding related reports, we investigated other similar-looking domains. For example, here is one targeting F5’s BIG-IP client.

F5

After navigating to these domains, it was clear this was the same campaign, and one of them was a GitHub Pages domain (big-ip-client[.]github[.]io). This means there’s also a GitHub repository behind this page containing what we thought was another spoofed executable. However, the repository told a different story.

The repository began around the same time as the WatchGuard one – late December 2025. The code only contained the HTML, CSS, and JS required for the doppelganger pages.

 

However, there existed a JS file (script.js) (MD5: 7b9da837d7caaca24d7a3a496f8e606b) that stood out.

Alas, this is the script that steers users from search engines. The script does the following:

• Defines the redirect URL
• Defines specific referer headers from:
  • Bing
  • DuckDuckGo
  • Google
  • Yahoo
  • ChatGPT
  • Copilot
  • Qwant
  • Ecosia
  • NAVER
• Defines filters for specific operating systems
  • Windows only
• Defines filters for specific browsers
  • Chrome
  • Firefox
  • Safari
  • Edge
  • Opera

Thus, if a user clicks on one of the domains with this script, they will be redirected to the fake download URL if:

• The Referer header is from one of the defined search engines
• is on a Windows machine
• and uses one of the listed browsers

Visiting the redirect URL directly shows another spoofed website. Although there’s no ZIP or executable.

This time, when clicking DOWNLOAD, a modal window appears, and when entering dummy data, another familiar error appears. Naturally, a packet capture was performed to confirm another familiar-looking domain – house-connection[.]pro.

Naturally, a packet capture was performed to confirm another familiar-looking domain – house-connection[.]pro.

So, now we have at least two confirmed credential-harvesting campaigns that look very similar. We looked into a few more.

Fortinet

Yet again, there’s the same-looking landing page, but for Fortinet (FortiClient).

We found some targeting Mac users.

Also, some targeting users from other countries. This one is for French speakers.

We were able to uncover yet another GitHub. This one began in 2023 and is related to Artisan and Giesen, a coffee company. However, it was recently updated in the last few months for this campaign.

Again, no executable, but another script.js (MD5: 16d3caab742f610d54030f7112757187). It is the same as the BIG-IP one, but with a different redirect.

The redirect URL points to yet another spoofed download page, this time for FortiClient 7.4.

Scrolling down and clicking a DOWNLOAD link produces the same-looking modal window.

Throws the same-looking error.

This time it sent credentials directly to myfiles2[.]download. This time, we discovered a counter (attempt). After the first attempt, the link downloads the actual FortiClient client.

SonicWall

Onto SonicWall’s NetExtender. Similar webpage, but targeting MacOS.

The second webpage we found looked very different from the others and had no Download workable link.

A few seconds after navigating to the webpage, an unprovoked modal window appears.

Inserting dummy data throws another error message.

A packet capture confirmed data exfiltration to a C2 server (5913261[.]cc)

Inspecting the page reveals a JS file, called popup.js (MD5: 24bbd9a0732172730d5653eab213c082), that is not present on other vendor pages.

The script contained normal behavior to invoke a modal window, but the bottom of the script told the whole story. The script defines the C2, and a defined variable points to the actual NetExtender client. The script's logic mimics the behavior we saw on the spoofed FortiClient page. The first “download” action sends the credentials to the C2. It then sets “attempt” to 2, so every subsequent click is treated as the second click, downloading the legitimate executable.

The processes are all a bit different, but the end result is the same: to steal credentials on the first attempt, throw a benign error to make it look legitimate, and, in some cases, ensure the user directs a legit installer on subsequent attempts.

Sophos

The final vendor that the threat actors had active at the time of research was Sophos Connect. Searching for “sophos connect client” results in the same SEO poisoning attack as the others.

The resulting webpage.

Although this webpage didn’t yet have the logic to serve the malicious spoofed client, we were able to access the GitHub page where it is hosted via related infrastructure. It was also created in mid-to-late December.

This one did contain a ZIP (MD5: 85b0472aa928d61fc338b99832bd1fbd) and subsequent executable (MD5: ec6212c853cbbdc02b5158b4fb3548fb). The executable, just like the WatchGuard one, directly spoofed the VPN client. Although this one was more like the Ivanti client discussed by ZScalar and was not a simple .NET application akin to the WatchGuard one.

Side-by-side comparison of the real and fake clients.

Throwing some dummy data in the client and attempting to log in shows the C2: postgresql-download/Server.

Packet capture for confirmation.

Other Spoofed Webpages

We found a slew of doppelganger domains containing spoofed webpages from a bunch of other VPN providers. These domains are listed in the IoCs table. Most look very similar, as if spun up by an automated tool, while others look like direct clones of their legitimate counterparts.

Other Dissemination Techniques

We also found various forums and embedded iframes containing these references, indicating that SEO poisoning isn’t the only tactic used to trick users. Here’s an example of an embedded iframe on a compromised domain.

And an example of a spam comment to one of these domains.

We found a C2 that was spun up at the very end of research. Not yet connected to one of the spoofed providers.

• vpn-connection[.]pro (82.29.157.171)

Conclusion

To conclude, after we learned of the WatchGuard doppelganger domains and researched them, we discovered infrastructure targeting several other remote access and VPN providers. Most of them were under construction, in the process of being set up for further attacks, or had been taken down. Although we were able to find at least five vendors with active campaigns against them. This list is not exhaustive, and there’s likely more vendors being targeted, as well as other domains like the ones we found. Nonetheless, the endgame is all the same – credential theft.

The threat actor(s) register these domains and employ SEO poisoning, iframe overlays, and forum spam to support these attacks. The threat actor(s) use trusted infrastructure such as GitHub, Google Cloud, and Cloudflare because the IP addresses are usually not blocked. On its face, none of this looks malicious, but that’s the point.

Preventing these attacks as a user begins with awareness. Know what you’re clicking on, even if the results are high on search engine lists. If you ever have a hunch that something nefarious is going on, navigate to the vendors directly and find the appropriate download links. More technical countermeasures include multi-factor authentication (MFA) and a password manager. MFA will prevent unauthorized access even with stolen credentials, and a password manager makes changing those credentials easier and more secure.

Indicators of Compromise (IoCs)

Targeted Vendor	Targeted Product	Domain	IP Addresses
Check Point	Remote Access VPN Client	*[.]checkpoint-vpn[.]com	144.172.116.169
Cisco	AnyConnect (Secure Client)	*[.]cisco-anyconnect[.]de	172.86.123.53
Cisco	AnyConnect (Secure Client)	*[.]cisco-anyconnect[.]fr	80.249.132.130
Cisco	AnyConnect (Secure Client)	*[.]secure-client[.]org	172.67.184.205, 104.21.76.10
Citrix	Secure Access Client	*[.]citrix-secure-access[.]com	172.67.164.121, 104.21.34.199
F5	BIG-IP Client	*[.]big-ip-client[.]com	172.67.182.218, 104.21.91.249
F5	BIG-IP Client	*[.]big-ip-client[.]github[.]io	N/A
F5	BIG-IP Client	*[.]big-ip-client[.]net	80.249.132.130
Fortinet	FortiClient	*[.]forticlient-download[.]es	185.42.104.126
Fortinet	FortiClient	*[.]forticlient-for-mac[.]com	172.67.172.58, 104.21.30.70
Fortinet	FortiClient	*[.]forticlient-vpn[.]fr	104.21.44.244, 172.67.205.125
Fortinet	FortiClient	*[.]fortinet-vpn[.]com	144.172.116.169
Fortinet	FortiClient	*[.]vpn-fortinet[.]com	144.172.116.169
Fortinet	FortiClient	*[.]vpn-fortinet[.]github[.]io	N/A
FOSS	OpenConnect VPN	*[.]openconnect-download[.]com	199.59.243.228
Hanwha Vision America	Wisenet Viewer	*[.]wisenet-viewer[.]com	172.67.130.129, 104.21.3.85
ManageEngine	ADManager Plus	*[.]admanager-plus[.]com	172.67.186.98, 104.21.43.221
Network Optix	Nx Witness	*[.]nx-witness[.]com	104.21.66.91, 172.67.158.84
Network Optix	Nx Witness	*[.]nx-witness[.]org	172.67.191.72, 104.21.20.32
Palo Alto Networks	GlobalProtect	*[.]globalprotect[.]es	167.88.165.182
Palo Alto Networks	GlobalProtect	*[.]globalprotect-download[.]com	167.88.165.182
QNAP	Qfinder Pro	*[.]qfinder-pro[.]com	194.164.74.38
SonicWall	NetExtender	*[.]netextender-client[.]com	172.67.143.42, 104.21.46.238
SonicWall	NetExtender	*[.]netextender-sonicwall[.]com	104.21.19.99, 172.67.185.189
SonicWall	NetExtender	*[.]netextender-sonicwall[.]net	199.59.243.228
SonicWall	NetExtender	*[.]netextender-sonicwall[.]org	147.93.73.92
SonicWall	NetExtender	*[.]netextender-vpn[.]com	172.67.129.217, 104.21.1.189
SonicWall	NetExtender	*[.]sonicwall-netextender[.]com	104.21.75.212, 172.67.182.57
SonicWall	NetExtender	*[.]sonicwall-netextender[.]net	172.67.198.8, 104.21.68.190
SonicWall	NetExtender	*[.]sonicwall-netextender[.]org	104.21.18.117, 172.67.181.204
SonicWall	NetExtender	*[.]sonicwall-netextender[.]nl	144.172.116.169
SonicWall	NetExtender	*[.]sonicwall-netextender[.]de	104.21.54.226, 172.67.143.27
Sophos	Sophos Connect	*[.]sophos-connect[.]com	3.33.130.190, 15.197.148.33
Sophos	Sophos Connect	*[.]sophos-connect[.]org	80.249.132.131
WatchGuard	Mobile VPN with SSL	*[.]firebox-ssl[.]com	80.249.132.131
WatchGuard	Mobile VPN with SSL	*[.]watchguard-vpn[.]com	104.21.78.99, 172.67.220.52
WatchGuard	Mobile VPN with SSL	*[.]watchguard-vpn[.]net	74.208.236.39
WatchGuard	Mobile VPN with SSL	*[.]watchguard-vpn[.]org	80.249.132.131

C2s

Domain	IP Addresses
house-connection[.]pro	82.29.157.171
myfiles2[.]download	172.67.175.165, 104.21.72.52
5913261[.]cc	54.215.31.113
postgresql-download[.]com	172.67.206.108, 104.21.85.137
myconnection[.]pro	82.29.157.171
vpn-connection[.]pro	82.29.157.171

 

Hashes (MD5)

Targeted Product	Hash	File Type
Spoofed Sophos Connect	85b0472aa928d61fc338b99832bd1fbd	ZIP
Spoofed Sophos Connect	ec6212c853cbbdc02b5158b4fb3548fb	EXE
Spoofed WatchGuard VPN	53b461a0eb4a18d76ad7e687a71d3334	ZIP
Spoofed WatchGuard VPN	9f0126592145772a25c5b5c00469414d	EXE
F5 BIG-IP Steering Script	7b9da837d7caaca24d7a3a496f8e606b	JS
FortiClient Steering Script	16d3caab742f610d54030f7112757187	JS
SonicWall Popup Script	24bbd9a0732172730d5653eab213c082	JS

Repositories

github.com/big-ip-client

github.com/vpn-fortinet

github.com/wg-vpn

Malicious Code Signing Certificate Information

Name	Taiyuan Lihua Near Information Technology Co., Ltd.
Status	Valid
Issuer	Certum Extended Validation Code Signing 2021 CA
Valid From	10:45 AM 12/11/2025
Valid To	10:45 AM 12/11/2026
Valid Usage	Code Signing
Algorithm	sha256RSA
Thumbprint	731B7470AA8F16ADBDEF712A01C2FCBCA5A1D554
Serial Number	77 3D D2 F9 AD AC 8E 55 2D 11 AD 73 7D 17 F7 72

References

https://cybersecuritynews.com/fake-fortinet-sites/
https://cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/
https://x.com/g0njxa/status/2009596938815942858
https://zscaler.com/blogs/security-research/spoofed-ivanti-vpn-client-sites