The cybersecurity landscape is shifting quickly. In Episode 361 of The443 Podcast, Marc Laliberte and Corey Nachreiner discuss three emerging issues shaping modern security: 

• A critical authentication bypass in a popular JSON Web Token (JWT) library 
• An autonomous AI bot exploiting GitHub repositories at scale 
• A controversial age-verification law that could reshape online privacy 

While these topics span different areas of cybersecurity, they share a common theme: the intersection of automation, AI, and security controls is introducing both powerful defensive tools and new attack surfaces. 

Let’s break down the key lessons. 

A JWT Vulnerability Shows How Small Implementation Errors Become Critical Flaws 

The episode opens with a discussion about a recently discovered vulnerability in a Java JSON Web Token authentication library. 

For context, JSON Web Tokens (JWTs) are widely used in modern web applications for authentication. When a user logs into an application, the system creates a token containing information such as the user ID or privileges. The token is cryptographically signed so attackers cannot modify it without detection. 

In theory, this system is secure. In practice, the vulnerability demonstrates how fragile implementations can be. 

Researchers discovered that the library incorrectly handled a null return value during token validation. Instead of rejecting the request when a signed token could not be extracted, the code simply skipped the validation step entirely. 

That meant an attacker could: 

1. Create an unsigned token 
2. Encrypt it with the server’s public key 
3. Send it to the application 
4. Receive full authenticated access 

Because the token validation step never ran, the server accepted the unverified token and created a valid session. 

The flaw received a CVSS 10.0 score, highlighting how devastating small implementation mistakes can be in authentication systems. 

The good news is that the maintainers patched the issue within two business days. But the bigger story lies in how the vulnerability was discovered. 

AI-Assisted Vulnerability Discovery Is Becoming the New Normal 

The researchers who uncovered the JWT flaw did not find it through traditional manual auditing. 

Instead, the vulnerability was flagged by an AI-powered code analysis tool designed to identify risky patterns in software. 

This highlights an accelerating shift in cybersecurity. 

AI is now being used to: 

• Analyze massive codebases for security flaws 
• Detect insecure patterns in authentication logic 
• Automate vulnerability discovery 

For defenders, this is a powerful new capability. 

For attackers, it is equally powerful. 

As Corey points out in the episode, the barrier to entry for finding vulnerabilities is rapidly disappearing. Tasks that once required highly specialized expertise can now be assisted or accelerated by AI systems. 

In other words: 

Zero-day discovery may soon occur at machine speed. 

Organizations that fail to adopt AI-assisted security testing risk falling behind attackers who are already experimenting with these techniques. 

Autonomous AI Bots Are Now Attempting Real Attacks 

If the JWT story shows the promise of AI in security research, the next story highlights its darker potential. 

Researchers recently documented a week-long automated attack conducted by an AI agent built using an open-source system called OpenClaw. 

The bot, called HackerBot, was tasked with one simple objective: 

Find and exploit vulnerabilities in GitHub repositories. 

The AI scanned public repositories and targeted GitHub Actions workflows, which are commonly used to automate software development tasks like code testing, merging pull requests, and deployment. 

Out of seven targeted projects, the bot successfully compromised four. 

The attack methods included: 

• Injecting malicious code into pull request scripts 
• Exploiting workflows that executed untrusted code 
• Using branch names to inject shell commands into automation pipelines 

In one particularly creative example, the attacker embedded a malicious command directly into the branch name. Because the workflow piped the branch name into a shell command, the injected payload executed automatically. 

The bot also compromised a repository owned by Microsoft using this technique. 

In another case, it stole credentials from a compromised repository and used them to vandalize project files and upload suspicious artifacts to developer tools. 

This experiment demonstrated something significant: 

An AI agent can now execute large portions of the attack chain autonomously. 

The human operator only needed to provide the objective. 

The AI handled: 

• reconnaissance 
• vulnerability discovery 
• exploitation attempts 
• credential theft 

In at least one instance, the attack was blocked by defensive AI that detected the prompt injection attempt and flagged it as malicious. 

If that sounds like science fiction, it is not. 

It is AI vs. AI security warfare beginning to emerge in real-world environments. 

A New California Law Raises Questions About Privacy and Age Verification 

The final topic shifts away from direct cyber threats and toward internet governance. 

California recently passed Assembly Bill 1043, which will require operating systems to provide age verification signals for applications starting in 2027. 

The goal is simple: protect children from harmful online content. 

Instead of every website implementing its own age verification system, operating systems would verify a user’s age and share a simple age band with applications, such as: 

• under 13 
• 13 to 16 
• 16 to 18 
• over 18 

On paper, the idea sounds reasonable. 

In practice, it raises serious concerns. 

For example: 

• Current operating systems often rely on self-reported birth dates 
• Open-source operating systems may not be able to implement the requirement 
• Privacy risks increase if identity verification becomes mandatory 

Critics argue the law could create unintended consequences, including: 

• forcing platforms to collect more personal data 
• encouraging people to bypass verification with VPNs 
• complicating compliance for open-source ecosystems 

The broader issue is that age verification on the internet remains an unsolved problem. 

Centralized verification systems introduce privacy risks, while decentralized implementations often fail to prevent bypasses. 

As the hosts note, the likely outcome is that the first few attempts will be messy before the industry eventually settles on a workable standard. 

AI Is Reshaping Cybersecurity 

Across all three stories, one theme stands out. 

AI is fundamentally changing how cybersecurity works. 

It is accelerating: 

• vulnerability discovery 
• attack automation 
• defensive detection systems 

Security teams that adopt AI tools will gain powerful advantages. 

Those that do not may find themselves defending against threats that evolve faster than human analysts can respond. 

The cybersecurity industry is entering a new phase where automation, AI agents, and machine-assisted security research are becoming the norm rather than the exception. 

The key challenge now is ensuring these tools strengthen defenses faster than attackers can weaponize them. 

Let’s be honest: cybersecurity rules are not exactly thrilling. But if your company supports the U.S. Department of Defense (DoD), CMMC (Cybersecurity Maturity Model Certification) is becoming increasingly difficult to ignore. 

At its core, CMMC exists for one simple reason: to help ensure sensitive government information does not fall into the wrong hands. With cyberattacks becoming more common and more sophisticated, that goal matters more than ever. The DoD has now begun a phased implementation of CMMC requirements in contracts, which makes 2026 a critical window to prepare. (See the DoD’s official overview of CMMC phased implementation and the detailed CMMC “About” page. 

So why is CMMC such a big deal?  

Here is the plain-English breakdown: 

1) Attackers Target the Weakest Link, and CMMC Fixes That 

Defense contractors handle valuable data, from technical designs to operational details. Hackers know this. Instead of attacking the government directly, they often target smaller contractors with weaker security measures because it is faster, cheaper, and easier. 

CMMC helps close those gaps by making sure everyone in the defence supply chain follows basic cybersecurity practices. In other words, it strengthens the whole system, not just the big players. 

2) It Turns “We Think We’re Secure” Into “We Can Prove It” 

Before CMMC, many companies self-reported that they were meeting cybersecurity requirements. That worked sometimes, but self-attestation made it easier for gaps to go unnoticed, or for compliance to look better on paper than it was in practice. 

CMMC changes that by shifting the mindset from “we say we do this” to “we can demonstrate we do this.” For most levels, it introduces assessments and affirmations that help verify your security controls. That is a good thing, especially when real data is on the line. 

For the formal foundation behind the program, the CMMC Program Rule is published as a final rule in the Federal Register and codified in the eCFR (32 CFR Part 170).

3) It Actually Helps Your Business, Not Just the Government 

CMMC is not just about pleasing auditors. The practices it requires, like access controls, incident response plans, and system monitoring, make your company more resilient. They help reduce the chance of a breach, and they make it easier to recover if something does happen. 

That means: 

• Fewer surprises when something goes wrong 
• Less downtime after an attack 
• Better protection for your own data, too 

Think of it like installing a security system in your house. You may do it because it is required, but you also sleep better at night. 

4) It Builds Trust With the DoD  

When you are CMMC compliant, you are essentially telling the DoD, “We take your data seriously.” That goes a long way, especially in a supply chain where one weak link can create risk for everyone. 

Trust leads to: 

• More contract opportunities and eligibility 
• Stronger relationships with prime contractors 
• Faster onboarding as a subcontractor 
• A better reputation in the defence market 

In a competitive space, that trust can be the difference between winning and losing a contract. 

This is also why CMMC is increasingly showing up directly in contract language through DFARS clauses  

such as DFARS 252.204-7021 (and related notices like DFARS 252.204-7025). 

5) It Gives You a Competitive Advantage (Especially Right Now) 

Not every company is ready for CMMC yet. The ones that prepare early stand out. 

Being CMMC-ready means: 

• You are not scrambling when a contract requires it 
• You avoid last-minute fixes, which are expensive 
• You look more professional and prepared than your competitors 
• You can prove your security posture during due diligence 
• You look lower risk to primes and the DoD 

In a competitive bidding process, that readiness can be the difference between being shortlisted or being screened out. 

In short, it is not just compliance. It is a business strategy. 

6) It Supports National Security 

This might sound dramatic, but it’s true. Cyberattacks can weaken military readiness. When sensitive information is stolen or systems are disrupted, real-world missions can be affected. 

By raising cybersecurity standards across thousands of contractors, CMMC helps protect the country’s defense infrastructure. Each compliant company becomes another layer of protection. 

Final Thoughts 

CMMC is important because it goes beyond paperwork. It changes how companies think about cybersecurity, from something optional to something essential. 

If you work with the DoD, CMMC isn’t just a rule to follow. It’s proof that your organization is ready to protect what matters most in an increasingly digital world. 

Bottom line: CMMC isn’t about making life harder. It’s about making systems safer and businesses stronger. 

Introduction

At the turn of the year, we were alerted to a doppelganger domain impersonating WatchGuard’s Mobile VPN with SSL, delivering a malicious spoofed client to steal credentials. Navigating directly to the doppelganger domain resulted in a benign informational WatchGuard VPN page. However, when navigating to the page from a search engine, it redirected the user to what appears to be an official WatchGuard download page for Mobile VPN with SSL software. When clicking download, a ZIP folder from a GitHub account is served. The resulting client sends credentials to a C2 server with no other malware observed.

The methodologies were eerily similar to those in a recent ZScalar blog post showing an SEO poisoning campaign targeting Ivanti’s Pulse Secure VPN Client. Albeit the resulting client was a bit more complex than the WatchGuard-spoofed client. Still the same result: credential theft. That research led to similar reporting from The DFIR Report, where the attackers used SEO poisoning to deliver a trojanized ManageEngine OpManager client with Bumblebee malware, ultimately leading to Akira ransomware. A Cyjax report echoed much of the same, but involving a few more vendors. Then, as research was ongoing, Cyber Security News published a report targeting Fortinet’s FortiClient that mirrored what we just observed. It was obvious that these weren’t just one-off efforts but a sustained, concerted credential campaign, likely from the same threat actor.

Based on the aforementioned reporting, it’s likely this is a ransomware affiliate using these credentials to gain a foothold in networks with the intent to deploy ransomware, such as Akira. Using the IoCs from those reports, combined with the WatchGuard VPN spoofed client infrastructure, we were able to identify doppelganger domains for various other VPN providers that lack fully implemented backend logic, meaning this threat actor is sitting on domains to continue these attacks in the weeks and months ahead. We were able to find infrastructure targeting the following vendors and products:

• Check Point Remote Access VPN
• Cisco AnyConnect Secure Client
• Citrix Secure Access
• F5 BIG-IP
• Fortinet FortiClient VPN
• Ivanti Secure Access Client
• OpenConnect VPN
• Hanwha Vision America Wisenet Viewer
• ManageEngine ADManager Plus
• Network Optix Nx Witness
• Palo Alto Networks GlobalProtect
• QNAP Qfinder Pro
• SonicWall NetExtender
• Sophos Connect
• WatchGuard Mobile VPN with SSL & Firebox VPN with SSL

Currently, the threat actor has the infrastructure in place for five of these vendors and are/were actively stealing credentials:

• WatchGuard Mobile VPN with SSL
• F5 BIG-IP
• Fortinet FortiClient VPN
• SonicWall NetExtender
• Sophos Connect

The purpose of this blog is to append prior research on the breadth of this campaign and some of the nuances between them, and, more importantly, to provide IoCs of their infrastructure to thwart these attacks before they begin.

WatchGuard

When searching for “watchguard vpn” in Bing, Copilot produces one of the doppelganger websites: watchguard-vpn[.]net. At the time of research, there was no backend logic to direct users to the spoofed downloads page.

We were also able to reproduce it using Google, but a malicious domain took a while to find naturally, which is a good thing.

Navigating to one of these domains, such as watchguard-vpn[.]com, one of the two domains hosting the malicious WatchGuard applications, reveals a seemingly simple downloads page. However, there are no external links or mechanisms to download software unless you’re on the /download.html path.

The other domain hosting a malicious credential-stealing application is firebox-ssl[.]com. They both host the application on the /download.html path. The download webpage is navigable if you enter the full URL directly; if you come from any of the specified search engines, it will be redirected to the downloads page.

The fake downloads page mirrors the official WatchGuard page, with the only difference being the download link for the malicious ZIP hosted on GitHub (MD5: 53b461a0eb4a18d76ad7e687a71d3334). The ZIP folder’s location is visible when hovering over the Windows download link.

The repository was created on December 25, 2025, and contains only a ZIP file

The ZIP contains a .NET executable (MD5: 9f0126592145772a25c5b5c00469414d).

The executable is signed with an unknown digital signature from Taiyuan Lihua Near Information Technology Co., Ltd.

Comparing the legitimate VPN client with the fake one reveals it’s an exact clone. Although the genuine software is not a .NET executable.

Entering arbitrary information and clicking Connect results in an error window for an unsupported version. However, on the back end, that information was sent to the attacker’s C2 server, a common tactic where attackers use decoy error prompts to trick the user into thinking nothing malicious occurred.

Inspecting the code reveals the C2 domain within the CheckServer function.

This is confirmed on a packet capture.

Using VirusTotal and searching for files that share the same code-signing certificate yields results similar to ZScalar’s reporting.

The spoofed Ivanti files, signed with a different malicious signing certificate, produced very similar executables, furthering the assumption that this is the same threat actor(s).

Based on the related files, infrastructure, and behaviors, it’s evident that this is likely the same threat actor(s) casting a wide net to spoof VPN providers. Only this time, it affects WatchGuard, as well as many others, which you’ll find in the rest of the report. The main premise of this campaign is to steal VPN credentials to gain access to networks in furtherance of what is likely data exfiltration and/or ransomware, and this assumption is based on prior research, not direct evidence. After researching the WatchGuard portion and finding related reports, we investigated other similar-looking domains. For example, here is one targeting F5’s BIG-IP client.

F5

After navigating to these domains, it was clear this was the same campaign, and one of them was a GitHub Pages domain (big-ip-client[.]github[.]io). This means there’s also a GitHub repository behind this page containing what we thought was another spoofed executable. However, the repository told a different story.

The repository began around the same time as the WatchGuard one – late December 2025. The code only contained the HTML, CSS, and JS required for the doppelganger pages.

 

However, there existed a JS file (script.js) (MD5: 7b9da837d7caaca24d7a3a496f8e606b) that stood out.

Alas, this is the script that steers users from search engines. The script does the following:

• Defines the redirect URL
• Defines specific referer headers from:
  • Bing
  • DuckDuckGo
  • Google
  • Yahoo
  • ChatGPT
  • Copilot
  • Qwant
  • Ecosia
  • NAVER
• Defines filters for specific operating systems
  • Windows only
• Defines filters for specific browsers
  • Chrome
  • Firefox
  • Safari
  • Edge
  • Opera

Thus, if a user clicks on one of the domains with this script, they will be redirected to the fake download URL if:

• The Referer header is from one of the defined search engines
• is on a Windows machine
• and uses one of the listed browsers

Visiting the redirect URL directly shows another spoofed website. Although there’s no ZIP or executable.

This time, when clicking DOWNLOAD, a modal window appears, and when entering dummy data, another familiar error appears. Naturally, a packet capture was performed to confirm another familiar-looking domain – house-connection[.]pro.

Naturally, a packet capture was performed to confirm another familiar-looking domain – house-connection[.]pro.

So, now we have at least two confirmed credential-harvesting campaigns that look very similar. We looked into a few more.

Fortinet

Yet again, there’s the same-looking landing page, but for Fortinet (FortiClient).

We found some targeting Mac users.

Also, some targeting users from other countries. This one is for French speakers.

We were able to uncover yet another GitHub. This one began in 2023 and is related to Artisan and Giesen, a coffee company. However, it was recently updated in the last few months for this campaign.

Again, no executable, but another script.js (MD5: 16d3caab742f610d54030f7112757187). It is the same as the BIG-IP one, but with a different redirect.

The redirect URL points to yet another spoofed download page, this time for FortiClient 7.4.

Scrolling down and clicking a DOWNLOAD link produces the same-looking modal window.

Throws the same-looking error.

This time it sent credentials directly to myfiles2[.]download. This time, we discovered a counter (attempt). After the first attempt, the link downloads the actual FortiClient client.

SonicWall

Onto SonicWall’s NetExtender. Similar webpage, but targeting MacOS.

The second webpage we found looked very different from the others and had no Download workable link.

A few seconds after navigating to the webpage, an unprovoked modal window appears.

Inserting dummy data throws another error message.

A packet capture confirmed data exfiltration to a C2 server (5913261[.]cc)

Inspecting the page reveals a JS file, called popup.js (MD5: 24bbd9a0732172730d5653eab213c082), that is not present on other vendor pages.

The script contained normal behavior to invoke a modal window, but the bottom of the script told the whole story. The script defines the C2, and a defined variable points to the actual NetExtender client. The script's logic mimics the behavior we saw on the spoofed FortiClient page. The first “download” action sends the credentials to the C2. It then sets “attempt” to 2, so every subsequent click is treated as the second click, downloading the legitimate executable.

The processes are all a bit different, but the end result is the same: to steal credentials on the first attempt, throw a benign error to make it look legitimate, and, in some cases, ensure the user directs a legit installer on subsequent attempts.

Sophos

The final vendor that the threat actors had active at the time of research was Sophos Connect. Searching for “sophos connect client” results in the same SEO poisoning attack as the others.

The resulting webpage.

Although this webpage didn’t yet have the logic to serve the malicious spoofed client, we were able to access the GitHub page where it is hosted via related infrastructure. It was also created in mid-to-late December.

This one did contain a ZIP (MD5: 85b0472aa928d61fc338b99832bd1fbd) and subsequent executable (MD5: ec6212c853cbbdc02b5158b4fb3548fb). The executable, just like the WatchGuard one, directly spoofed the VPN client. Although this one was more like the Ivanti client discussed by ZScalar and was not a simple .NET application akin to the WatchGuard one.

Side-by-side comparison of the real and fake clients.

Throwing some dummy data in the client and attempting to log in shows the C2: postgresql-download/Server.

Packet capture for confirmation.

Other Spoofed Webpages

We found a slew of doppelganger domains containing spoofed webpages from a bunch of other VPN providers. These domains are listed in the IoCs table. Most look very similar, as if spun up by an automated tool, while others look like direct clones of their legitimate counterparts.

Other Dissemination Techniques

We also found various forums and embedded iframes containing these references, indicating that SEO poisoning isn’t the only tactic used to trick users. Here’s an example of an embedded iframe on a compromised domain.

And an example of a spam comment to one of these domains.

We found a C2 that was spun up at the very end of research. Not yet connected to one of the spoofed providers.

• vpn-connection[.]pro (82.29.157.171)

Conclusion

To conclude, after we learned of the WatchGuard doppelganger domains and researched them, we discovered infrastructure targeting several other remote access and VPN providers. Most of them were under construction, in the process of being set up for further attacks, or had been taken down. Although we were able to find at least five vendors with active campaigns against them. This list is not exhaustive, and there’s likely more vendors being targeted, as well as other domains like the ones we found. Nonetheless, the endgame is all the same – credential theft.

The threat actor(s) register these domains and employ SEO poisoning, iframe overlays, and forum spam to support these attacks. The threat actor(s) use trusted infrastructure such as GitHub, Google Cloud, and Cloudflare because the IP addresses are usually not blocked. On its face, none of this looks malicious, but that’s the point.

Preventing these attacks as a user begins with awareness. Know what you’re clicking on, even if the results are high on search engine lists. If you ever have a hunch that something nefarious is going on, navigate to the vendors directly and find the appropriate download links. More technical countermeasures include multi-factor authentication (MFA) and a password manager. MFA will prevent unauthorized access even with stolen credentials, and a password manager makes changing those credentials easier and more secure.

Indicators of Compromise (IoCs)

Targeted Vendor	Targeted Product	Domain	IP Addresses
Check Point	Remote Access VPN Client	*[.]checkpoint-vpn[.]com	144.172.116.169
Cisco	AnyConnect (Secure Client)	*[.]cisco-anyconnect[.]de	172.86.123.53
Cisco	AnyConnect (Secure Client)	*[.]cisco-anyconnect[.]fr	80.249.132.130
Cisco	AnyConnect (Secure Client)	*[.]secure-client[.]org	172.67.184.205, 104.21.76.10
Citrix	Secure Access Client	*[.]citrix-secure-access[.]com	172.67.164.121, 104.21.34.199
F5	BIG-IP Client	*[.]big-ip-client[.]com	172.67.182.218, 104.21.91.249
F5	BIG-IP Client	*[.]big-ip-client[.]github[.]io	N/A
F5	BIG-IP Client	*[.]big-ip-client[.]net	80.249.132.130
Fortinet	FortiClient	*[.]forticlient-download[.]es	185.42.104.126
Fortinet	FortiClient	*[.]forticlient-for-mac[.]com	172.67.172.58, 104.21.30.70
Fortinet	FortiClient	*[.]forticlient-vpn[.]fr	104.21.44.244, 172.67.205.125
Fortinet	FortiClient	*[.]fortinet-vpn[.]com	144.172.116.169
Fortinet	FortiClient	*[.]vpn-fortinet[.]com	144.172.116.169
Fortinet	FortiClient	*[.]vpn-fortinet[.]github[.]io	N/A
FOSS	OpenConnect VPN	*[.]openconnect-download[.]com	199.59.243.228
Hanwha Vision America	Wisenet Viewer	*[.]wisenet-viewer[.]com	172.67.130.129, 104.21.3.85
ManageEngine	ADManager Plus	*[.]admanager-plus[.]com	172.67.186.98, 104.21.43.221
Network Optix	Nx Witness	*[.]nx-witness[.]com	104.21.66.91, 172.67.158.84
Network Optix	Nx Witness	*[.]nx-witness[.]org	172.67.191.72, 104.21.20.32
Palo Alto Networks	GlobalProtect	*[.]globalprotect[.]es	167.88.165.182
Palo Alto Networks	GlobalProtect	*[.]globalprotect-download[.]com	167.88.165.182
QNAP	Qfinder Pro	*[.]qfinder-pro[.]com	194.164.74.38
SonicWall	NetExtender	*[.]netextender-client[.]com	172.67.143.42, 104.21.46.238
SonicWall	NetExtender	*[.]netextender-sonicwall[.]com	104.21.19.99, 172.67.185.189
SonicWall	NetExtender	*[.]netextender-sonicwall[.]net	199.59.243.228
SonicWall	NetExtender	*[.]netextender-sonicwall[.]org	147.93.73.92
SonicWall	NetExtender	*[.]netextender-vpn[.]com	172.67.129.217, 104.21.1.189
SonicWall	NetExtender	*[.]sonicwall-netextender[.]com	104.21.75.212, 172.67.182.57
SonicWall	NetExtender	*[.]sonicwall-netextender[.]net	172.67.198.8, 104.21.68.190
SonicWall	NetExtender	*[.]sonicwall-netextender[.]org	104.21.18.117, 172.67.181.204
SonicWall	NetExtender	*[.]sonicwall-netextender[.]nl	144.172.116.169
SonicWall	NetExtender	*[.]sonicwall-netextender[.]de	104.21.54.226, 172.67.143.27
Sophos	Sophos Connect	*[.]sophos-connect[.]com	3.33.130.190, 15.197.148.33
Sophos	Sophos Connect	*[.]sophos-connect[.]org	80.249.132.131
WatchGuard	Mobile VPN with SSL	*[.]firebox-ssl[.]com	80.249.132.131
WatchGuard	Mobile VPN with SSL	*[.]watchguard-vpn[.]com	104.21.78.99, 172.67.220.52
WatchGuard	Mobile VPN with SSL	*[.]watchguard-vpn[.]net	74.208.236.39
WatchGuard	Mobile VPN with SSL	*[.]watchguard-vpn[.]org	80.249.132.131

C2s

Domain	IP Addresses
house-connection[.]pro	82.29.157.171
myfiles2[.]download	172.67.175.165, 104.21.72.52
5913261[.]cc	54.215.31.113
postgresql-download[.]com	172.67.206.108, 104.21.85.137
myconnection[.]pro	82.29.157.171
vpn-connection[.]pro	82.29.157.171

 

Hashes (MD5)

Targeted Product	Hash	File Type
Spoofed Sophos Connect	85b0472aa928d61fc338b99832bd1fbd	ZIP
Spoofed Sophos Connect	ec6212c853cbbdc02b5158b4fb3548fb	EXE
Spoofed WatchGuard VPN	53b461a0eb4a18d76ad7e687a71d3334	ZIP
Spoofed WatchGuard VPN	9f0126592145772a25c5b5c00469414d	EXE
F5 BIG-IP Steering Script	7b9da837d7caaca24d7a3a496f8e606b	JS
FortiClient Steering Script	16d3caab742f610d54030f7112757187	JS
SonicWall Popup Script	24bbd9a0732172730d5653eab213c082	JS

Repositories

github.com/big-ip-client

github.com/vpn-fortinet

github.com/wg-vpn

Malicious Code Signing Certificate Information

Name	Taiyuan Lihua Near Information Technology Co., Ltd.
Status	Valid
Issuer	Certum Extended Validation Code Signing 2021 CA
Valid From	10:45 AM 12/11/2025
Valid To	10:45 AM 12/11/2026
Valid Usage	Code Signing
Algorithm	sha256RSA
Thumbprint	731B7470AA8F16ADBDEF712A01C2FCBCA5A1D554
Serial Number	77 3D D2 F9 AD AC 8E 55 2D 11 AD 73 7D 17 F7 72

References

https://cybersecuritynews.com/fake-fortinet-sites/
https://cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/
https://x.com/g0njxa/status/2009596938815942858
https://zscaler.com/blogs/security-research/spoofed-ivanti-vpn-client-sites