Ongoing Widespread Credential Harvesting Campaign Targets VPN Providers
Introduction
At the turn of the year, we were alerted to a doppelganger domain impersonating WatchGuard’s Mobile VPN with SSL, delivering a malicious spoofed client to steal credentials. Navigating directly to the doppelganger domain resulted in a benign informational WatchGuard VPN page. However, when navigating to the page from a search engine, it redirected the user to what appears to be an official WatchGuard download page for Mobile VPN with SSL software. When clicking download, a ZIP folder from a GitHub account is served. The resulting client sends credentials to a C2 server with no other malware observed.
The methodology was eerily similar to that in a recent Zscaler blog post describing an SEO poisoning campaign targeting Ivanti’s Pulse Secure VPN client, albeit with a somewhat more complex resulting client than the WatchGuard-spoofed one. Still the same result: credential theft. That research led to similar reporting from The DFIR Report, where the attackers used SEO poisoning to deliver a trojanized ManageEngine OpManager client with Bumblebee malware, ultimately leading to Akira ransomware. A Cyjax report echoed much of the same, but involved a few more vendors. Then, while our research was ongoing, Cyber Security News published a report on fake sites spoofing Fortinet’s FortiClient that mirrored what we had just observed. It was obvious that these weren’t one-off efforts but a sustained, concerted credential campaign, likely from the same threat actor.
Based on the aforementioned reporting, it’s likely this is a ransomware affiliate using these credentials to gain a foothold in networks with the intent to deploy ransomware, such as Akira. Using the IoCs from those reports, combined with the WatchGuard VPN spoofed client infrastructure, we were able to identify doppelganger domains for various other VPN providers that lack fully implemented backend logic, meaning this threat actor is sitting on domains to continue these attacks in the weeks and months ahead. We were able to find infrastructure targeting the following vendors and products:
- Check Point Remote Access VPN
- Cisco AnyConnect Secure Client
- Citrix Secure Access
- F5 BIG-IP
- Fortinet FortiClient VPN
- Ivanti Secure Access Client
- OpenConnect VPN
- Hanwha Vision America Wisenet Viewer
- ManageEngine ADManager Plus
- Network Optix Nx Witness
- Palo Alto Networks GlobalProtect
- QNAP Qfinder Pro
- SonicWall NetExtender
- Sophos Connect
- WatchGuard Mobile VPN with SSL & Firebox VPN with SSL
Currently, the threat actor has infrastructure in place for five of these vendors and is, or was, actively stealing credentials:
- WatchGuard Mobile VPN with SSL
- F5 BIG-IP
- Fortinet FortiClient VPN
- SonicWall NetExtender
- Sophos Connect
The purpose of this blog is to extend prior research on the breadth of this campaign, note some of the nuances between its variants, and, more importantly, provide IoCs for the infrastructure so these attacks can be thwarted before they begin.
WatchGuard
When searching for “watchguard vpn” in Bing, Copilot produces one of the doppelganger websites: watchguard-vpn[.]net. At the time of research, there was no backend logic to direct users to the spoofed downloads page.
We were also able to reproduce it using Google, but a malicious domain took a while to find naturally, which is a good thing.
Navigating to one of these domains, such as watchguard-vpn[.]com, one of the two domains hosting the malicious WatchGuard applications, reveals a seemingly simple downloads page. However, there are no external links or mechanisms to download software unless you’re on the /download.html path.
The other domain hosting a malicious credential-stealing application is firebox-ssl[.]com. Both host the application on the /download.html path. The download webpage is reachable if you enter the full URL directly; if you arrive from any of the specified search engines, you will be redirected to the downloads page.
The fake downloads page mirrors the official WatchGuard page, with the only difference being the download link for the malicious ZIP hosted on GitHub (MD5: 53b461a0eb4a18d76ad7e687a71d3334). The ZIP folder’s location is visible when hovering over the Windows download link.
The repository was created on December 25, 2025, and contains only a ZIP file
The ZIP contains a .NET executable (MD5: 9f0126592145772a25c5b5c00469414d).
The executable is signed with an unknown digital signature from Taiyuan Lihua Near Information Technology Co., Ltd.
Comparing the legitimate VPN client with the fake one reveals it’s an exact visual clone, although the genuine software is not a .NET executable.
Entering arbitrary information and clicking Connect results in an error window for an unsupported version. However, on the back end, that information was sent to the attacker’s C2 server, a common tactic where attackers use decoy error prompts to trick the user into thinking nothing malicious occurred.
Inspecting the code reveals the C2 domain within the CheckServer function.
This is confirmed on a packet capture.
Using VirusTotal and searching for files that share the same code-signing certificate yields results similar to Zscaler’s reporting.
The spoofed Ivanti files, signed with a different malicious signing certificate, produced very similar executables, furthering the assumption that this is the same threat actor(s).
Based on the related files, infrastructure, and behaviors, it’s evident that this is likely the same threat actor(s) casting a wide net to spoof VPN providers. Only this time, it affects WatchGuard, as well as many others, which you’ll find in the rest of the report. The main premise of this campaign is to steal VPN credentials to gain access to networks in furtherance of what is likely data exfiltration and/or ransomware, and this assumption is based on prior research, not direct evidence. After researching the WatchGuard portion and finding related reports, we investigated other similar-looking domains. For example, here is one targeting F5’s BIG-IP client.
F5
After navigating to these domains, it was clear this was the same campaign, and one of them was a GitHub Pages domain (big-ip-client[.]github[.]io). This means there’s also a GitHub repository behind this page containing what we thought was another spoofed executable. However, the repository told a different story.
The repository began around the same time as the WatchGuard one – late December 2025. The code only contained the HTML, CSS, and JS required for the doppelganger pages.
However, there existed a JS file (script.js) (MD5: 7b9da837d7caaca24d7a3a496f8e606b) that stood out.
This is the script that steers users arriving from search engines. The script does the following:
- Defines the redirect URL
- Defines specific referer headers from:
- Bing
- DuckDuckGo
- Yahoo
- ChatGPT
- Copilot
- Qwant
- Ecosia
- NAVER
- Defines filters for specific operating systems
- Windows only
- Defines filters for specific browsers
- Chrome
- Firefox
- Safari
- Edge
- Opera
Thus, if a user lands on one of the domains carrying this script, they will be redirected to the fake download URL only if all of the following hold:
- the Referer header is from one of the defined search engines
- the user is on a Windows machine
- the browser is one of the listed ones
Visiting the redirect URL directly shows another spoofed website, although there’s no ZIP or executable this time.
This time, when clicking DOWNLOAD, a modal window appears, and when entering dummy data, another familiar error appears. Naturally, a packet capture was performed to confirm another familiar-looking domain – house-connection[.]pro.
So, now we have at least two confirmed credential-harvesting campaigns that look very similar. We looked into a few more.
Fortinet
Yet again, there’s the same-looking landing page, but for Fortinet (FortiClient).
We found some targeting Mac users.
Also, some targeting users from other countries. This one is for French speakers.
We were able to uncover yet another GitHub. This one began in 2023 and is related to Artisan and Giesen, a coffee company. However, it was recently updated in the last few months for this campaign.
Again, no executable, but another script.js (MD5: 16d3caab742f610d54030f7112757187). It is the same as the BIG-IP one, but with a different redirect.
The redirect URL points to yet another spoofed download page, this time for FortiClient 7.4.
Scrolling down and clicking a DOWNLOAD link produces the same-looking modal window.
Throws the same-looking error.
This time credentials were sent directly to myfiles2[.]download. We also discovered a counter (attempt): after the first attempt, the link downloads the actual FortiClient installer.
SonicWall
On to SonicWall’s NetExtender. Similar webpage, but targeting macOS.
The second webpage we found looked very different from the others and had no workable Download link.
A few seconds after navigating to the webpage, an unprovoked modal window appears.
Inserting dummy data throws another error message.
A packet capture confirmed data exfiltration to a C2 server (5913261[.]cc).
Inspecting the page reveals a JS file, called popup.js (MD5: 24bbd9a0732172730d5653eab213c082), that is not present on other vendor pages.
The script contained normal behavior to invoke a modal window, but the bottom of the script told the whole story. The script defines the C2, and a defined variable points to the actual NetExtender client. The script's logic mimics the behavior we saw on the spoofed FortiClient page. The first “download” action sends the credentials to the C2. It then sets “attempt” to 2, so every subsequent click is treated as the second click, downloading the legitimate executable.
The processes are all a bit different, but the end result is the same: steal credentials on the first attempt, throw a benign error to make it look legitimate, and, in some cases, hand the user a legitimate installer on subsequent attempts.
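As an added example (not code from the original post or from any vendor named in it), the following Python scans constructed JSON-per-line proxy records for the two behaviours described above: a search-engine-referred Windows visit to a spoofed domain, which is the condition script.js redirects on, and a request to one of the C2 hosts that receive the first-attempt credentials. The indicator domains come from the IoC tables in this post; the search-engine host names and the log format are assumptions.

```python
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Indicator domains copied from the IoC tables in this post (defanging removed).
SPOOFED_HOSTS = {"big-ip-client.github.io", "watchguard-vpn.com", "firebox-ssl.com",
                 "forticlient-vpn.fr", "netextender-sonicwall.com", "sophos-connect.com"}
C2_HOSTS = {"house-connection.pro", "myfiles2.download", "5913261.cc",
            "postgresql-download.com", "myconnection.pro", "vpn-connection.pro"}
# script.js keys on these engines; the host names are our assumption (post lists only names).
SEARCH_HOSTS = ("bing.com", "duckduckgo.com", "yahoo.com", "chatgpt.com",
                "copilot.microsoft.com", "qwant.com", "ecosia.org", "naver.com")

def host_of(url: str) -> str:
    """Lower-cased host of a URL without a leading 'www.' ('' if absent)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def in_set(host: str, hosts) -> bool:
    """True if host equals or is a subdomain of an entry (the *[.] IoC form)."""
    return any(host == h or host.endswith("." + h) for h in hosts)

def classify(rec: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one proxy record, or None if benign."""
    host = host_of(rec["url"])
    if in_set(host, C2_HOSTS):
        # The spoofed clients and popup.js send the entered credentials here.
        return "high", f"{rec['method']} to campaign C2 {host}"
    if in_set(host, SPOOFED_HOSTS):
        # Listed-engine Referer plus a Windows UA is the condition script.js redirects on.
        if (in_set(host_of(rec.get("referer", "")), SEARCH_HOSTS)
                and "Windows" in rec.get("ua", "")):
            return "medium", f"search-steered visit to spoofed site {host}"
        return "low", f"visit to spoofed VPN domain {host}"
    return None

def scan(lines) -> list:
    """Parse JSON-per-line proxy logs; return [(ts, src, severity, reason)]."""
    hits = []
    for rec in (json.loads(ln) for ln in lines if ln.strip()):
        verdict = classify(rec)
        if verdict:
            hits.append((rec["ts"], rec["src"], *verdict))
    return hits

# Constructed sample log (not real traffic): one Windows host arrives from Bing,
# is steered to the spoofed page, then its fake client posts to a C2.
SAMPLE_LOG = """
{"ts":"2026-01-05T10:12:03Z","src":"10.0.0.12","method":"GET","url":"https://big-ip-client.github.io/","referer":"https://www.bing.com/search?q=big-ip+client","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0","status":302}
{"ts":"2026-01-05T10:13:41Z","src":"10.0.0.12","method":"POST","url":"https://house-connection.pro/api","referer":"","ua":"Mozilla/4.0","status":200}
{"ts":"2026-01-05T10:15:00Z","src":"10.0.0.31","method":"GET","url":"https://watchguard-vpn.com/download.html","referer":"","ua":"Mozilla/5.0 (Macintosh) Safari/17","status":200}
"""
if __name__ == "__main__":
    for ts, src, sev, why in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} [{sev}] {why}")
```

Subdomain matching mirrors the `*[.]` form used in the IoC table, so a record for `cdn.sophos-connect.com` is flagged as well as the apex.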
Sophos
The final vendor that the threat actors had active at the time of research was Sophos Connect. Searching for “sophos connect client” results in the same SEO poisoning attack as the others.
The resulting webpage.
Although this webpage didn’t yet have the logic to serve the malicious spoofed client, we were able to access the GitHub page where it is hosted via related infrastructure. It was also created in mid-to-late December.
This one did contain a ZIP (MD5: 85b0472aa928d61fc338b99832bd1fbd) and subsequent executable (MD5: ec6212c853cbbdc02b5158b4fb3548fb). The executable, just like the WatchGuard one, directly spoofed the VPN client, although this one was more like the Ivanti client discussed by Zscaler and not a simple .NET application akin to the WatchGuard one.
Side-by-side comparison of the real and fake clients.
Throwing some dummy data in the client and attempting to log in shows the C2: postgresql-download/Server.
Packet capture for confirmation.
Other Spoofed Webpages
We found a slew of doppelganger domains containing spoofed webpages from a bunch of other VPN providers. These domains are listed in the IoCs table. Most look very similar, as if spun up by an automated tool, while others look like direct clones of their legitimate counterparts.
Other Dissemination Techniques
We also found various forums and embedded iframes containing these references, indicating that SEO poisoning isn’t the only tactic used to trick users. Here’s an example of an embedded iframe on a compromised domain.
And an example of a spam comment to one of these domains.
We found a C2 that was spun up at the very end of our research and is not yet connected to one of the spoofed providers:
- vpn-connection[.]pro (82.29.157.171)
Conclusion
To conclude, after we learned of the WatchGuard doppelganger domains and researched them, we discovered infrastructure targeting several other remote access and VPN providers. Most of them were under construction, being set up for further attacks, or had been taken down, although we were able to find at least five vendors with active campaigns against them. This list is not exhaustive, and there are likely more vendors being targeted, as well as other domains like the ones we found. Nonetheless, the endgame is all the same: credential theft.
The threat actor(s) register these domains and employ SEO poisoning, iframe overlays, and forum spam to support these attacks. The threat actor(s) use trusted infrastructure such as GitHub, Google Cloud, and Cloudflare because the IP addresses are usually not blocked. On its face, none of this looks malicious, but that’s the point.
Preventing these attacks as a user begins with awareness. Know what you’re clicking on, even if the results are high on search engine lists. If you ever have a hunch that something nefarious is going on, navigate to the vendors directly and find the appropriate download links. More technical countermeasures include multi-factor authentication (MFA) and a password manager. MFA will prevent unauthorized access even with stolen credentials, and a password manager makes changing those credentials easier and more secure.
Indicators of Compromise (IoCs)
| Targeted Vendor | Targeted Product | Domain | IP Addresses |
|---|---|---|---|
| Check Point | Remote Access VPN Client | *[.]checkpoint-vpn[.]com | 144.172.116.169 |
| Cisco | AnyConnect (Secure Client) | *[.]cisco-anyconnect[.]de | 172.86.123.53 |
| Cisco | AnyConnect (Secure Client) | *[.]cisco-anyconnect[.]fr | 80.249.132.130 |
| Cisco | AnyConnect (Secure Client) | *[.]secure-client[.]org | 172.67.184.205, 104.21.76.10 |
| Citrix | Secure Access Client | *[.]citrix-secure-access[.]com | 172.67.164.121, 104.21.34.199 |
| F5 | BIG-IP Client | *[.]big-ip-client[.]com | 172.67.182.218, 104.21.91.249 |
| F5 | BIG-IP Client | *[.]big-ip-client[.]github[.]io | N/A |
| F5 | BIG-IP Client | *[.]big-ip-client[.]net | 80.249.132.130 |
| Fortinet | FortiClient | *[.]forticlient-download[.]es | 185.42.104.126 |
| Fortinet | FortiClient | *[.]forticlient-for-mac[.]com | 172.67.172.58, 104.21.30.70 |
| Fortinet | FortiClient | *[.]forticlient-vpn[.]fr | 104.21.44.244, 172.67.205.125 |
| Fortinet | FortiClient | *[.]fortinet-vpn[.]com | 144.172.116.169 |
| Fortinet | FortiClient | *[.]vpn-fortinet[.]com | 144.172.116.169 |
| Fortinet | FortiClient | *[.]vpn-fortinet[.]github[.]io | N/A |
| FOSS | OpenConnect VPN | *[.]openconnect-download[.]com | 199.59.243.228 |
| Hanwha Vision America | Wisenet Viewer | *[.]wisenet-viewer[.]com | 172.67.130.129, 104.21.3.85 |
| ManageEngine | ADManager Plus | *[.]admanager-plus[.]com | 172.67.186.98, 104.21.43.221 |
| Network Optix | Nx Witness | *[.]nx-witness[.]com | 104.21.66.91, 172.67.158.84 |
| Network Optix | Nx Witness | *[.]nx-witness[.]org | 172.67.191.72, 104.21.20.32 |
| Palo Alto Networks | GlobalProtect | *[.]globalprotect[.]es | 167.88.165.182 |
| Palo Alto Networks | GlobalProtect | *[.]globalprotect-download[.]com | 167.88.165.182 |
| QNAP | Qfinder Pro | *[.]qfinder-pro[.]com | 194.164.74.38 |
| SonicWall | NetExtender | *[.]netextender-client[.]com | 172.67.143.42, 104.21.46.238 |
| SonicWall | NetExtender | *[.]netextender-sonicwall[.]com | 104.21.19.99, 172.67.185.189 |
| SonicWall | NetExtender | *[.]netextender-sonicwall[.]net | 199.59.243.228 |
| SonicWall | NetExtender | *[.]netextender-sonicwall[.]org | 147.93.73.92 |
| SonicWall | NetExtender | *[.]netextender-vpn[.]com | 172.67.129.217, 104.21.1.189 |
| SonicWall | NetExtender | *[.]sonicwall-netextender[.]com | 104.21.75.212, 172.67.182.57 |
| SonicWall | NetExtender | *[.]sonicwall-netextender[.]net | 172.67.198.8, 104.21.68.190 |
| SonicWall | NetExtender | *[.]sonicwall-netextender[.]org | 104.21.18.117, 172.67.181.204 |
| SonicWall | NetExtender | *[.]sonicwall-netextender[.]nl | 144.172.116.169 |
| SonicWall | NetExtender | *[.]sonicwall-netextender[.]de | 104.21.54.226, 172.67.143.27 |
| Sophos | Sophos Connect | *[.]sophos-connect[.]com | 3.33.130.190, 15.197.148.33 |
| Sophos | Sophos Connect | *[.]sophos-connect[.]org | 80.249.132.131 |
| WatchGuard | Mobile VPN with SSL | *[.]firebox-ssl[.]com | 80.249.132.131 |
| WatchGuard | Mobile VPN with SSL | *[.]watchguard-vpn[.]com | 104.21.78.99, 172.67.220.52 |
| WatchGuard | Mobile VPN with SSL | *[.]watchguard-vpn[.]net | 74.208.236.39 |
| WatchGuard | Mobile VPN with SSL | *[.]watchguard-vpn[.]org | 80.249.132.131 |
C2s
| Domain | IP Addresses |
|---|---|
| house-connection[.]pro | 82.29.157.171 |
| myfiles2[.]download | 172.67.175.165, 104.21.72.52 |
| 5913261[.]cc | 54.215.31.113 |
| postgresql-download[.]com | 172.67.206.108, 104.21.85.137 |
| myconnection[.]pro | 82.29.157.171 |
| vpn-connection[.]pro | 82.29.157.171 |
Hashes (MD5)
| Targeted Product | Hash | File Type |
|---|---|---|
| Spoofed Sophos Connect | 85b0472aa928d61fc338b99832bd1fbd | ZIP |
| Spoofed Sophos Connect | ec6212c853cbbdc02b5158b4fb3548fb | EXE |
| Spoofed WatchGuard VPN | 53b461a0eb4a18d76ad7e687a71d3334 | ZIP |
| Spoofed WatchGuard VPN | 9f0126592145772a25c5b5c00469414d | EXE |
| F5 BIG-IP Steering Script | 7b9da837d7caaca24d7a3a496f8e606b | JS |
| FortiClient Steering Script | 16d3caab742f610d54030f7112757187 | JS |
| SonicWall Popup Script | 24bbd9a0732172730d5653eab213c082 | JS |
Repositories
| Repository |
|---|
| github.com/big-ip-client |
| github.com/vpn-fortinet |
| github.com/wg-vpn |
Malicious Code Signing Certificate Information
| Field | Value |
|---|---|
| Name | Taiyuan Lihua Near Information Technology Co., Ltd. |
| Status | Valid |
| Issuer | Certum Extended Validation Code Signing 2021 CA |
| Valid From | 10:45 AM 12/11/2025 |
| Valid To | 10:45 AM 12/11/2026 |
| Valid Usage | Code Signing |
| Algorithm | sha256RSA |
| Thumbprint | 731B7470AA8F16ADBDEF712A01C2FCBCA5A1D554 |
| Serial Number | 77 3D D2 F9 AD AC 8E 55 2D 11 AD 73 7D 17 F7 72 |
References
https://cybersecuritynews.com/fake-fortinet-sites/
https://cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/
https://x.com/g0njxa/status/2009596938815942858
https://zscaler.com/blogs/security-research/spoofed-ivanti-vpn-client-sites