Cybercriminals are putting a modern spin on traditional phishing. They are now targeting Google Search results to distribute malware disguised as legitimate VPN software. Palo Alto Networks’ Unit 42 recently uncovered this malicious campaign in June 2024, in which threat actors are spoofing GlobalProtect VPN, a well-known security product.
These hackers are leveraging SEO poisoning, a technique that manipulates search engine results so that malicious sites appear at the top. By purchasing ads or boosting page rankings, they trick users into visiting counterfeit websites that mimic Palo Alto’s GlobalProtect. Unsuspecting victims download what they believe to be the VPN software, but instead, they receive a malware loader known as WikiLoader.
WikiLoader is not a simple dropper. It is a loader: once running it fetches additional payloads (typically information stealers or remote-access tools) and hands attackers a foothold on the compromised system. It has been rented out as a "tool-for-hire" to other criminal groups since late 2022, and the variant in this campaign carries updated anti-analysis and evasion techniques.
The installer itself is built to look benign. After the fake GlobalProtect package runs, the user is shown a fabricated error about a missing DLL while the loader is already executing in the background. The loader also runs through renamed copies of legitimate, signed software (DLL side-loading), so that controls and analysts keying on trusted process names are less likely to notice it.
This shift from phishing to SEO poisoning is particularly concerning because it broadens the range of potential victims. Organizations in the U.S. education and transportation sectors have already been affected.
The practical defence is to treat sponsored search results as untrusted when looking for software: do not click them, and fetch installers only from the vendor's own domain, typed or bookmarked rather than reached through a search link. Before running the download, confirm that it came from that domain over HTTPS and that its hash or code-signing signature matches what the vendor publishes. These habits stop this campaign, but because the lures and loaders keep changing, organisations still need layered defences (download filtering, application control, and monitoring for installers that spawn unexpected processes) rather than relying on user caution alone.
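The checks above can be scripted. The following Python is an added example written for this article, not code from Unit 42 or Palo Alto Networks: it verifies that a download URL resolves to the vendor's registrable domain over HTTPS (rejecting the subdomain, userinfo and lookalike tricks SEO-poisoned sites use) and that the file's SHA-256 matches the vendor-published value. The trusted-domain set, the sample installer bytes and the "published" hash are constructed placeholders; in practice the hash is copied from the vendor's support portal, not from the page that served the download.

```python
"""Pre-execution checks for a downloaded installer (added example)."""
import hashlib
from urllib.parse import urlparse

# Domains trusted to serve the installer. Assumption for this example: the
# real list comes from your own vendor records, not from search results.
TRUSTED_DOMAINS = {"paloaltonetworks.com"}

# Small sample of multi-label public suffixes so "x.co.uk" is not reduced to
# "co.uk". A production tool would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    This is what must match the allowlist: a lookalike such as
    'paloaltonetworks.com.globalprotect-download.net' has the registrable
    domain 'globalprotect-download.net', not the vendor's.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_is_trusted(url: str) -> bool:
    """True only for an https URL whose registrable domain is allowlisted."""
    parsed = urlparse(url)
    host = parsed.hostname  # strips userinfo ('vendor.com@evil.net' -> evil.net)
    if parsed.scheme != "https" or not host:
        return False
    # Reject IDN / punycode hosts outright: homoglyph lookalikes of the vendor
    # name are a common phishing trick and the vendor's domain is plain ASCII.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False
    return registrable_domain(host) in TRUSTED_DOMAINS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installer_checks(url: str, data: bytes, published_sha256: str) -> dict:
    """Run both checks and report which one failed, so the user learns whether
    the problem was the download source or a tampered/substituted file."""
    source_ok = url_is_trusted(url)
    actual = sha256_hex(data)
    hash_ok = actual == published_sha256.lower()
    return {
        "source_ok": source_ok,
        "hash_ok": hash_ok,
        "actual_sha256": actual,
        "safe_to_run": source_ok and hash_ok,
    }


# Constructed sample: a few bytes standing in for the real MSI, and the hash
# the vendor would publish for it. Both are placeholders, not real artefacts.
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-sample-installer-bytes"
PUBLISHED_SHA256 = sha256_hex(SAMPLE_INSTALLER)

if __name__ == "__main__":
    good = installer_checks(
        "https://www.paloaltonetworks.com/downloads/GlobalProtect64.msi",
        SAMPLE_INSTALLER, PUBLISHED_SHA256)
    bad = installer_checks(
        "https://paloaltonetworks.com.globalprotect-download.net/GlobalProtect64.msi",
        SAMPLE_INSTALLER + b"\x00", PUBLISHED_SHA256)
    print("vendor download:", good)
    print("SEO-poisoned download:", bad)
```

The domain check deliberately compares registrable domains rather than substrings: "paloaltonetworks.com" appearing anywhere in a hostname proves nothing, which is exactly the property lookalike sites exploit. The hash check is independent of the source check so that a correct file fetched from a mirror and a tampered file fetched from the vendor both fail, each with a different reason.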