
An unknown threat actor distributed a trojanized version of SonicWall's SSL VPN NetExtender application and stole credentials from unsuspecting users who installed it.
“NetExtender allows remote users to securely connect and run applications on their company network,” said Sravan Ganachari, a researcher at SonicWall. “Users can upload and download files, access network drives, and use other resources as if they were on a local network.”
The malicious payload delivered via the rogue VPN software has been named SilentRoute by Microsoft, which detected the campaign together with the network security company.
SonicWall found the malware-laced NetExtender impersonating the latest version of the software (10.3.2.27) and being distributed via fake websites that have since been taken down. The installer is digitally signed by "Citylight Media Private Limited."

This suggests that the campaign targets users searching for NetExtender on search engines like Google and Bing, and tricks them into installing it via spoofed sites promoted through known techniques such as spear-phishing, search engine optimization (SEO) poisoning, fraud, and social media posts.
Two components of the installer were modified to enable the exfiltration of configuration information to a remote server under the attacker's control.

These include "NeService.exe" and "NetExtender.exe," which were modified to bypass digital certificate validation and to send stolen data to a remote server at [.]163 on port 8080.
"The threat actor added code to the installed binary of fake NetExtender so that information related to the VPN configuration was stolen and sent to the remote server," Ganachari said.
"When VPN configuration details are entered and the 'Connect' button is clicked, the malicious code will perform its own validation before sending data to the remote server. Stolen configuration information includes username, password, domain, and more."
Threat Actors Abuse ConnectWise Authenticode Signatures
The development comes as G DATA detailed a threat activity cluster called EvilConwi.
The German cybersecurity company said it has observed a surge in attacks using the technique since March 2025. Infection chains primarily use phishing emails as the initial access vector, or fake sites promoted on Facebook as artificial intelligence (AI) tools.

These email messages contain a OneDrive link whose "View PDF" button redirects recipients to a Canva page, which then silently downloads and runs a ConnectWise installer.
The attack works by embedding malicious configuration in the unauthenticated attributes of the Authenticode signature, so that the signature still validates. The configuration presents a fake Windows update screen, prevents users from shutting down the system, and specifies the external URLs to which the client establishes a remote connection for persistent access.
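Two of the warning signs the article describes, a valid signature from an unexpected publisher (the rogue NetExtender build) and configuration hidden in the unsigned part of a ConnectWise installer's Authenticode signature (EvilConwi), can both be checked from the same file. The following PowerShell script is an added example, not code from the article, SonicWall or G DATA. It assumes Windows PowerShell 5.1 (where the SignedCms class lives in System.Security), that the file is a PE image, and that the `$ExpectedPublisher` pattern is a placeholder the reader replaces with the vendor's real certificate subject.

```powershell
# Added example (not from the article): inspect an installer's Authenticode signature for
#   1. an unexpected signer (the rogue NetExtender was signed by "Citylight Media Private Limited"), and
#   2. unauthenticated (unsigned) attributes in the PKCS#7 blob, which the signature hash does not
#      cover and which EvilConwi-style installers use to carry their configuration.
# Assumptions: Windows PowerShell 5.1 on Windows; $ExpectedPublisher is a placeholder pattern.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedPublisher = '*SonicWall*'                 # placeholder allow-list pattern
)

Add-Type -AssemblyName System.Security                         # provides SignedCms

# Unsigned attributes that legitimately appear in Authenticode signatures.
$KnownUnsignedOids = @{
    '1.2.840.113549.1.9.6'  = 'countersignature (timestamp)'
    '1.3.6.1.4.1.311.3.3.1' = 'RFC 3161 timestamp'
    '1.3.6.1.4.1.311.2.4.1' = 'nested signature'
}

function Get-AuthenticodeBlob {
    # Walks the PE headers to the security data directory and returns the raw PKCS#7 bytes.
    param([string]$FilePath)
    $b = [System.IO.File]::ReadAllBytes($FilePath)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$FilePath is not an MZ executable" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                    # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "PE header not found" }
    $opt   = $pe + 24                                          # optional header follows the 20-byte file header
    $magic = [BitConverter]::ToUInt16($b, $opt)
    $dirs  = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }   # PE32+ vs PE32 data directories
    $sec   = $dirs + 4 * 8                                     # IMAGE_DIRECTORY_ENTRY_SECURITY = 4
    $off   = [BitConverter]::ToUInt32($b, $sec)                # file offset (not an RVA) of WIN_CERTIFICATE
    $len   = [BitConverter]::ToUInt32($b, $sec + 4)
    if ($off -eq 0 -or $len -eq 0) { return $null }            # file carries no signature
    # WIN_CERTIFICATE layout: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[...]
    $blobLen = [BitConverter]::ToUInt32($b, $off) - 8
    $blob = New-Object byte[] $blobLen
    [Array]::Copy($b, $off + 8, $blob, 0, $blobLen)
    return $blob
}

$findings = @()

# Check 1: does Windows consider the signature valid, and is the signer the one we expect?
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "signature status is '$($sig.Status)'"
} elseif ($sig.SignerCertificate.Subject -notlike $ExpectedPublisher) {
    # A valid signature from the wrong publisher is exactly the rogue-NetExtender case.
    $findings += "valid signature but unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Check 2: enumerate unauthenticated attributes in the PKCS#7 SignedData.
$blob = Get-AuthenticodeBlob -FilePath $Path
if ($blob) {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($blob)
    foreach ($signer in $cms.SignerInfos) {
        foreach ($attr in $signer.UnsignedAttributes) {
            $oid  = $attr.Oid.Value
            $size = ($attr.Values | ForEach-Object { $_.RawData.Length } | Measure-Object -Sum).Sum
            if ($KnownUnsignedOids.ContainsKey($oid)) {
                Write-Verbose "unsigned attribute $oid ($($KnownUnsignedOids[$oid])), $size bytes"
            } else {
                # Data the signature does not cover: inspect it before trusting the file.
                $findings += "unrecognised unsigned attribute $oid carrying $size bytes"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "${Path}: signer and signature attributes look as expected"
} else {
    Write-Output "${Path}: REVIEW"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it as `.\Inspect-Installer.ps1 -Path .\NetExtender-setup.exe -ExpectedPublisher '*SonicWall*' -Verbose`. A "Valid" status from Get-AuthenticodeSignature only proves the file has not changed since it was signed, which is why the publisher comparison matters; and because unauthenticated attributes are outside the signed hash, a file can gain such an attribute after signing while the signature keeps validating, so any unrecognised attribute deserves a look at its contents rather than being dismissed on the strength of the signature alone.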

What's noteworthy about EvilConwi is that it gives malicious actors cover for their operations by conducting them through trusted, legitimate, and possibly highly privileged system or software processes, allowing them to fly under the radar.
"By changing these settings, the threat actor creates his own remote access malware that pretends to be another software, like an AI-to-image converter with Google Chrome," said security researcher Karsten Hahn. "They generally also add fake Windows update images and messages, so users don't turn off the system and threat actors can connect remotely to them."