Ongoing Widespread Credential Harvesting Campaign Targets VPN Providers
ID: f80adb4a-0577-51dc-a238-fe2dc919c585
STIX ID: report--f80adb4a-0577-51dc-a238-fe2dc919c585
Feed Name: WatchGuard Secplicity Blog
This report documents an active, widespread SEO-poisoning campaign that registers doppelganger domains for numerous VPN and remote-access products and uses them to serve trojanized installers. The installers capture credentials and transmit them to attacker-controlled C2 infrastructure. The report includes IoCs (domains, IPs, hashes, GitHub repos), packet captures, and a malicious code-signing certificate. It warns that the harvested credentials may be used by ransomware affiliates and recommends mitigations such as enforcing MFA and obtaining installers only from vendor sites.
