Cybercriminals have been masquerading as sellers of GlobalProtect, virtual private network (VPN) software from Palo Alto Networks, and delivering a new variant of WikiLoader malware through search engine optimization (SEO) poisoning. WikiLoader, also known as WailingCrab, is a downloader malware first discovered in 2022 by Proofpoint. It’s sold in underground marketplaces by initial access brokers, and hackers typically spread the malware using traditional phishing techniques and compromised WordPress sites. The current campaign was initially discovered by Palo Alto’s Unit 42 Managed Threat Hunting team in June, which found that it involves an SEO poisoning technique that positions attacker-controlled webpages advertising the supposed VPN at the top of search engine results. This broadens the scope of potential victims for the threat actors compared to traditional phishing, according to Unit 42.