New SEO Poisoning Campaign Targeting IT Admins With Malware

Varonis reveals attackers are using SEO poisoning to trick IT admins into downloading malware, alongside a critical root access vulnerability in Azure’s AZNFS-mount utility affecting HPC/AI workloads. Update Azure immediately.
Cybersecurity researchers at Varonis have issued warnings on two distinct but significant threats targeting IT administrators and cloud infrastructure. In a blog post published on 2 May 2025, Varonis noted a growing trend, emerging within the last two months, of attackers using SEO poisoning to trick administrators into downloading malware disguised as legitimate tools.
Separately, on May 6th, the company’s Threat Labs reported a critical vulnerability in a preinstalled Azure utility that could allow unprivileged users to gain full root access to cloud systems.
The SEO poisoning campaign involves cybercriminals manipulating search engine rankings to place malicious websites at the top of results for common IT administration tools. Unsuspecting admins, believing they are downloading genuine software, instead install malware that can lead to the installation of backdoors like SMOKEDHAM, enabling persistent access for attackers.
Varonis MDR Forensics team members Tom Barnea and Simon Biggs highlighted cases where this technique led to the deployment of monitoring software like a renamed version of Kickidler (grabber.exe), allowing attackers to secretly observe infected machines and steal credentials.
This initial access often paves the way for data exfiltration, as seen in one instance where the attackers successfully transferred nearly a terabyte of data out of the network, followed by the encryption of critical systems like the customer’s ESXi devices for ransom.
In a separate but equally concerning discovery, Varonis Threat Labs, led by researcher Tal Peleg, identified a critical flaw in the AZNFS-mount utility, a tool preinstalled on Azure High-Performance Computing (HPC) and Artificial Intelligence (AI) images. This vulnerability, affecting all versions up to 2.0.10, could allow an ordinary user to escalate their privileges to root on a Linux machine.
As per Varonis’ research, shared with Hackread.com, the flaw exists in the “mount.aznfs” binary, which, due to incorrect permissions, could be exploited to execute arbitrary commands with the highest system privileges. By manipulating a specific environment variable, attackers could effectively take complete control of the affected Azure systems.
Varonis Threat Labs responsibly disclosed this vulnerability to Microsoft Azure, which classified it as low severity. However, the potential impact of gaining root access to cloud infrastructure is significant, as it may allow attackers to mount additional storage, install malware, and move laterally within cloud environments. Microsoft has since released a fix in version 2.0.11 of the AZNFS-mount utility.
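As an added example (not code from Varonis or Microsoft), the following POSIX shell audit helper lets an Azure HPC/AI image owner check whether the installed AZNFS-mount release is older than the fixed 2.0.11 and whether the mount helper carries the setuid bit. It assumes the utility ships as a package named "aznfs" and installs its helper at /sbin/mount.aznfs; neither detail is stated in the report.

```shell
#!/bin/sh
# Added audit helper, not Varonis or Microsoft code. Assumptions (not stated in the report):
# the utility ships as a package named "aznfs" and installs /sbin/mount.aznfs.
FIXED_VERSION="2.0.11"                      # first fixed release named in the report
AZNFS_HELPER="${AZNFS_HELPER:-/sbin/mount.aznfs}"

# Strip distro suffixes such as "-1" or "~ubuntu1", keeping only the dotted numeric part.
normalize_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*//'
}

# version_ge A B: succeed (0) when dotted version A >= B, comparing field by field.
version_ge() {
    v1=$(normalize_version "$1"); v2=$(normalize_version "$2"); i=1
    while :; do
        # trailing "." guarantees cut always sees a delimiter, so a missing field is ""
        a=$(printf '%s.' "$v1" | cut -d. -f"$i"); b=$(printf '%s.' "$v2" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && return 0   # all fields compared equal
        a=${a:-0}; b=${b:-0}                     # a missing field counts as 0
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
}

# aznfs_version_vulnerable V: succeed when V is older than the fixed release.
aznfs_version_vulnerable() {
    ! version_ge "$1" "$FIXED_VERSION"
}

# installed_aznfs_version: print the package version from dpkg or rpm, empty if absent.
installed_aznfs_version() {
    dpkg-query -W -f='${Version}' aznfs 2>/dev/null \
        || rpm -q --qf '%{VERSION}' aznfs 2>/dev/null \
        || true
}

# audit_aznfs: report version status and whether the helper is installed setuid.
audit_aznfs() {
    ver=$(installed_aznfs_version)
    if [ -z "$ver" ]; then
        echo "aznfs package not installed"; return 0
    fi
    if aznfs_version_vulnerable "$ver"; then
        echo "VULNERABLE: aznfs $ver is older than $FIXED_VERSION, update now"; rc=1
    else
        echo "OK: aznfs $ver is at or above $FIXED_VERSION"; rc=0
    fi
    # A setuid-root mount helper is what turns a flaw like this into local root.
    [ -u "$AZNFS_HELPER" ] && echo "note: $AZNFS_HELPER is setuid; keep it patched and monitored"
    return $rc
}
```

Run `audit_aznfs` on each HPC/AI node; a non-zero exit marks a host still on a vulnerable release.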
Still, these findings show cybercriminals are constantly improving their tactics for targeting critical IT infrastructure more effectively. The SEO poisoning campaign highlights the need for better awareness among IT professionals when downloading tools from online searches, even those appearing highly ranked. The Azure utility vulnerability emphasizes the importance of timely patching and careful configuration of cloud resources.
Varonis advises organizations to implement a “Defense in Depth” strategy, including employee training, endpoint security, network segmentation, and strict access controls, to mitigate these growing threats. Azure customers utilizing HPC images or NFS for Azure Storage are advised to update their AZNFS-mount utility immediately.
HackRead