Attackers are using SEO poisoning to trick enterprise users into downloading malicious VPN software that steals their credentials. A threat actor tracked as Storm-2561 has been running this campaign since May 2025, targeting employees searching for legitimate remote access clients from vendors such as Pulse Secure, Fortinet, and Ivanti. The operation redirects users to counterfeit websites that deliver malware disguised as trusted VPN clients, built specifically to harvest VPN credentials.
Microsoft Defender Experts identified the campaign in mid-January 2026 and attributed it to Storm-2561. The group has a documented history of financially motivated cybercrime and a pattern of malware distribution that abuses search engine rankings and impersonates legitimate software. The attackers craft spoofed websites that mirror official vendor portals, complete with identical logos and download buttons. The malicious ZIP files containing the fake installers were hosted in GitHub repositories, which the platform has since removed.
The Sophisticated Infection Mechanism and Its Evasion Tactics
A key element of the campaign's success is its post-infection strategy. After harvesting credentials, the fake VPN client displays a convincing error message and prompts the user to download the legitimate VPN software from the official vendor's website. Once the legitimate client is installed and connects without issue, the victim has no reason to suspect anything, even though the credentials have already been exfiltrated to attacker-controlled servers without any visible alert.
The infection begins with a Windows Installer (MSI) package concealed within a ZIP file. When a victim executes the fake MSI, such as one disguised as a Pulse Secure installer, it deploys Pulse.exe alongside two malicious DLL files, dwmapi.dll and inspector.dll, under the %CommonFiles%\Pulse Secure directory, a path chosen to closely mimic a legitimate installation. Note that dwmapi.dll is also the name of a legitimate Windows system DLL that normally lives in System32; a copy placed next to Pulse.exe is the classic DLL sideloading layout and is a useful hunting indicator in its own right.
The dwmapi.dll file acts as an in-memory loader, executing shellcode that in turn loads inspector.dll. This second DLL is a variant of the Hyrax infostealer, a known family designed for credential theft. Hyrax captures the VPN credentials entered into the fake login screen and also reads stored connection configuration from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat. All harvested data is sent to the IP address 194.76.226[.]93 on port 8080.
For persistence, the malware adds Pulse.exe to the Windows RunOnce registry key so that the executable is launched again at the next logon. Note that Windows deletes a RunOnce entry once it has executed, so this survives a single logon unless the malware re-creates the entry; when hunting, check both the HKLM and HKCU RunOnce keys, since the article does not say which hive is used.
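The indicators above (the three dropped files under %CommonFiles%\Pulse Secure, the RunOnce entry for Pulse.exe, the exfiltration endpoint 194.76.226[.]93:8080 and the connectionstore.dat file the stealer reads) can be checked on a single host with the following script. It is an added example, not code from the article or from Microsoft: the file names, install path, registry key and C2 address come from the text, while the function name, output shape and the decision to check both registry hives are assumptions made for illustration.

```powershell
# Added example (not from the article or from Microsoft): host-side hunt for
# the Storm-2561 fake Pulse Secure installer artifacts described above.
# Run from an elevated PowerShell session on the endpoint being checked.
function Invoke-FakePulseHunt {
    [CmdletBinding()]
    param(
        [string]$C2Address = '194.76.226.93',   # exfiltration server from the article
        [int]$C2Port = 8080
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped files under the spoofed install path (%CommonFiles%\Pulse Secure).
    #    dwmapi.dll normally lives in System32; a copy next to Pulse.exe is the
    #    sideloading layout and is suspicious on its own.
    $installDir = Join-Path $env:CommonProgramFiles 'Pulse Secure'
    foreach ($name in 'Pulse.exe', 'dwmapi.dll', 'inspector.dll') {
        $path = Join-Path $installDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $findings.Add([pscustomobject]@{
                Type   = 'File'
                Detail = $path
                Extra  = "sha256=$hash status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
            })
        }
    }

    # 2. RunOnce persistence pointing at Pulse.exe. The article does not say which
    #    hive is used, so both machine and user keys (plus WOW6432Node) are checked.
    $runOnceKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($keyPath in $runOnceKeys) {
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            $value = [string]$key.GetValue($valueName)
            if ($value -match 'Pulse\.exe') {
                $findings.Add([pscustomobject]@{
                    Type   = 'RunOnce'
                    Detail = "$keyPath\$valueName"
                    Extra  = $value
                })
            }
        }
    }

    # 3. Live TCP connections to the exfiltration server, with the owning process.
    $conns = Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue
    foreach ($conn in $conns) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Type   = 'Network'
            Detail = "$($conn.LocalAddress):$($conn.LocalPort) -> ${C2Address}:${C2Port} ($($conn.State))"
            Extra  = "pid=$($conn.OwningProcess) process=$($proc.ProcessName)"
        })
    }

    # 4. Stored connection data the stealer reads. If anything above hit,
    #    treat the contents of this file as exposed.
    $store = 'C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat'
    if (Test-Path -LiteralPath $store -PathType Leaf) {
        $findings.Add([pscustomobject]@{
            Type   = 'DataAtRisk'
            Detail = $store
            Extra  = "size=$((Get-Item -LiteralPath $store).Length) bytes"
        })
    }

    return $findings
}

$results = Invoke-FakePulseHunt
if ($results.Count -eq 0) {
    Write-Host 'No Storm-2561 fake Pulse Secure indicators found on this host.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

The file check reports the Authenticode signer and status alongside the hash because the legitimate Pulse client can also live under Common Files; the presence of dwmapi.dll in that directory and any connection to the listed address are the discriminators, and a hit on either should trigger a password reset for the affected user before the endpoint is reimaged.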
Digital Signatures as a Deception Tactic
A critical aspect of Storm-2561's operation is its use of digitally signed malicious files. The files were signed with a certificate issued to "Taiyuan Lihua Near Information Technology Co., Ltd." A valid Authenticode signature lends the files a layer of legitimacy, significantly reduces the likelihood of standard Windows security warnings appearing, and can satisfy application allowlisting policies keyed on the presence of a valid signature rather than on a specific trusted publisher. The tactic is aimed at evading initial detection mechanisms that rely on code integrity checks.
Microsoft’s investigation uncovered additional malicious files bearing the same certificate. These included fake installers for other VPN solutions like GlobalProtect VPN and Sophos Connect, indicating that the campaign is not limited to a single impersonated brand but rather targets a broad spectrum of enterprise users reliant on various VPN services. The use of a seemingly legitimate certificate suggests a deliberate effort to gain trust and increase the campaign’s reach across diverse organizations.
Broader Implications and Mitigation Strategies
The use of SEO poisoning and signed trojans poses a significant threat to enterprise organizations that depend on VPN access for remote operations. Stolen VPN credentials can grant attackers access to sensitive corporate networks, enabling lateral movement, unauthorized data exfiltration, and the execution of more destructive follow-on attacks. The wide range of VPN brands impersonated by this campaign means the potential victim pool spans numerous industries and geographical regions.
The certificate used to sign these malicious files has since been revoked. Revocation does not, however, retroactively break signatures that were timestamped before the revocation date unless the issuer backdates the revocation, so already-signed samples may still verify on some hosts and signature status alone should not be trusted. The continued evolution of such threats calls for robust security measures. Users should download software only from official vendor websites and avoid download links surfaced by general search results. Multi-factor authentication (MFA) on all accounts remains paramount: a stolen VPN password alone is not enough to log in where MFA is enforced, and phishing-resistant methods such as FIDO2 security keys also resist the relay of one-time codes.
Organizations are advised to run endpoint detection and response (EDR) tools in block mode, enable both network and web protection, and apply attack surface reduction rules that block untrusted executables. Employees should be trained not to store enterprise credentials in web browsers, and security teams should investigate any files signed by unrecognized or recently revoked certificates, matching on the signer name as well as on signature status. The ongoing threat landscape demands continuous monitoring and adaptation of security controls to stay ahead of financially motivated groups like Storm-2561.
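The signed-trojan tactic described in the "Digital Signatures as a Deception Tactic" section and the advice above to investigate files signed by unrecognized or recently revoked certificates can be turned into a sweep of user-writable locations. The following is an added example, not code from the article or from Microsoft: the certificate subject fragment comes from the text, while the search roots, function name and output shape are assumptions for illustration. It flags files by signer name as well as by signature status, because a revoked certificate may still produce a signature that verifies when the file was timestamped before the revocation date.

```powershell
# Added example (not from the article or from Microsoft): sweep directories for
# signed PE/MSI files whose Authenticode signer matches the certificate subject
# named in the article, or whose signature no longer verifies.
function Find-SuspiciousSignedFiles {
    [CmdletBinding()]
    param(
        # Assumed search roots; extend to wherever users run downloaded installers.
        [string[]]$Root = @(
            (Join-Path $env:USERPROFILE 'Downloads'),
            $env:TEMP,
            (Join-Path $env:CommonProgramFiles 'Pulse Secure')
        ),
        # Subject fragment of the certificate named in the article.
        [string]$SignerPattern = 'Taiyuan Lihua Near Information Technology'
    )

    $roots = $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    if (-not $roots) { return }

    $files = Get-ChildItem -Path $roots -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        # Unsigned files are left to other controls; this sweep is about abused signatures.
        if ($sig.Status -eq 'NotSigned') { continue }

        $subject = $sig.SignerCertificate.Subject
        $reasons = @()
        if ($subject -match [regex]::Escape($SignerPattern)) { $reasons += 'known-bad signer' }
        if ($sig.Status -ne 'Valid')                          { $reasons += "signature $($sig.Status)" }
        if ($reasons.Count -eq 0) { continue }

        # Record the timestamp countersigner: a timestamped signature can stay
        # valid after revocation, which is why the subject match above matters.
        $tsSubject = 'none'
        if ($sig.TimeStamperCertificate) { $tsSubject = $sig.TimeStamperCertificate.Subject }

        [pscustomobject]@{
            Path       = $file.FullName
            Reason     = ($reasons -join '; ')
            Signer     = $subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            NotAfter   = $sig.SignerCertificate.NotAfter
            TimeStamp  = $tsSubject
        }
    }
}

Find-SuspiciousSignedFiles | Sort-Object Reason | Format-Table -AutoSize -Wrap
```

Pipe the output to Export-Csv when running it fleet-wide through a management tool, and treat a "known-bad signer" hit as a confirmed sample regardless of whether the signature still reports Valid on that host; the thumbprint can then be added to an application control deny rule so the revocation state of the issuer's CRL no longer matters.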

