Malware - Attackers Use SEO Poisoning to Steal VPN Credentials
In short: attackers trick users into installing fake VPN clients that harvest their login credentials.
Storm-2561 is stealing VPN credentials through SEO poisoning. This attack targets enterprise employees searching for VPN tools, leading them to fake software. The implications are serious, as stolen credentials can enable unauthorized access to corporate networks.
What Happened
Since May 2025, a financially motivated threat actor known as Storm-2561 has been running a sophisticated credential theft campaign. This group manipulates search engine optimization (SEO) to push fake VPN software to the top of search results, targeting enterprise users. Employees searching for legitimate tools like Pulse Secure, Fortinet, and Ivanti are redirected to spoofed websites that serve malicious download packages.
Once a victim installs the fake software, it silently collects their VPN credentials and sends them to servers controlled by the attackers. The campaign exploits common search queries such as "Pulse VPN download" to lure users into a trap, making it hard for them to suspect any foul play. The attackers have cleverly designed their fake sites to resemble legitimate VPN vendor portals, complete with matching logos and download buttons.
Who's Being Targeted
The primary targets of this attack are employees within enterprises that rely on VPN access for remote operations. As these individuals search for VPN tools, they unwittingly fall victim to the attackers' schemes. The campaign's impact is broad, affecting various industries and regions, as it imitates multiple trusted VPN brands, expanding the potential victim pool significantly.
The attackers hosted the malicious ZIP files in GitHub repositories, which have since been taken down. Each archive is disguised as a legitimate installer, so users download and run it without suspicion.
Signs of Infection
Victims of this attack may not notice any immediate signs of infection. After installing the fake VPN client, they might see a convincing error message, which then directs them to download the legitimate VPN software from the official vendor website. This deceptive tactic leaves victims unaware that their credentials have already been compromised.
The downloaded package is a Windows Installer (MSI) file that drops the malicious components on the victim's system. The installer carries a digital signature from a certificate that has since been revoked: to a user, or to a tool that only checks whether a file is signed at all, it still looks like a signed vendor package, and the revocation is only caught if the verifier actually checks certificate revocation status. The dropped trojan is configured to run automatically on device restart, giving it persistence across reboots.
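The following PowerShell script is an added example, not code from the article or from any vendor write-up, showing how a responder would check the three signs just described on a suspect host: it verifies the installer's Authenticode signature with an explicit online revocation check, lists installed products that claim to be one of the imitated VPN brands, and hunts Run/RunOnce keys and scheduled tasks for autostart binaries that are unsigned, revoked, or living in user-writable directories. It assumes an elevated Windows PowerShell 5.1 or later session with outbound access for CRL/OCSP lookups; the `$Candidate` path is hypothetical.

```powershell
# Added example, not code from the article or from any vendor write-up: triage a
# downloaded "VPN client" for the signs described above (MSI package, signature
# from a revoked certificate, autostart persistence). Assumptions: an elevated
# Windows PowerShell 5.1+ session on the suspect host with outbound CRL/OCSP
# access; $Candidate is a hypothetical path to the file the user downloaded.

$Candidate = 'C:\Users\alice\Downloads\PulseSecureSetup.msi'   # hypothetical

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r = [ordered]@{ Path = $Path; Status = $sig.Status; Message = $sig.StatusMessage
                     Signer = $null; Thumbprint = $null; ChainStatus = @(); Revoked = $false }
    if ($sig.SignerCertificate) {
        $r.Signer     = $sig.SignerCertificate.Subject
        $r.Thumbprint = $sig.SignerCertificate.Thumbprint
        # Build the chain ourselves with online CRL/OCSP checks on every certificate,
        # so "signed" is never mistaken for "signed and still trusted".
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($sig.SignerCertificate)
        $r.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        # A check that cannot complete counts as a failure: fail-open revocation
        # checking is exactly what a revoked signing certificate relies on.
        $r.Revoked = [bool]($r.ChainStatus -match 'Revoked|RevocationStatusUnknown|OfflineRevocation')
    }
    [pscustomobject]$r
}

function Get-AutostartEntries {
    # Run/RunOnce keys and scheduled tasks: where a dropped trojan registers
    # itself to come back after the restart mentioned above.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    @(
        foreach ($k in $keys) {
            if (-not (Test-Path $k)) { continue }
            foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
                }
            }
        }
        foreach ($t in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
            foreach ($a in $t.Actions) {
                if ($a.Execute) {
                    [pscustomobject]@{ Source = "Task $($t.TaskPath)$($t.TaskName)"; Name = $t.TaskName
                                       Command = "$($a.Execute) $($a.Arguments)".Trim() }
                }
            }
        }
    )
}

function Find-SuspiciousAutostart {
    # Flag autostart binaries that are unsigned, carry a broken or revoked
    # signature, or live in a user-writable directory. Paths with spaces must be
    # quoted to resolve; bare names without a directory (rundll32.exe) are skipped.
    foreach ($e in Get-AutostartEntries) {
        $exe = $null
        if ($e.Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($e.Command -match '^\s*(\S+)') { $exe = $Matches[1] }
        if (-not $exe) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $sig = Test-InstallerSignature -Path $exe
        $userWritable = $exe -match '\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\'
        if ($sig.Status -ne 'Valid' -or $sig.Revoked -or $userWritable) {
            [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Binary = $exe; SigStatus = $sig.Status
                               Revoked = $sig.Revoked; Signer = $sig.Signer; UserWritable = $userWritable }
        }
    }
}

function Get-InstalledVpnProducts {
    # Installed-product records for the brands this campaign imitates; compare
    # Publisher and InstallLocation with what the genuine vendor installer writes.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Pulse|Ivanti|Forti' } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation, UninstallString
}

# Usage: the first call answers "is this download what it claims to be?"; the
# other two look for what a fake installer would have left behind.
Test-InstallerSignature -Path $Candidate | Format-List
Get-InstalledVpnProducts | Format-Table -AutoSize
Find-SuspiciousAutostart | Format-Table -AutoSize
```

The point of building the X509Chain by hand is that `Get-AuthenticodeSignature` reports a single `Status`, and "signed by a certificate the CA has since revoked" is not the same thing as "not signed". Treating `RevocationStatusUnknown` and `OfflineRevocation` as failures is deliberate: a host that cannot reach the CRL or OCSP responder is exactly the host on which a revoked certificate still "works". The `Signer` and `Thumbprint` fields are what you compare against the genuine vendor's signing certificate, and against the revoked-certificate indicators in any published report on the campaign.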
How to Protect Yourself
To reduce exposure, users should download VPN clients only from the vendor's official site, reached by typing the known address rather than by clicking a search result; sponsored results and look-alike domains are exactly what this campaign abuses. Multi-factor authentication (MFA) on VPN and other enterprise accounts is essential: a stolen password alone should not be enough to log in, and phishing-resistant MFA methods are preferable where the VPN supports them.
Organizations should run endpoint detection and response tools in block mode, enable network and web protection, and apply attack surface reduction rules that block untrusted executables. Employees should not store enterprise credentials in browsers, and security teams should investigate any file whose signing certificate is unrecognized or has been revoked, treating a signature whose revocation status cannot be checked as untrusted rather than valid.
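The script below is an added example, not code from the article, showing how the host-side controls above map onto Microsoft Defender's own cmdlets and onto browser policy keys: it reads the current (usually weak) posture, applies the attack surface reduction rule that blocks untrusted executables together with network protection and cloud block-at-first-sight, first in audit mode and then enforced, and turns off the built-in password managers in Edge and Chrome. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus active. The rule GUID is Microsoft's published identifier for "Block executable files from running unless they meet a prevalence, age, or trusted list criterion". EDR in block mode is a tenant-wide setting made in the Defender portal, so the script does not attempt to configure it.

```powershell
# Added example, not code from the article: the host-side controls recommended
# above, applied with Microsoft Defender's own cmdlets and browser policy keys.
# Assumptions: elevated PowerShell on Windows 10/11 with Microsoft Defender
# Antivirus active. The GUID is Microsoft's published ID for the ASR rule
# "Block executable files from running unless they meet a prevalence, age, or
# trusted list criterion". EDR in block mode is a tenant-wide Defender portal
# setting and is not something this script can turn on.

$BlockUntrustedExecutables = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $p = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $actions = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return $names[[int]$actions[$i]] }
    }
    'NotConfigured'
}

function Get-HostPosture {
    # The "before" view: on a default workstation most of these come back
    # Disabled / NotConfigured, which is the weak setting this campaign relies on.
    $npNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }
    $p = Get-MpPreference
    [pscustomobject]@{
        AsrBlockUntrustedExe = Get-AsrRuleState $BlockUntrustedExecutables
        NetworkProtection    = $npNames[[int]$p.EnableNetworkProtection]
        BlockAtFirstSeen     = -not $p.DisableBlockAtFirstSeen
        CloudBlockLevel      = $p.CloudBlockLevel
    }
}

function Set-HostPosture {
    # Stage the rollout: -AuditOnly first, review the ASR audit events in the
    # Defender operational log for false positives, then run again to enforce.
    param([switch]$AuditOnly)
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -AttackSurfaceReductionRules_Ids $BlockUntrustedExecutables `
                     -AttackSurfaceReductionRules_Actions $mode
    Set-MpPreference -EnableNetworkProtection $mode
    # Cloud-delivered protection: block new, low-prevalence binaries at first sight
    # instead of waving a freshly built installer through on its revoked signature.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples `
                     -DisableBlockAtFirstSeen $false -CloudBlockLevel High
}

function Disable-BrowserPasswordSaving {
    # Policy keys honored by Edge and Chrome; 0 turns off the built-in password
    # manager so enterprise credentials are not sitting in the browser store.
    foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKLM:\SOFTWARE\Policies\Google\Chrome') {
        $null = New-Item -Path $k -Force
        $null = New-ItemProperty -Path $k -Name PasswordManagerEnabled -Value 0 -PropertyType DWord -Force
    }
}

# Usage: record the weak state, apply in audit mode, review, then enforce.
Get-HostPosture
Set-HostPosture -AuditOnly
# ... review the audit events, then:
Set-HostPosture
Disable-BrowserPasswordSaving
Get-HostPosture
```

Running the rule in audit mode first matters in practice: the prevalence/age rule blocks exactly the kind of freshly built, rarely seen installer this campaign ships, but it also blocks legitimate in-house tools until they are added to the trusted list, so measure before enforcing. On managed fleets the same settings are normally pushed through Intune or Group Policy rather than per host; the cmdlets here show what those policies set.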
Cyber Security News