Storm-2561 Campaign Targets Users with Fake VPN Sites
Basically, hackers are tricking people into downloading fake VPN software to steal their login information.
Storm-2561 is tricking users into downloading fake VPN software. This affects anyone searching for trusted VPN clients. The risk includes stolen corporate credentials and potential data breaches. Stay vigilant and verify software sources.
The Threat
In a sophisticated credential-theft campaign, the threat group Storm-2561 is using SEO-poisoned search results to lure unsuspecting users to fake VPN sites. These sites impersonate well-known software from companies like Ivanti, Cisco, and Fortinet. The attackers have been active since May 2025, and their tactics involve redirecting users searching for legitimate VPN clients to malicious sites that host trojanized installers.
The campaign was uncovered by Microsoft Defender Experts in mid-January 2026. Users searching for terms like "Pulse Secure client" are redirected to convincing spoofed websites. Instead of downloading genuine software, victims end up with malware disguised as a VPN client, leading to the theft of sensitive corporate login credentials.
Who's Behind It
The Storm-2561 group is known for mimicking trusted software vendors to gain user trust. By digitally signing their malicious files with a legitimate certificate from Taiyuan Lihua Near Information Technology Co., Ltd., they evade detection. However, this certificate has since been revoked, indicating that their methods are under scrutiny.
Once users download the malware, it installs itself in a directory that resembles a real VPN installation path. This clever tactic helps the malware blend in, making it harder for users to detect any foul play. The attackers have also implemented a post-theft redirection strategy, which makes the malware appear as a technical glitch rather than an attack.
Tactics & Techniques
The malware utilized in this campaign includes the Hyrax infostealer, which is designed to harvest VPN credentials and exfiltrate them to servers controlled by the attackers. After the installation, the malware establishes persistence on the victim's device by adding itself to the Windows RunOnce registry key. This ensures that the malware runs every time the device is rebooted.
Victims are misled into thinking they have successfully installed the legitimate VPN client. After submitting their credentials, they receive a fake error message, prompting them to download the actual VPN client, which further obscures the attack. This tactic not only helps in credential theft but also prevents users from realizing they have been compromised.
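As an added example (not code from the article, Microsoft, or the vendors named), the following PowerShell audit walks the Run and RunOnce autostart keys described above and flags entries whose target binary is unsigned, whose signature no longer validates (as a revoked certificate would), or whose signer matches the certificate holder named in this article; the VPN path keywords are an assumption used to surface installers that mimic a real VPN client directory.

```powershell
# Audit Run/RunOnce autostart entries for binaries that look like VPN clients
# but are unsigned, untrusted, or signed by the certificate holder named in
# the article. Run in an elevated PowerShell session on the host being checked.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed keywords for paths that imitate a legitimate VPN install location.
$vpnKeywords   = @('Pulse', 'Ivanti', 'Cisco', 'AnyConnect', 'Forti', 'VPN')
# Signer named in the article; its certificate has since been revoked.
$suspectSigner = 'Taiyuan Lihua Near Information Technology'

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSChildName, ...).
        if ($p.Name -like 'PS*') { continue }
        # Pull the executable path out of a quoted or bare command line.
        $cmd = [string]$p.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        $sig     = Get-AuthenticodeSignature -FilePath $exe
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $looksLikeVpn = ($vpnKeywords | Where-Object { $exe -match $_ }).Count -gt 0
        # Anything not 'Valid' (NotSigned, NotTrusted, HashMismatch, ...) is worth a look,
        # as is any file signed by the named certificate holder.
        $flag = ($sig.Status -ne 'Valid') -or ($subject -like "*$suspectSigner*")

        if ($looksLikeVpn -or $flag) {
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Path       = $exe
                SigStatus  = $sig.Status
                Signer     = $subject
                Suspicious = $flag
            }
        }
    }
}
```

Entries with Suspicious set to True, or a VPN-like path under a user-writable directory, should be compared against the IoCs Microsoft published for this campaign before any cleanup.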
Defensive Measures
To protect against such credential theft campaigns, organizations must remain vigilant. Microsoft has provided indicators of compromise (IoCs) to help identify potential breaches linked to this campaign. Users should be cautious when downloading software, especially from search results, and verify the authenticity of the sites they visit.
Implementing multi-factor authentication (MFA) can significantly reduce the risks associated with credential theft. Additionally, educating employees about the dangers of phishing and spoofing can help in recognizing and avoiding these malicious tactics. Regularly updating security protocols and software can also mitigate the risk of falling victim to such sophisticated attacks.
Security Affairs