Threat Actor Storm-2561 Targets VPN Users in Theft Campaign
Basically, a hacker group is tricking people into downloading fake VPN software to steal their passwords.
A new campaign by Storm-2561 targets VPN users with fake software. This attack steals login credentials, posing a serious risk to user privacy. Stay vigilant and verify software sources to protect yourself.
The Threat
A new threat actor known as Storm-2561 is actively targeting VPN users in a credential theft campaign. This group has been operational since at least May 2025, employing tactics like SEO poisoning to distribute malware. Their latest campaign, which began in mid-January, aims to lure unsuspecting users searching for VPN software into downloading malicious trojans disguised as legitimate applications.
Storm-2561 is particularly adept at impersonating well-known software vendors. By manipulating search engine results, they ensure that victims searching for terms like 'Pulse VPN download' are directed to malicious sites. The trojans they distribute are signed with legitimate digital certificates, making them harder to detect.
Who's Behind It
Storm-2561 has a reputation for using sophisticated methods to exploit user trust. They host malicious payloads on platforms like GitHub, increasing the likelihood of successful infections. The campaign's primary goal is to steal sensitive login information from VPN users, specifically targeting those looking for the Pulse Secure client.
Victims who click on poisoned search results are redirected to a malicious download site. Here, they download a ZIP file containing an MSI installer that sideloads a DLL file, which then deploys a variant of the Hyrax information stealer. This malware collects VPN credentials and exfiltrates them to an attacker-controlled command-and-control (C&C) server.
Tactics & Techniques
The MSI installer and the DLL are signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd.; the certificate was valid when the campaign ran and has since been revoked. Because the files carry a valid-looking signature, security tooling is more likely to treat them as legitimate. Once installed, the fake VPN client mimics the legitimate application and prompts users to enter their credentials.
In a clever twist, after stealing the credentials, the fake software displays an installation error message. It provides instructions on how to download the real Pulse VPN client, misleading users into thinking they encountered a technical issue rather than malware.
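The checks a defender would run on a download like this before executing anything in it, written here as an added example (it is not code from the article, from SecurityWeek, or from any VPN vendor): it walks the extracted ZIP described above, verifies the Authenticode signature of every MSI, EXE and DLL (the installer and the sideloaded DLL both carry signatures in this campaign), builds each signer's certificate chain with an online revocation check so that a certificate revoked after signing is still caught, and compares the signer against the publisher you expect for the software. The extraction directory is an assumed path and `EXPECTED-VENDOR-PLACEHOLDER` is a placeholder to be replaced with the subject name taken from a known-good copy of the vendor's installer.

```powershell
# Added example; not code from the article or any vendor.
# Assumptions: $ExtractDir is wherever the downloaded ZIP was unpacked (assumed
# path), and $ExpectedPublisher is a placeholder for the real vendor's
# certificate subject, copied from a known-good installer.

function Get-SignerRevocationState {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Do not rely on Get-AuthenticodeSignature's Status alone for revocation:
    # build the signer's chain ourselves with a live (online) revocation check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    $flags    = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })
    if ($statuses | Where-Object { $_.HasFlag($flags::Revoked) }) { return 'Revoked' }
    if ($statuses | Where-Object { $_.HasFlag($flags::RevocationStatusUnknown) -or
                                   $_.HasFlag($flags::OfflineRevocation) }) { return 'Unknown' }
    return 'OK'
}

function Get-InstallerTrustReport {
    param(
        [Parameter(Mandatory)][string]$ExtractDir,        # assumed: where the ZIP was extracted
        [Parameter(Mandatory)][string]$ExpectedPublisher  # placeholder: vendor's cert subject
    )
    Get-ChildItem -Path $ExtractDir -Recurse -File -Include *.msi, *.exe, *.dll | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
        $revocation = if ($cert) { Get-SignerRevocationState -Cert $cert } else { 'n/a' }

        # Order matters: an unsigned or tampered file is rejected outright; a revoked
        # signer is rejected even though the signature itself still verifies; a
        # signature from the wrong publisher is rejected even when it is valid.
        $verdict = if ($sig.Status -ne 'Valid') { "REJECT: signature $($sig.Status)" }
                   elseif ($revocation -eq 'Revoked') { 'REJECT: signer certificate revoked' }
                   elseif ($signer -notlike "*$ExpectedPublisher*") { 'REJECT: unexpected publisher' }
                   elseif ($revocation -eq 'Unknown') { 'HOLD: revocation could not be checked' }
                   else { 'OK' }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = $signer
            Revocation = $revocation
            Verdict    = $verdict
        }
    }
}

# Usage (assumed path, placeholder publisher): review the report before running anything.
Get-InstallerTrustReport -ExtractDir "$env:USERPROFILE\Downloads\vpn-extracted" `
                         -ExpectedPublisher 'EXPECTED-VENDOR-PLACEHOLDER' |
    Format-Table -AutoSize
```

The publisher comparison is deliberately fail-closed: until the placeholder is replaced with the real vendor subject, every signed file is reported as "unexpected publisher", which is the right default for a file that arrived via a search-result link. A file signed by a certificate that is later revoked, as in this campaign, still produces a `Valid` signature status, which is why the report keeps the revocation column separate from the signature column and rejects on either.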
Defensive Measures
To protect yourself from this type of attack, it's crucial to be cautious when downloading software, especially from search engine results. Always verify the source and ensure you are downloading from the official website. Additionally, consider using antivirus software that can detect and block malicious downloads.
If you suspect you've been a victim of this campaign, immediately change your VPN credentials and monitor your accounts for any unauthorized access. Staying informed about the latest threats and employing good security hygiene can significantly reduce your risk of falling victim to such attacks.
SecurityWeek