Storm-2561 SEO Poisoning Campaign Distributing Fake VPN Clients
Microsoft disclosed that threat actor Storm-2561 used SEO poisoning to lure users searching for legitimate enterprise VPN software to attacker-controlled sites hosting malicious ZIP archives. The campaign delivered digitally signed trojans masquerading as trusted VPN clients, with payloads designed to steal VPN credentials; Microsoft said the GitHub repositories used to host the ZIP files were removed and the abused signing certificate was revoked. The activity was identified in mid-January 2026, and Microsoft linked it to a broader Storm-2561 pattern of impersonating well-known software vendors and abusing trusted platforms to improve legitimacy and evade suspicion.
The Microsoft report is substantive: it names a specific campaign, an attribution, a delivery chain, and the defensive implications. A broader weekly bulletin also mentioned the same fake VPN client and credential-theft activity as one item among several security developments, so it is relevant but less detailed. A separate newsletter on detection engineering maturity and product promotion is unrelated to the Storm-2561 intrusion set and is excluded from this summary.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes Storm-2561 attribution and IOCs
Microsoft publicly attributed the fake VPN campaign to Storm-2561 and released technical details, mitigations, detections, hunting guidance, and indicators of compromise including hashes, domains, and C2 information.
Malicious signing certificate is revoked and GitHub payloads removed
The campaign's binaries were signed with a legitimate certificate tied to 'Taiyuan Lihua Near Information Technology Co., Ltd.'; Microsoft said the certificate has since been revoked and the GitHub repositories hosting the payloads were taken down.
Trojanized VPN installers steal credentials and VPN configs
The fake VPN packages dropped a Pulse Secure-like application and side-loaded malicious DLLs, including a Hyrax variant that captured and exfiltrated VPN credentials and configuration data before redirecting users to the legitimate VPN client.
Microsoft identifies Storm-2561 fake VPN credential-theft campaign
In mid-January 2026, Microsoft Defender Experts identified a campaign in which victims were lured via SEO poisoning to spoofed enterprise VPN download sites and attacker-controlled GitHub releases hosting trojanized installers.
Storm-2561 begins activity impersonating software vendors
Microsoft said the financially motivated threat actor Storm-2561 has been active since May 2025, using search-result impersonation of popular software vendors as part of its operations.
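The delivery chain above (ZIP unpacked from a spoofed download site, a signed executable masquerading as the VPN client, malicious DLLs side-loaded beside it) can be turned into a simple host-based check. The following is an added detection example, not code from Microsoft's report; the image-load event shape, the user-writable path hints and the vendor publisher allowlist are assumptions, while the abused signer name is the one the report cites.

```python
"""Flag DLL side-loading by an executable posing as a VPN client (added detection example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed allowlist of publishers expected to sign the real enterprise VPN client (placeholder).
EXPECTED_VPN_PUBLISHERS = {"Example VPN Vendor, Inc."}
# Directory fragments where a victim typically unpacks a downloaded ZIP (assumption).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\")


@dataclass
class ImageLoad:
    """Sysmon-style image-load event; constructed shape, not a real log schema."""
    process_image: str
    process_signer: Optional[str]   # None means unsigned
    loaded_image: str
    loaded_signer: Optional[str]


def is_user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def sideload_findings(events: List[ImageLoad]) -> List[str]:
    """One finding per event matching the report's pattern: an executable in a user-writable
    path, signed by someone other than the VPN vendor, loading a DLL from its own directory
    that does not carry the same signature."""
    findings = []
    for ev in events:
        exe, dll = PureWindowsPath(ev.process_image), PureWindowsPath(ev.loaded_image)
        if dll.suffix.lower() != ".dll":
            continue
        same_dir = dll.parent == exe.parent            # PureWindowsPath compares case-insensitively
        unexpected_signer = ev.process_signer not in EXPECTED_VPN_PUBLISHERS
        signer_mismatch = ev.loaded_signer != ev.process_signer
        if is_user_writable(ev.process_image) and same_dir and unexpected_signer and signer_mismatch:
            findings.append(f"{exe.name} (signer={ev.process_signer!r}) side-loaded "
                            f"{dll.name} (signer={ev.loaded_signer!r}) from {exe.parent}")
    return findings


# Constructed sample events: a legitimate install, then a trojanized client unpacked from a ZIP.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\ExampleVPN\vpnclient.exe", "Example VPN Vendor, Inc.",
              r"C:\Windows\System32\wininet.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\Downloads\VPNClient\vpnclient.exe",
              "Taiyuan Lihua Near Information Technology Co., Ltd.",
              r"C:\Users\alice\Downloads\VPNClient\support.dll", None),
]

if __name__ == "__main__":
    for line in sideload_findings(SAMPLE_EVENTS):
        print(line)
```

Only the second event is flagged; the legitimate client loading a Microsoft-signed system DLL from System32 passes.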
Sources
ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More (thehackernews.com)
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | Microsoft Security Blog (microsoft.com)