Storm-2561 SEO Poisoning Campaign Distributes Trojanized VPN Clients
Microsoft disclosed an active credential-theft campaign by Storm-2561 that uses SEO poisoning and vendor impersonation to lure users searching for enterprise VPN software to attacker-controlled sites. Victims looking for products such as Ivanti Pulse Secure, Cisco, Fortinet, Check Point, SonicWall, Sophos, and WatchGuard are redirected to fake download pages and GitHub-hosted ZIP or MSI installers that appear legitimate. The trojanized installers are digitally signed, abuse DLL sideloading, and present fake VPN login prompts to capture usernames and passwords, which are then exfiltrated to attacker-controlled infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft publicly discloses Storm-2561 fake VPN campaign
Microsoft publicly disclosed the credential-theft campaign, attributing it to Storm-2561 and detailing its use of SEO poisoning, spoofed VPN brands, and trojanized installers to steal enterprise credentials. The disclosure also included defensive guidance such as enforcing MFA and avoiding storage of workplace credentials in browsers or personal password vaults.
Microsoft disrupts Storm-2561 infrastructure and abused certificate
Microsoft said it took down the malicious GitHub repositories used in the campaign and revoked the certificate abused to sign the trojanized installers. The certificate was identified as belonging to Taiyuan Lihua Near Information Technology Co., Ltd.
Trojanized signed VPN installers deploy credential-stealing malware
The fake VPN installers were digitally signed and used DLL sideloading to install a Hyrax information stealer variant, establish persistence via the Windows RunOnce key, and present fake sign-in prompts to harvest VPN usernames and passwords. The malware then exfiltrated stolen credentials to attacker-controlled infrastructure while trying to appear legitimate.
Storm-2561 begins SEO-poisoning VPN credential theft campaign
In mid-January 2026, Storm-2561 was observed redirecting users searching for enterprise VPN software through SEO-poisoned results to spoofed websites and malicious ZIP or MSI installer files. The campaign impersonated major VPN vendors including Check Point, Cisco, Fortinet, Ivanti, SonicWall, Sophos, and WatchGuard.
Storm-2561 activity linked to broader fake software campaigns
Microsoft said the VPN credential-theft operation fits a broader pattern of Storm-2561 activity documented since May 2025, including earlier campaigns involving fake software sites and trojanized installers reported by other researchers. This establishes the group's longer-running use of spoofed software distribution to target users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Storm-2561 SEO Poisoning Campaign Distributing Fake VPN Clients
**Microsoft** disclosed that threat actor **Storm-2561** used **SEO poisoning** to lure users searching for legitimate enterprise VPN software to attacker-controlled sites hosting malicious ZIP archives. The campaign delivered digitally signed trojans masquerading as trusted VPN clients, with payloads designed to steal VPN credentials; Microsoft said the GitHub repositories used to host the ZIP files were removed and the abused signing certificate was revoked. The activity was identified in mid-January 2026, and Microsoft linked it to a broader Storm-2561 pattern of impersonating well-known software vendors and abusing trusted platforms to improve legitimacy and evade suspicion. The reporting is **not fluff** because it contains a specific threat campaign, attribution, delivery chain, and defensive implications. A broader weekly bulletin also referenced the same **fake VPN client / credential theft** activity as one item among several security developments, making it relevant but less detailed. A separate newsletter on detection engineering maturity and product promotion is unrelated to the Storm-2561 intrusion set and should be excluded from the incident summary.
Mar 21, 2026
SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware
Threat actors are using **software impersonation** and **SEO poisoning** to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, **Storm-2561** used spoofed VPN vendor pages for products such as **Pulse Secure, Fortinet, and Ivanti** to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to **"Taiyuan Lihua Near Information Technology Co., Ltd."**, and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials. A separate but closely related campaign used fake **FileZilla** download pages to distribute a **Remote Access Trojan** through multi-stage loaders and **DLL sideloading**. Attackers bundled legitimate FileZilla software with a malicious `version.dll`, or dropped the DLL during installation so the malware would execute while the expected application appeared to install normally. Both reports describe the same broader intrusion pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separate **Warlock** intrusion analysis describing web shells, lateral movement, tunneling, and ransomware activity is a different incident and does not match this malware-delivery story.
Apr 26, 2026
Storm-0249 Uses EDR Abuse and ClickFix for Stealthy Ransomware Deployment
Storm-0249, an initial access broker previously known for selling access to compromised networks, has adopted advanced techniques to facilitate ransomware attacks. The group now leverages social engineering tactics such as ClickFix, which tricks users into executing malicious commands via the Windows Run dialog. These commands use legitimate utilities like `curl.exe` to download and execute fileless PowerShell scripts from spoofed Microsoft domains, ultimately deploying malicious MSI packages with SYSTEM privileges. The attack chain includes DLL sideloading, where a trojanized DLL is placed alongside legitimate EDR components (notably SentinelOne's `SentinelAgentWorker.exe`), allowing the attacker's code to run within trusted processes and evade detection. Once persistence is established, Storm-0249 abuses EDR tools to collect system information and maintain stealthy access, making detection and remediation challenging for defenders. This evolution in Storm-0249's tactics demonstrates a shift from mass phishing to highly targeted, stealthy operations that exploit trusted security software for malicious purposes. The abuse of EDR solutions not only enables the bypassing of traditional security controls but also provides a reliable foothold for ransomware deployment. Security researchers recommend implementing robust email filtering, monitoring for unusual use of legitimate utilities, and updating detection rules to identify these advanced techniques. Organizations are urged to review their EDR configurations and monitor for signs of DLL sideloading and unauthorized PowerShell activity to mitigate the risk posed by this threat actor.
Mar 21, 2026