SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware
Threat actors are using software impersonation and SEO poisoning to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, Storm-2561 used spoofed VPN vendor pages for products such as Pulse Secure, Fortinet, and Ivanti to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to "Taiyuan Lihua Near Information Technology Co., Ltd.", and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials.
A separate but closely related campaign used fake FileZilla download pages to distribute a Remote Access Trojan through multi-stage loaders and DLL sideloading. Attackers bundled legitimate FileZilla software with a malicious version.dll, or dropped the DLL during installation so the malware would execute while the expected application appeared to install normally. Both reports describe the same broader intrusion pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separate Warlock intrusion analysis describing web shells, lateral movement, tunneling, and ransomware activity is a different incident and does not match this malware-delivery story.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Fake Foxit PDF Reader installer campaign deploys UltraVNC malware
Attackers impersonated Foxit PDF Reader with trojanized installer packages that masqueraded as legitimate software downloads. The fake installer deployed UltraVNC to establish stealthy remote access on compromised systems, reflecting a software-impersonation and social-engineering malware campaign.
Gurucul reports fake TestDisk site installing trojanized ScreenConnect
Gurucul disclosed an SEO-poisoning campaign redirecting users searching for TestDisk to the spoofed domain testdisk[.]dev, where a fake PhotoRec installer delivered a ZIP containing a renamed Microsoft Setup binary that side-loaded a malicious autorun.dll. The multi-stage infection ultimately installed legitimate TestDisk software alongside a trojanized ScreenConnect client for persistent remote access, and the report published related IOCs including domain, URL, IP 193.42.11.108, and a SHA-256 hash.
Forensic analysis links fake Sysinternals tool to infostealer infection
A forensic investigation found that a user downloaded and ran a fake Sysinternals executable from a malicious website, leading to a trojan and information stealer infection. Analysis showed the malware stole user input and browser session cookies, contacted command-and-control infrastructure, and dropped a second-stage payload named vmtoolsIO.exe that established persistence via the VMwareIOHelperService auto-start service.
NCC Group and FOX-IT uncover SEO-poisoning campaign delivering AsyncRAT
Investigators uncovered a long-running campaign active since October 2025 that used fake download pages for more than 25 popular applications to deliver ZIP archives containing legitimate software and malicious DLL sideloading components. The infection chain silently installed ScreenConnect and ultimately deployed an AsyncRAT variant with credential theft, keylogging, clipboard monitoring, and cryptocurrency clipper capabilities.
Microsoft discloses Storm-2561 VPN credential theft campaign
Microsoft publicly identified Storm-2561 as behind an ongoing credential theft operation that used SEO poisoning and spoofed VPN software sites to target enterprise users. The disclosure highlighted the risk of stolen VPN access enabling lateral movement, data theft, and follow-on attacks across industries and regions.
Technical details published on FileZilla RAT capabilities and C2 evasion
Analysis revealed the RAT supports credential theft, keylogging, screenshot capture, and hidden remote control through HVNC. The malware also used anti-VM and anti-sandbox checks and communicated with the command-and-control domain welcome.supp0v3.com via DNS-over-HTTPS through Cloudflare's 1.1.1.1 resolver.
EST Security identifies fake FileZilla sites delivering a RAT
EST Security analysts identified an active campaign using fake websites impersonating the official FileZilla download page to infect Windows users. The attackers bundled legitimate FileZilla software with a malicious DLL and used DLL sideloading plus a multi-stage in-memory loader to deploy a remote access trojan.
eSentire reports Kong RAT SEO-poisoning campaign targeting Chinese-speaking developers
eSentire disclosed a multi-stage malware campaign observed in March 2026 that used SEO poisoning and fake Chinese-language software sites for tools including FinalShell, Xshell, QuickQ, and Clash to deliver Kong RAT. The campaign targeted Chinese-speaking developers and IT professionals and used Alibaba Cloud OSS infrastructure, DLL sideloading, shellcode execution, and a COM UAC bypass for post-compromise control.
Blackpoint reports fake Teams installers dropping Oyster malware
Blackpoint SOC reported a campaign using SEO poisoning and malvertising to lure users searching for Microsoft Teams to spoofed download sites serving trojanized installers such as MSTeamsSetup.exe. The installer deployed the Oyster (Broomstick) backdoor, established persistence with a scheduled task named CaptureService, and used signed binaries and spoofed domains to appear legitimate.
Storm-2561 uses signed trojanized VPN installers to steal credentials
In the campaign, attackers distributed fake MSI installers that dropped legitimate-looking executables and malicious DLLs, including a Hyrax infostealer variant, to steal VPN credentials and configuration data. Microsoft found the malware was signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which was later revoked.
Storm-2561 begins SEO-poisoning campaign targeting VPN users
Microsoft said the financially motivated Storm-2561 campaign has been active since at least May 2025, using SEO manipulation to lure enterprise users to spoofed VPN software sites. The actor impersonated brands including Pulse Secure, Fortinet, Ivanti, GlobalProtect, and Sophos Connect to distribute malicious ZIP packages.
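The sideloading, persistence and DNS-over-HTTPS behaviours described in the FileZilla, Sysinternals, Teams and TestDisk events above can be expressed as endpoint triage rules. The following is an added example, not code from any of the cited reports: the telemetry schema, the browser allowlist and the sample events are assumptions constructed for the demonstration, and the indicator names come only from the events listed on this page.

```python
"""Triage rules for the sideloading, persistence and DoH C2 behaviours described above.
Added example; the event dicts are a constructed stand-in for EDR image-load, task,
service and network telemetry, not a real product's schema."""
import ntpath

# DLL names the reports describe being sideloaded beside a legitimate executable.
SIDELOAD_DLLS = {"version.dll", "autorun.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")
# Persistence artefacts named in the reports (scheduled task / service / dropped binary).
PERSISTENCE_NAMES = {"captureservice", "vmwareiohelperservice"}
PERSISTENCE_BINARIES = {"vmtoolsio.exe"}
DOH_RESOLVERS = {"1.1.1.1"}  # Cloudflare resolver named in the FileZilla RAT analysis
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist; tune per fleet

def _low(s):
    return (s or "").lower()

def triage(events):
    """Return (rule, detail) tuples for every event matching one of the three rules."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        proc = _low(ntpath.basename(ev.get("process", "")))
        if kind == "image_load":
            path = _low(ev.get("image", ""))
            # A system DLL name loaded from anywhere but the system directories is the
            # sideloading pattern; a user-writable location raises the severity.
            if ntpath.basename(path) in SIDELOAD_DLLS and not path.startswith(SYSTEM_DIRS):
                sev = "high" if any(d in path for d in USER_WRITABLE) else "medium"
                hits.append(("dll_sideload", f"{proc} loaded {path} ({sev})"))
        elif kind in ("scheduled_task", "service_install"):
            name = _low(ev.get("name", ""))
            binary = _low(ntpath.basename(ev.get("binary", "")))
            if name in PERSISTENCE_NAMES or binary in PERSISTENCE_BINARIES:
                hits.append(("persistence", f"{kind} {ev.get('name')} -> {ev.get('binary')}"))
        elif kind == "network":
            # DoH to a public resolver from a non-browser process hides C2 name lookups.
            if ev.get("dst_ip") in DOH_RESOLVERS and ev.get("dst_port") == 443 and proc not in BROWSERS:
                hits.append(("doh_from_non_browser", f"{proc} -> {ev['dst_ip']}:443"))
    return hits

# Constructed sample telemetry mirroring the reported chains (not real captures).
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Users\u\Downloads\FileZilla\filezilla.exe",
     "image": r"C:\Users\u\Downloads\FileZilla\version.dll"},
    {"type": "image_load", "process": r"C:\Program Files\App\app.exe",
     "image": r"C:\Windows\System32\version.dll"},  # benign system load, must not fire
    {"type": "scheduled_task", "name": "CaptureService", "binary": r"C:\ProgramData\placeholder\task.dll"},
    {"type": "service_install", "name": "VMwareIOHelperService", "binary": r"C:\Temp\vmtoolsIO.exe"},
    {"type": "network", "process": r"C:\Users\u\AppData\Local\Temp\svc.exe", "dst_ip": "1.1.1.1", "dst_port": 443},
    {"type": "network", "process": r"C:\Program Files\Google\Chrome\chrome.exe", "dst_ip": "1.1.1.1", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```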
Sources
8 references tracked.
Foxit Impersonation: Fake PDF Installer Deploys VNC Malware (infosec.pub)
Multi-Stage SEO Poisoning Campaign Targets Chinese-Speaking Developers with Kong RAT (esentire.com)
SEO Poisoning Leads to Sideloaded Microsoft Binary and #RMM Installation (community.gurucul.com)
Digital Forensics: Analyzing Fake Software (hackers-arise.com)
SEO Poisoning Campaign Impersonates 25+ Popular Apps to Deliver AsyncRAT Since October 2025 (cybersecuritynews.com)
Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials (cybersecuritynews.com)
Fake FileZilla Downloads Lead to RAT Infections Through Stealthy Multi-Stage Loader (cybersecuritynews.com)
Malicious Teams Installers Drop Oyster Malware (blackpointcyber.com)