Sophos, Fortinet, Ivanti, Palo Alto Networks and Pulse Secure: Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials

Storm-2561 Credential Theft Campaign Exploits SEO to Target Enterprise VPN Users

Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign by manipulating search engine rankings to distribute fake VPN software. The operation targets employees searching for tools like Pulse Secure, Fortinet, and Ivanti, redirecting them to spoofed websites that deliver malicious download packages.

Victims who install the fake software unknowingly expose their VPN credentials, which are silently harvested and sent to attacker-controlled servers. The campaign leverages SEO poisoning to push fraudulent sites to the top of search results for queries such as “Pulse VPN download.” These sites mimic legitimate vendor portals, complete with logos and download buttons, and served the malicious ZIP files from GitHub repositories that have since been removed.

The trojans were digitally signed with a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”, which has since been revoked. Microsoft Defender Experts identified the campaign in mid-January 2026, attributing it to Storm-2561 based on its history of malware distribution through SEO abuse and software impersonation.

After credential theft, the fake VPN client displays a convincing error message and then redirects the victim to the official vendor website, so the victim sees no visible sign of compromise. The attack delivers its payload via a Windows Installer (MSI) package disguised as a legitimate Pulse Secure installer, dropping two malicious DLL files (dwmapi.dll and inspector.dll) that function as an in-memory loader and a variant of the Hyrax infostealer. The malware exfiltrates credentials to 194.76.226[.]93:8080 and maintains persistence via the Windows RunOnce registry key.

The campaign extends beyond Pulse Secure: additional fake installers for GlobalProtect VPN and Sophos Connect were discovered signed with the same certificate. Stolen credentials enable lateral movement within corporate networks, unauthorized data access, and follow-on attacks, posing a significant risk to enterprises that rely on VPNs for remote operations. The attack’s sophistication, combining realistic spoofing, legitimate-looking code signatures, and post-compromise redirection to the real vendor site, makes detection particularly challenging.
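As an added, defender-side example (not code from the article, Microsoft, or any vendor named above): a small Python hunting helper that checks RunOnce persistence entries and egress log lines against the two indicators the article reports, the dropped DLL names and the exfiltration endpoint. The registry entries, the log line format and all hosts other than the reported endpoint are constructed samples, and the treatment of dwmapi.dll (a legitimate Windows DLL name, flagged only when loaded from outside the Windows directory) is an assumption about how the side-loaded copy would appear.

```python
import re

# Indicators from the article. The IP is refanged from 194.76.226[.]93 for matching.
EXFIL_ENDPOINT = ("194.76.226.93", 8080)
# dwmapi.dll is also a legitimate Windows DLL; only copies referenced from outside
# the Windows system directories (or with no path, i.e. search-order lookup) are
# treated as side-load candidates. This is an assumption, not from the article.
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DLL_REF = re.compile(r'((?:[a-z]:\\|%[a-z]+%\\)[^"\s]*?\\)?(dwmapi\.dll|inspector\.dll)', re.I)


def suspicious_runonce(entries):
    """entries: iterable of (value_name, command) pairs read from a RunOnce key.
    Returns the value names whose command references one of the dropped DLL
    names from a non-system location."""
    flagged = []
    for name, command in entries:
        for m in DLL_REF.finditer(command):
            directory = (m.group(1) or "").lower()
            if not directory.startswith(LEGIT_DIRS):
                flagged.append(name)
                break
    return flagged


# Constructed egress log format: "<ts> src=<ip> dst=<ip>:<port> action=<verdict>".
LOG_LINE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+)')


def exfil_connections(log_lines):
    """Return (timestamp, source host) for every log line to the reported endpoint."""
    host, port = EXFIL_ENDPOINT
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("dst") == host and int(m.group("port")) == port:
            hits.append((m.group("ts"), m.group("src")))
    return hits


# Constructed sample input (not captured from a real host).
SAMPLE_RUNONCE = [
    ("LegitEntry", r'C:\Windows\System32\rundll32.exe C:\Windows\System32\dwmapi.dll,Init'),
    ("PulseUpdate", r'rundll32.exe "C:\Users\jdoe\AppData\Local\Temp\dwmapi.dll",Start'),
    ("Inspector", r'C:\ProgramData\PulseSecure\inspector.dll'),
]
SAMPLE_LOG = [
    "2026-01-15T10:02:11Z src=10.0.4.21 dst=52.96.0.10:443 action=allow",
    "2026-01-15T10:02:14Z src=10.0.4.21 dst=194.76.226.93:8080 action=allow",
    "2026-01-15T10:03:01Z src=10.0.4.22 dst=194.76.226.93:443 action=allow",
]

if __name__ == "__main__":
    print("RunOnce entries to review:", suspicious_runonce(SAMPLE_RUNONCE))
    print("Egress to reported endpoint:", exfil_connections(SAMPLE_LOG))
```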

Source: https://cybersecuritynews.com/attackers-use-seo-poisoning-and-signed-trojans/

Palo Alto Networks cybersecurity rating report: https://www.rankiteo.com/company/palo-alto-networks

Ivanti cybersecurity rating report: https://www.rankiteo.com/company/ivanti

Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos

PulseSecure Pte Ltd cybersecurity rating report: https://www.rankiteo.com/company/pulsesecure

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

{
  "id": "PALIVASOPPULFOR1773764643",
  "linkid": "palo-alto-networks, ivanti, sophos, pulsesecure, fortinet",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'type': 'Enterprise'}],
 'attack_vector': 'SEO Poisoning, Malicious Downloads',
 'data_breach': {'data_encryption': 'No (credentials exfiltrated in plaintext)',
                 'data_exfiltration': 'Yes (to 194.76.226[.]93:8080)',
                 'personally_identifiable_information': 'Potentially (if '
                                                        'credentials include '
                                                        'PII)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'VPN Credentials, Corporate '
                                             'Network Access'},
 'date_detected': '2026-01-15',
 'description': 'Since May 2025, the financially motivated threat actor '
                'Storm-2561 has been conducting a credential theft campaign by '
                'manipulating search engine rankings to distribute fake VPN '
                'software. The operation targets employees searching for tools '
                'like Pulse Secure, Fortinet, and Ivanti, redirecting them to '
                'spoofed websites that deliver malicious download packages. '
                'Victims who install the fake software unknowingly expose '
                'their VPN credentials, which are silently harvested and sent '
                'to attacker-controlled servers.',
 'impact': {'data_compromised': 'VPN Credentials, Corporate Network Access',
            'identity_theft_risk': 'High',
            'operational_impact': 'Unauthorized Access, Lateral Movement, Data '
                                  'Exfiltration Risk',
            'systems_affected': 'Enterprise VPN Systems (Pulse Secure, '
                                'Fortinet, Ivanti, GlobalProtect, Sophos '
                                'Connect)'},
 'initial_access_broker': {'backdoors_established': 'Malicious DLLs '
                                                    '(dwmapi.dll, '
                                                    'inspector.dll)',
                           'entry_point': 'SEO-Poisoned Fake VPN Downloads',
                           'high_value_targets': 'Enterprise VPN Users'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'root_causes': 'SEO Poisoning, Fake Software '
                                           'Distribution, Lack of User '
                                           'Verification'},
 'references': [{'source': 'Microsoft Defender Experts'}],
 'response': {'third_party_assistance': 'Microsoft Defender Experts'},
 'threat_actor': 'Storm-2561',
 'title': 'Storm-2561 Credential Theft Campaign Exploits SEO to Target '
          'Enterprise VPN Users',
 'type': 'Credential Theft',
 'vulnerability_exploited': 'Social Engineering (Fake VPN Software), Lack of '
                            'User Awareness'}