Fortinet, Ivanti, Sophos and Pulse Secure: Storm-2561 Uses SEO Poisoning, Fake Signed VPN Apps to Steal Enterprise Credentials

Storm-2561 Exploits SEO Poisoning and Fake VPN Installers in Credential Theft Campaign

Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign against enterprise VPN users, combining SEO poisoning with trojanized VPN installers. The group distributes fake but validly code-signed software to harvest VPN credentials and configuration data, exploiting users' trust in search results and in legitimate code-signing certificates.

In mid-January 2026, Microsoft Defender Experts identified a renewed campaign where Storm-2561 manipulated search engine results to direct victims to spoofed VPN download sites, such as vpn-fortinet[.]com and ivanti-vpn[.]org. These domains mimicked well-known VPN vendors, including Fortinet, Pulse Secure, and Ivanti, before redirecting users to a now-removed malicious GitHub repository hosting a ZIP file (VPN-CLIENT.zip) containing a trojanized MSI installer.

The installer, disguised as a legitimate VPN client, deployed signed malware components (Pulse.exe, dwmapi.dll and inspector.dll) under a path imitating a real Pulse Secure installation (%CommonFiles%\Pulse Secure). dwmapi.dll shares its name with a legitimate Windows system DLL that belongs in System32, so a copy in an application directory is itself worth flagging; the dropped copy acted as an in-memory loader, executing shellcode that loaded inspector.dll, a variant of the Hyrax information stealer. The stealer targeted stored VPN credentials and configuration data in C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat and exfiltrated them to a command-and-control server at 194.76.226[.]93:8080.

A key tactic in this campaign was the abuse of a legitimate code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked. The valid signature suppressed the unknown-publisher warnings Windows shows for unsigned installers and led some security tools to treat the MSI and DLLs as trustworthy. Revocation is not a complete fix on its own: Authenticode still accepts a timestamped signature made before the revocation's effective date unless the CA backdates the revocation, so defenders should also block the samples by hash and signer name. Additional signed samples, including Sophos-Connect-Client.exe and GlobalProtect-VPN.exe, indicated a broader distribution effort under the same certificate.

The fake VPN client displayed a realistic GUI mimicking Pulse Secure, prompting users for credentials, exfiltrating them and then showing a fake error message. To avoid suspicion, the malware sometimes redirected victims to the official vendor site, so they ended up with a genuine, working VPN client and no obvious sign of compromise. Persistence relied on the Windows RunOnce registry key, which launches its entry once at the next user logon, so the malware ran again after the machine was restarted.

Microsoft Defender Antivirus detects the payloads as Trojan:Win32/Malgent and TrojanSpy:Win64/Hyrax, while Defender for Endpoint can block active infections and flag unusual VPN process execution. The campaign highlights Storm-2561’s reliance on SEO manipulation, brand impersonation, and code-signing abuse to monetize stolen credentials.
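The indicators given above (the dropped file names and install path, the abused signer, the RunOnce key, the credential store and the C2 address) are enough for a first-pass triage of a Windows host that may have run the fake installer, and for checking the signer of any VPN installer before it is run. The PowerShell below is an added example, not code from the gbhackers article, from Microsoft or from Rankiteo: the file names, paths, signer name and C2 address are taken from the text, while the function and variable names and the allow-list of expected publisher strings are this script's own assumptions.

```powershell
# Added triage script (not from the original article). Read-only: it reports, it changes nothing.
# Run in an elevated PowerShell session on the host under investigation.

$Indicators = @{
    # Dropped components and the directory that imitates a real Pulse Secure install
    Dir    = Join-Path $env:CommonProgramFiles 'Pulse Secure'
    Files  = @('Pulse.exe', 'dwmapi.dll', 'inspector.dll')
    # Credential store the Hyrax variant reads
    Store  = 'C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat'
    # Abused (since revoked) code-signing subject, as reported
    Signer = 'Taiyuan Lihua Near Information Technology'
    C2     = '194.76.226.93'
    C2Port = 8080
}

# Substrings expected in the signer subject of a genuine VPN client (assumption, extend as needed).
$ExpectedPublishers = @('Ivanti', 'Pulse Secure', 'Fortinet', 'Sophos', 'Palo Alto Networks')

function Test-SuspiciousSigner {
    # Returns one finding per file: its Authenticode status, signer subject, and a Flag
    # when the signer is the abused certificate or not one of the expected publishers.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $known = $ExpectedPublishers | Where-Object { $subject -like "*$_*" }
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Subject = $subject
        Flag    = ($subject -like "*$($Indicators.Signer)*") -or (-not $known)
    }
}

$findings = @()

# 1. Dropped files under the fake install directory, with their signer
if (Test-Path $Indicators.Dir) {
    foreach ($name in $Indicators.Files) {
        $p = Join-Path $Indicators.Dir $name
        if (Test-Path $p) { $findings += Test-SuspiciousSigner -Path $p }
    }
}

# dwmapi.dll is a Windows system DLL that belongs in System32; a copy under Program Files
# or ProgramData is a sideloading candidate and is listed whatever directory it sits in.
$strayDwmapi = Get-ChildItem -Path $env:ProgramFiles, $env:CommonProgramFiles, $env:ProgramData `
    -Recurse -Filter 'dwmapi.dll' -ErrorAction SilentlyContinue
foreach ($f in $strayDwmapi) { $findings += Test-SuspiciousSigner -Path $f.FullName }

# 2. RunOnce persistence pointing at the fake install directory
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        if ("$($prop.Value)" -like '*Pulse Secure*') {
            $findings += [pscustomobject]@{
                File = "$key\$($prop.Name)"; Status = 'RunOnce'; Subject = $prop.Value; Flag = $true
            }
        }
    }
}

# 3. Live TCP connection to the reported C2
$conns = Get-NetTCPConnection -RemoteAddress $Indicators.C2 -RemotePort $Indicators.C2Port `
    -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        File = $proc.Path; Status = "TCP $($c.State)"
        Subject = "$($Indicators.C2):$($Indicators.C2Port)"; Flag = $true
    }
}

# 4. Presence of the credential store the stealer reads (context only, not an indicator by itself)
if (Test-Path $Indicators.Store) {
    $findings += [pscustomobject]@{
        File = $Indicators.Store; Status = 'Present'; Subject = 'Pulse Secure connection store'; Flag = $false
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Flag) {
    Write-Warning 'Storm-2561 indicators found: isolate the host and reset the VPN credentials of every user who signed in on it.'
}
```

Test-SuspiciousSigner can also be pointed at a freshly downloaded installer before it is run: a status other than Valid, or a signer subject that is not the vendor's, is reason to stop. A 32-bit Windows layout would additionally need the CommonProgramFiles(x86) directory added to the search.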

Source: https://gbhackers.com/storm-2561-uses-seo-poisoning/

Pulse Secure cybersecurity rating report: https://www.rankiteo.com/company/pulse-secure

Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

Ivanti cybersecurity rating report: https://www.rankiteo.com/company/ivanti

{
  "id": "PULSOPFORIVA1773404773",
  "linkid": "pulse-secure, sophos, fortinet, ivanti",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Fortinet',
                        'type': 'VPN Vendor'},
                       {'industry': 'Cybersecurity',
                        'name': 'Pulse Secure',
                        'type': 'VPN Vendor'},
                       {'industry': 'Cybersecurity',
                        'name': 'Ivanti',
                        'type': 'VPN Vendor'},
                       {'industry': 'Cybersecurity',
                        'name': 'Sophos',
                        'type': 'VPN Vendor'}],
 'attack_vector': ['SEO Poisoning', 'Trojanized Installers'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['connectionstore.dat'],
                 'personally_identifiable_information': 'VPN credentials',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'VPN credentials and '
                                             'configuration data'},
 'date_detected': '2026-01-15',
 'description': 'Since May 2025, the financially motivated threat actor '
                'Storm-2561 has been conducting a credential theft campaign '
                'targeting enterprise VPN users by abusing SEO poisoning and '
                'trojanized VPN installers. The group leverages fake, '
                'code-signed software to harvest VPN credentials and '
                'configuration data, exploiting trust in search results and '
                'legitimate security certificates. In mid-January 2026, '
                'Microsoft Defender Experts identified a renewed campaign '
                'where Storm-2561 manipulated search engine results to direct '
                'victims to spoofed VPN download sites, such as '
                'vpn-fortinet[.]com and ivanti-vpn[.]org. These domains '
                'mimicked well-known VPN vendors, including Fortinet, Pulse '
                'Secure, and Ivanti, before redirecting users to a malicious '
                'GitHub repository hosting a trojanized MSI installer. The '
                'malware targeted stored VPN credentials and exfiltrated them '
                'to a command-and-control server.',
 'impact': {'data_compromised': 'VPN credentials and configuration data',
            'identity_theft_risk': 'High',
            'systems_affected': 'Enterprise VPN users'},
 'initial_access_broker': {'entry_point': 'SEO-poisoned search results and '
                                          'trojanized VPN installers',
                           'high_value_targets': 'Enterprise VPN users'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The campaign highlights the risks of SEO manipulation, '
                    'brand impersonation, and code-signing abuse in credential '
                    'theft operations.',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'corrective_actions': ['Revoke abused certificates',
                                                   'Enhance detection of '
                                                   'signed malware',
                                                   'Improve user awareness of '
                                                   'fake download sites'],
                            'root_causes': ['Abuse of legitimate code-signing '
                                            'certificates',
                                            'SEO poisoning to distribute '
                                            'trojanized installers',
                                            'Brand impersonation of VPN '
                                            'vendors']},
 'recommendations': ['Block known malicious domains (e.g., vpn-fortinet[.]com, '
                     'ivanti-vpn[.]org)',
                     'Monitor for unusual VPN process execution',
                     'Revoke and investigate abused code-signing certificates',
                     'Educate users on verifying download sources'],
 'references': [{'source': 'Microsoft Defender Experts'}],
 'response': {'enhanced_monitoring': 'Microsoft Defender for Endpoint',
              'third_party_assistance': 'Microsoft Defender Experts'},
 'threat_actor': 'Storm-2561',
 'title': 'Storm-2561 Exploits SEO Poisoning and Fake VPN Installers in '
          'Credential Theft Campaign',
 'type': 'Credential Theft'}