Storm-2561 SEO Poisoning Campaign Distributing Fake VPN Clients
Microsoft disclosed that threat actor Storm-2561 used SEO poisoning to lure users searching for legitimate enterprise VPN software to attacker-controlled sites hosting malicious ZIP archives. The campaign delivered digitally signed trojans masquerading as trusted VPN clients, with payloads designed to steal VPN credentials; Microsoft said the GitHub repositories used to host the ZIP files were removed and the abused signing certificate was revoked. The activity was identified in mid-January 2026, and Microsoft linked it to a broader Storm-2561 pattern of impersonating well-known software vendors and abusing trusted platforms to improve legitimacy and evade suspicion.
The reporting is substantive: it contains a specific threat campaign, attribution, delivery chain, and defensive implications. A broader weekly bulletin also referenced the same fake VPN client / credential theft activity as one item among several security developments, making it relevant but less detailed. A separate newsletter on detection engineering maturity and product promotion is unrelated to the Storm-2561 intrusion set and is excluded from the incident summary.
Timeline

- **Mar 12, 2026**: Microsoft publishes Storm-2561 attribution and IOCs. Microsoft publicly attributed the fake VPN campaign to Storm-2561 and released technical details, mitigations, detections, hunting guidance, and indicators of compromise including hashes, domains, and C2 information.
- **Mar 12, 2026**: Malicious signing certificate is revoked and GitHub payloads removed. The campaign's binaries were signed with a legitimate certificate tied to 'Taiyuan Lihua Near Information Technology Co., Ltd.'; Microsoft said the certificate has since been revoked and the GitHub repositories hosting the payloads were taken down.
- **Jan 15, 2026**: Trojanized VPN installers steal credentials and VPN configs. The fake VPN packages dropped a Pulse Secure-like application and side-loaded malicious DLLs, including a Hyrax variant that captured and exfiltrated VPN credentials and configuration data before redirecting users to the legitimate VPN client.
- **Jan 15, 2026**: Microsoft identifies the Storm-2561 fake VPN credential-theft campaign. In mid-January 2026, Microsoft Defender Experts identified a campaign in which victims were lured via SEO poisoning to spoofed enterprise VPN download sites and attacker-controlled GitHub releases hosting trojanized installers.
- **May 1, 2025**: Storm-2561 begins activity impersonating software vendors. Microsoft said the financially motivated threat actor Storm-2561 has been active since May 2025, using search-result impersonation of popular software vendors as part of its operations.
Storm-2561 SEO Poisoning Campaign Distributes Trojanized VPN Clients
**Microsoft disclosed an active credential-theft campaign by Storm-2561** that uses **SEO poisoning** and vendor impersonation to lure users searching for enterprise VPN software to attacker-controlled sites. Victims looking for products such as **Ivanti Pulse Secure, Cisco, Fortinet, Check Point, SonicWall, Sophos,** and **WatchGuard** are redirected to fake download pages and GitHub-hosted ZIP or MSI installers that appear legitimate. The trojanized installers are **digitally signed**, abuse **DLL sideloading**, and present fake VPN login prompts to capture usernames and passwords, which are then exfiltrated to attacker-controlled infrastructure.
1 month ago
SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware
Threat actors are using **software impersonation** and **SEO poisoning** to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, **Storm-2561** used spoofed VPN vendor pages for products such as **Pulse Secure, Fortinet, and Ivanti** to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to **"Taiyuan Lihua Near Information Technology Co., Ltd."**, and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials. A separate but closely related campaign used fake **FileZilla** download pages to distribute a **Remote Access Trojan** through multi-stage loaders and **DLL sideloading**. Attackers bundled legitimate FileZilla software with a malicious `version.dll`, or dropped the DLL during installation so the malware would execute while the expected application appeared to install normally. Both reports describe the same broader intrusion pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separate **Warlock** intrusion analysis describing web shells, lateral movement, tunneling, and ransomware activity is a different incident and does not match this malware-delivery story.
1 week ago
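Both the Storm-2561 timeline entry (a Pulse Secure-like application side-loading malicious DLLs) and the FileZilla story above (a planted `version.dll` beside the genuine installer) come down to the same host artefact: a DLL with a search-order-hijackable name sitting next to an executable in a user-writable directory. The script below is an added example, not code from Microsoft, Mallory or either vendor; it walks a directory tree, flags such DLLs while ignoring trusted system directories, hashes them, and marks any whose SHA-256 is on a caller-supplied blocklist. The DLL name list, the sample directory layout and the blocklist entry are all constructed for this example and are assumptions to replace with your own threat intelligence.

```python
"""DLL side-loading hunt over a directory tree.

Added example (not code from the Microsoft report or from Mallory). It flags
DLLs whose file names are classic side-loading targets when they sit next to an
executable outside a trusted system directory, hashes them, and marks any whose
SHA-256 appears in a caller-supplied blocklist. The DLL name list and the sample
tree are constructed for this example; the blocklist entry is a placeholder.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Search-order-hijackable DLL names seen in side-loading reports. This list is an
# assumption for the example; version.dll is the name reported in the FileZilla lure.
SIDELOAD_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                      "userenv.dll", "wtsapi32.dll"}


def sha256_of(path):
    """Stream-hash a file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _under_trusted(directory, trusted):
    """True when directory is one of, or lies below, the trusted system dirs."""
    return any(directory == t or t in directory.parents for t in trusted)


def find_sideload_candidates(root, trusted_dirs=()):
    """Return one finding per suspicious DLL: a side-load-prone name, at least
    one .exe in the same directory, and not under a trusted system directory."""
    trusted = [Path(d).resolve() for d in trusted_dirs]
    findings = []
    for dirpath, _, filenames in os.walk(root):
        directory = Path(dirpath).resolve()
        if _under_trusted(directory, trusted):
            continue
        exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
        if not exes:
            continue  # a lone DLL cannot be side-loaded without a host binary
        for name in filenames:
            if name.lower() in SIDELOAD_DLL_NAMES:
                dll = directory / name
                findings.append({"dll": str(dll), "host_exes": exes,
                                 "sha256": sha256_of(dll)})
    return findings


def classify(findings, known_bad_hashes):
    """Attach a verdict: 'known-malicious' on a blocklist hit, else 'review'."""
    bad = {h.lower() for h in known_bad_hashes}
    return [dict(f, verdict="known-malicious" if f["sha256"] in bad else "review")
            for f in findings]


def build_sample_tree():
    """Create a constructed directory layout mimicking a user profile."""
    root = Path(tempfile.mkdtemp(prefix="sideload-hunt-"))
    layout = {
        "system32/version.dll": b"MZ legitimate system copy",
        "system32/notepad.exe": b"MZ notepad",
        "Downloads/FileZilla/filezilla.exe": b"MZ genuine filezilla",
        "Downloads/FileZilla/version.dll": b"MZ planted loader",
        "Downloads/PulseSecure/PulseSecure.exe": b"MZ lookalike vpn client",
        "Downloads/PulseSecure/dbghelp.dll": b"MZ planted loader 2",
        "Documents/orphan/version.dll": b"MZ no host exe here",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_sideload_candidates(root, trusted_dirs=[root / "system32"])
    # Constructed blocklist entry: the hash of the planted FileZilla version.dll.
    blocklist = {hashlib.sha256(b"MZ planted loader").hexdigest()}
    for f in classify(hits, blocklist):
        print(f["verdict"], f["dll"], "beside", ", ".join(f["host_exes"]))
```

On a real host, point `find_sideload_candidates` at user-writable locations (Downloads, Temp, per-user AppData) and pass the Windows system directories as `trusted_dirs`; the `review` verdict is the interesting one, because a freshly built loader will not yet be on any blocklist, and the hit list is then the set of DLLs whose signer and origin a responder should verify by hand.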
Storm-0249 Uses EDR Abuse and ClickFix for Stealthy Ransomware Deployment
Storm-0249, an initial access broker previously known for selling access to compromised networks, has adopted advanced techniques to facilitate ransomware attacks. The group now leverages social engineering tactics such as ClickFix, which tricks users into executing malicious commands via the Windows Run dialog. These commands use legitimate utilities like `curl.exe` to download and execute fileless PowerShell scripts from spoofed Microsoft domains, ultimately deploying malicious MSI packages with SYSTEM privileges. The attack chain includes DLL sideloading, where a trojanized DLL is placed alongside legitimate EDR components (notably SentinelOne's `SentinelAgentWorker.exe`), allowing the attacker's code to run within trusted processes and evade detection. Once persistence is established, Storm-0249 abuses EDR tools to collect system information and maintain stealthy access, making detection and remediation challenging for defenders. This evolution in Storm-0249's tactics demonstrates a shift from mass phishing to highly targeted, stealthy operations that exploit trusted security software for malicious purposes. The abuse of EDR solutions not only enables the bypassing of traditional security controls but also provides a reliable foothold for ransomware deployment. Security researchers recommend implementing robust email filtering, monitoring for unusual use of legitimate utilities, and updating detection rules to identify these advanced techniques. Organizations are urged to review their EDR configurations and monitor for signs of DLL sideloading and unauthorized PowerShell activity to mitigate the risk posed by this threat actor.
1 month ago