SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware
Threat actors are using software impersonation and SEO poisoning to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, Storm-2561 used spoofed VPN vendor pages for products such as Pulse Secure, Fortinet, and Ivanti to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to "Taiyuan Lihua Near Information Technology Co., Ltd.", and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials.
A separate but closely related campaign used fake FileZilla download pages to distribute a Remote Access Trojan through multi-stage loaders and DLL sideloading. Attackers bundled legitimate FileZilla software with a malicious version.dll, or dropped the DLL during installation, so the malware executed while the expected application appeared to install normally. Both campaigns follow the same broader pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separately reported Warlock intrusion involving web shells, lateral movement, tunneling, and ransomware is an unrelated incident and is not part of this story.
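The sideloading layout described above, and in the TestDisk, NCC Group, FileZilla and Kong RAT entries below, is the same from the defender's side: a legitimate executable resolves a DLL name that normally lives only in the Windows system directories (version.dll, autorun.dll, TextShaping.dll) from its own folder instead. The following is an added example, not code from any of the cited reports. It runs that check over Sysmon-style image-load records (Event ID 7 field names: Image is the loading process, ImageLoaded is the DLL, Signed/SignatureStatus describe the DLL). The DLL names come from the campaigns on this page; the system-directory list, the confidence scoring and every sample event are constructed for the example.

```python
"""Hunt Sysmon-style image-load (Event ID 7) records for DLL sideloading.

Added example for this page; not code from any of the reports it cites.
The sample events below are constructed, not taken from the incidents.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# DLL names the cited campaigns planted beside a legitimate executable. Each
# is also the name of a real Windows DLL, which is what makes the search-order
# hijack work; the genuine copies live only in the directories listed below.
HIJACK_PRONE_DLLS = {"version.dll", "autorun.dll", "textshaping.dll"}

# Legitimate homes for those DLLs. Compared against the DLL's immediate parent
# directory, not as a path prefix: a planted subfolder such as
# C:\Windows\SysWOW64\hero\ (the layout from the 7-Zip lookalike case) would
# pass a naive startswith() check.
SYSTEM_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}


def classify_image_load(event: dict) -> dict | None:
    """Return a finding for a suspicious load, or None for a clean one."""
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in HIJACK_PRONE_DLLS:
        return None
    # PureWindowsPath equality is case-insensitive, matching NTFS semantics,
    # so C:\WINDOWS\system32 and C:\Windows\System32 compare equal here.
    if dll.parent in SYSTEM_DIRS:
        return None
    signed_valid = (
        str(event.get("Signed", "false")).lower() == "true"
        and event.get("SignatureStatus") == "Valid"
    )
    return {
        "process": event["Image"],
        "dll": str(dll),
        "dll_name": dll.name.lower(),
        "signer": event.get("Signature", ""),
        # A valid Authenticode signature does not clear the load: the
        # Storm-2561 DLLs carried a certificate that was only revoked later.
        # It lowers confidence from high to medium, nothing more.
        "confidence": "medium" if signed_valid else "high",
    }


def hunt_sideloading(events: list[dict]) -> list[dict]:
    """Run classify_image_load over a batch and return the findings in order."""
    return [f for f in (classify_image_load(e) for e in events) if f]


# Constructed sample batch: two clean loads, three sideloads.
SAMPLE_EVENTS = [
    # 1. Fake FileZilla bundle run from Downloads, unsigned version.dll beside it.
    {"Image": r"C:\Users\alice\Downloads\FileZilla_setup\filezilla.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\FileZilla_setup\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # 2. Genuine FileZilla resolving version.dll from System32 (mixed case): clean.
    {"Image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "ImageLoaded": r"C:\WINDOWS\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # 3. 32-bit process taking the SysWOW64 copy: clean.
    {"Image": r"C:\Program Files (x86)\Tool\tool.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # 4. Renamed Setup binary loading a signed autorun.dll from Temp. The
    #    signer name is a placeholder; a still-valid signature does not clear it.
    {"Image": r"C:\Users\bob\AppData\Local\Temp\photorec\setup.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\photorec\autorun.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Signer Co., Ltd."},
    # 5. Subfolder under SysWOW64, constructed to exercise the exact-directory check.
    {"Image": r"C:\Windows\SysWOW64\hero\Uphero.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\hero\textshaping.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in hunt_sideloading(SAMPLE_EVENTS):
        print(f'[{finding["confidence"]}] {finding["process"]} loaded {finding["dll"]}')
```

Two design points matter in practice. The directory test is an exact match on the DLL's parent, because a prefix match would whitelist anything an attacker drops one level below System32 or SysWOW64. And the signature state only adjusts confidence: the campaigns on this page used signed installers and, in the Storm-2561 case, a certificate that was valid at the time of the infection.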
Timeline
Apr 26, 2026
Fake Foxit PDF Reader installer campaign deploys UltraVNC malware
Attackers impersonated Foxit PDF Reader with trojanized installer packages posing as legitimate software downloads. The fake installer deployed UltraVNC to establish covert remote access on compromised systems, another instance of software impersonation used as the social-engineering lure.
Apr 16, 2026
Gurucul reports fake TestDisk site installing trojanized ScreenConnect
Gurucul disclosed an SEO-poisoning campaign redirecting users searching for TestDisk to the spoofed domain testdisk[.]dev, where a fake PhotoRec installer delivered a ZIP containing a renamed Microsoft Setup binary that sideloaded a malicious autorun.dll. The multi-stage infection ultimately installed legitimate TestDisk software alongside a trojanized ScreenConnect client for persistent remote access. The report included IOCs: the domain, a URL, the IP 193.42.11.108, and a SHA-256 hash.
Mar 27, 2026
Forensic analysis links fake Sysinternals tool to infostealer infection
A forensic investigation found that a user downloaded and ran a fake Sysinternals executable from a malicious website, leading to a trojan and information stealer infection. Analysis showed the malware stole user input and browser session cookies, contacted command-and-control infrastructure, and dropped a second-stage payload named vmtoolsIO.exe that established persistence via the VMwareIOHelperService auto-start service.
Mar 23, 2026
NCC Group and FOX-IT uncover SEO-poisoning campaign delivering AsyncRAT
Investigators uncovered a long-running campaign active since October 2025 that used fake download pages for more than 25 popular applications to deliver ZIP archives containing legitimate software and malicious DLL sideloading components. The infection chain silently installed ScreenConnect and ultimately deployed an AsyncRAT variant with credential theft, keylogging, clipboard monitoring, and cryptocurrency clipper capabilities.
Mar 17, 2026
Microsoft discloses Storm-2561 VPN credential theft campaign
Microsoft publicly identified Storm-2561 as behind an ongoing credential theft operation that used SEO poisoning and spoofed VPN software sites to target enterprise users. The disclosure highlighted the risk of stolen VPN access enabling lateral movement, data theft, and follow-on attacks across industries and regions.
Mar 16, 2026
Technical details published on FileZilla RAT capabilities and C2 evasion
Analysis revealed the RAT supports credential theft, keylogging, screenshot capture, and hidden remote control through HVNC. The malware also used anti-VM and anti-sandbox checks and communicated with the command-and-control domain welcome.supp0v3.com via DNS-over-HTTPS through Cloudflare's 1.1.1.1 resolver.
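Resolving the C2 domain over DoH to 1.1.1.1 has a concrete detection consequence: the Windows DNS client never sees welcome.supp0v3.com, so Sysmon's DNS query event (ID 22) and any DNS-log-based blocklist miss it. The pivot is the network connect event (ID 3): a non-browser process opens port 443 to a public DoH resolver and then reaches external hosts for which it produced no OS-level DNS query. The following is an added example, not code from the EST Security analysis. The resolver list, the browser allowlist and all sample records are assumptions constructed for the example; external addresses are RFC 5737 documentation ranges standing in for real destinations.

```python
"""Hunt for a process doing its own DNS-over-HTTPS instead of using the OS resolver.

Added example for this page, not code from the EST Security analysis.
Correlates Sysmon network connect records (Event ID 3: Image, DestinationIp,
DestinationPort) with DNS query records (Event ID 22: Image, QueryName).
Resolver list, allowlist and sample records are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address, ip_network

# Public resolvers that serve DoH on 443 (assumed list; extend as needed).
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Browsers legitimately speak DoH on their own (assumed allowlist).
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_doh(net_events: list[dict], dns_events: list[dict]) -> list[dict]:
    """Return processes that contact DoH resolvers, scored by whether they also
    reach external hosts they never resolved through the OS resolver."""
    os_queries = defaultdict(set)      # image -> names resolved via the OS
    for e in dns_events:
        os_queries[e["Image"].lower()].add(e["QueryName"].lower())

    doh_hits = defaultdict(set)        # image -> DoH resolver IPs contacted
    onward = defaultdict(int)          # image -> other external connections
    for e in net_events:
        img = e["Image"].lower()
        dst, port = e["DestinationIp"], int(e["DestinationPort"])
        # Port 443 regardless of protocol: DoH may ride HTTP/3 over UDP as well as TCP.
        if dst in DOH_RESOLVERS and port == 443:
            doh_hits[img].add(dst)
        elif not _is_internal(dst):
            onward[img] += 1

    findings = []
    for img, resolvers in doh_hits.items():
        if img.rsplit("\\", 1)[-1] in BROWSER_ALLOWLIST:
            continue
        # Contacts a DoH endpoint, then reaches external hosts without a single
        # OS-level DNS query: the process is resolving names on its own.
        hidden_resolution = onward[img] > 0 and not os_queries[img]
        findings.append({
            "process": img,
            "resolvers": sorted(resolvers),
            "onward_connections": onward[img],
            "os_dns_queries": len(os_queries[img]),
            "confidence": "high" if hidden_resolution else "medium",
        })
    return findings


# Constructed Sysmon-style records.
SAMPLE_NET_EVENTS = [
    # Trojanized FileZilla: DoH to Cloudflare, then straight to a C2 address.
    {"Image": r"C:\Users\alice\Downloads\FileZilla_setup\filezilla.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"Image": r"C:\Users\alice\Downloads\FileZilla_setup\filezilla.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    # Browser with built-in DoH: expected behaviour, allowlisted.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # Mail client using the OS resolver: never touches a DoH endpoint, no finding.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "198.51.100.8", "DestinationPort": 443},
    # Updater that reaches 1.1.1.1 but still resolves names via the OS: medium.
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]
SAMPLE_DNS_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.example.com"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "QueryName": "outlook.office365.com"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "QueryName": "updates.example.net"},
]

if __name__ == "__main__":
    for f in hunt_doh(SAMPLE_NET_EVENTS, SAMPLE_DNS_EVENTS):
        print(f'[{f["confidence"]}] {f["process"]} -> {f["resolvers"]} '
              f'({f["onward_connections"]} onward, {f["os_dns_queries"]} OS queries)')
```

The high-confidence signal is the combination, not the resolver contact alone: plenty of software touches 1.1.1.1 for connectivity checks, but a process that afterwards opens connections to external hosts it never asked the OS to resolve has a resolver of its own, which is exactly what the FileZilla RAT does.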
Mar 16, 2026
EST Security identifies fake FileZilla sites delivering a RAT
EST Security analysts identified an active campaign using fake websites impersonating the official FileZilla download page to infect Windows users. The attackers bundled legitimate FileZilla software with a malicious DLL and used DLL sideloading plus a multi-stage in-memory loader to deploy a remote access trojan.
Mar 1, 2026
eSentire reports Kong RAT SEO-poisoning campaign targeting Chinese-speaking developers
eSentire disclosed a multi-stage malware campaign observed in March 2026 that used SEO poisoning and fake Chinese-language software sites for tools including FinalShell, Xshell, QuickQ, and Clash to deliver Kong RAT. The campaign targeted Chinese-speaking developers and IT professionals and used Alibaba Cloud OSS infrastructure, DLL sideloading, shellcode execution, and a COM UAC bypass for post-compromise control.
Oct 31, 2025
Blackpoint reports fake Teams installers dropping Oyster malware
Blackpoint SOC reported a campaign using SEO poisoning and malvertising to lure users searching for Microsoft Teams to spoofed download sites serving trojanized installers such as MSTeamsSetup.exe. The installer deployed the Oyster (Broomstick) backdoor, established persistence with a scheduled task named CaptureService, and used signed binaries and spoofed domains to appear legitimate.
May 1, 2025
Storm-2561 uses signed trojanized VPN installers to steal credentials
In the Storm-2561 campaign, attackers distributed fake MSI installers that dropped legitimate-looking executables and malicious DLLs, including a Hyrax infostealer variant, to steal VPN credentials and configuration data. Microsoft found the malware was signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which was later revoked.
May 1, 2025
Storm-2561 begins SEO-poisoning campaign targeting VPN users
Microsoft said the financially motivated Storm-2561 campaign has been active since at least May 2025, using SEO manipulation to lure enterprise users to spoofed VPN software sites. The actor impersonated brands including Pulse Secure, Fortinet, Ivanti, GlobalProtect, and Sophos Connect to distribute malicious ZIP packages.
Related Stories
Impersonated Software Downloads Used to Deliver Malware via Lookalike Repos and Domains
Threat actors are abusing **software-brand impersonation** to trick users into installing malware from fake distribution points, relying on social engineering rather than software exploits. Datadog reported an active campaign using **fake GitHub repositories** that impersonate established technology companies and leverage the **ClickFix** technique—prompting victims to copy/paste commands into *Terminal* (macOS) or *PowerShell/Run* (Windows)—to install infostealers. Datadog observed iterative updates to the *MacSync* lure and a new macOS infostealer variant self-branded as **“SHub Stealer v2.0”**, with expanded capabilities including **persistence** and **remote access**, alongside anti-analysis/evasion features intended to hinder detection and track infection outcomes; Datadog also assessed signs the actor is expanding toward **Windows infostealer** functionality. Separately, Malwarebytes documented a lookalike **7-Zip** download site (`7zip[.]com`, impersonating the legitimate `7-zip.org`) distributing a **trojanized installer** that installs a working 7-Zip File Manager while silently converting infected Windows systems into **residential proxy nodes**. The installer was **Authenticode-signed** with a certificate issued to **Jozeal Network Technology Co., Limited** (now revoked), and it dropped additional components—`Uphero.exe` (service manager/update loader), `hero.exe` (Go-compiled proxy payload), and `hero.dll`—under `C:\Windows\SysWOW64\hero\`; one reported case surfaced via Microsoft Defender detection `Trojan:Win32/Malgent!MSR` after the system had been exposed for an extended period. Together, the reporting highlights a sustained risk from **trusted-brand impersonation** and “looks legitimate” installers/repositories that deliver credential theft or monetize endpoints via proxyware.
1 month ago
Storm-2561 SEO Poisoning Campaign Distributes Trojanized VPN Clients
**Microsoft disclosed an active credential-theft campaign by Storm-2561** that uses **SEO poisoning** and vendor impersonation to lure users searching for enterprise VPN software to attacker-controlled sites. Victims looking for products such as **Ivanti Pulse Secure, Cisco, Fortinet, Check Point, SonicWall, Sophos,** and **WatchGuard** are redirected to fake download pages and GitHub-hosted ZIP or MSI installers that appear legitimate. The trojanized installers are **digitally signed**, abuse **DLL sideloading**, and present fake VPN login prompts to capture usernames and passwords, which are then exfiltrated to attacker-controlled infrastructure.
1 month ago
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
1 month ago