Storm-2561 lures victims to spoofed VPN sites to harvest corporate logins

Attackers linked to Storm-2561 use SEO-poisoned search results to lure users to fake Ivanti, Cisco, and Fortinet VPN sites that steal corporate login credentials.

In mid-January 2026, Microsoft Defender Experts uncovered a credential-theft campaign attributed to Storm-2561. Threat actor is spreading fake enterprise VPN clients impersonating Ivanti, Cisco, and Fortinet software. By poisoning search engine results for queries like “Pulse Secure client” or “Pulse VPN download,” attackers redirect users to convincing spoofed vendor websites.

Users searching for legitimate software are redirected to malicious ZIP archives hosted on GitHub, containing trojanized installers that impersonate trusted VPN tools and steal login credentials. Active since May 2025, the group frequently mimics well-known software vendors to gain trust and increase infection rates. The malware in this campaign was digitally signed with a legitimate certificate later revoked.

“In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products but instead deploy malware designed to harvest credentials and VPN data.” reads the report published by Microsoft. “When users click to download the software, they are redirected to a malicious GitHub repository (no longer available) that hosts the fake VPN client for direct download.”

Victims downloading the software receive a ZIP file hosted on GitHub containing a trojanized MSI that imitates legitimate VPN clients. When executed, the installer drops files in a directory resembling a real Pulse Secure installation path and side-loads malicious DLLs. One loader deploys the Hyrax infostealer, which harvests VPN credentials and exfiltrates them to attacker-controlled servers.

Attackers digitally signed the MSI and DLL files using a certificate from Taiyuan Lihua Near Information Technology Co., Ltd. to evade detection. The certificate has since been revoked.

“To maintain access, the MSI malware establishes persistence during installation through the Windows RunOnce registry key, adding the Pulse.exe malware to run when the device reboots.” continues the report.

Microsoft detailed a fake VPN client in a Storm-2561 campaign mimicking the Pulse Secure login interface to steal credentials. Instead of connecting to a VPN, it captures credentials and exfiltrates them to attacker-controlled infrastructure at 194.76.226[.]93:8080. Users see a fake error message after submission and are redirected to install the legitimate VPN client. The malware’s inspector.dll also accesses stored VPN data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat for exfiltration.

A key defense-evasion tactic in this campaign is the post-theft redirection. After stealing credentials, the fake VPN app shows a believable error message, instructs the user to download the legitimate Pulse VPN client, and may open the official VPN site in a browser. If users later install the real VPN successfully, there are no visible signs of compromise, making the initial malware activity appear like a technical glitch rather than an attack.

Microsoft provided indicators of compromise (IoCs) for this campaign along with recommendations on how to defend against credential theft campaigns.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Storm-2561)