A cyber threat actor identified as Storm-2561 is focusing its efforts on VPN users through a sophisticated credential theft campaign, as reported by Microsoft. This malicious operation involves SEO poisoning to distribute malware, aiming to deceive users seeking VPN software with counterfeit versions.
Details of the Storm-2561 Campaign
Storm-2561 has been actively engaging in these malicious activities since at least May 2025. The group leverages search engine optimization poisoning to lead unsuspecting users to fraudulent websites. These sites mimic reputable software vendors, enhancing the likelihood of successful malware distribution.
The latest campaign, beginning in mid-January, targets individuals searching for VPN solutions, specifically enticing them to download trojans disguised as legitimate software. These trojans come with a genuine digital certificate, allowing them to bypass security detections more easily.
Exploitation Techniques and Distribution
The threat actor effectively exploited user trust in search engine rankings by hosting harmful payloads on GitHub repositories. These repositories, which have since been removed, contained a ZIP file with an MSI installer masquerading as Pulse Secure VPN software.
Through SEO poisoning tactics, searches for terms like ‘Pulse VPN download’ led to malicious results. Users clicking on these results were redirected to a harmful download site, where the payload was delivered via a ZIP archive from GitHub.
Technical Execution and Impact
Upon installation, the MSI file within the ZIP executed a DLL that launched the Hyrax information stealer. This malware collected URI and VPN credentials and transmitted them to an attacker-controlled command-and-control server.
Both the MSI and DLL files bore legitimate signatures from Taiyuan Lihua Near Information Technology Co., Ltd., which have since been revoked. The counterfeit VPN client replicated the real application, prompting users to input their credentials, subsequently sent to the attackers.
The fake software also established persistence by adding itself to the Windows RunOnce registry key. After collecting credentials, it displayed an error message and directed users to download the authentic Pulse VPN client, sometimes opening the legitimate site in a browser.
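Two of the details above give a defender something concrete to check on a Windows host: the fake client registered itself under the RunOnce key, and its MSI and DLL carried a code-signing certificate that was only revoked later. The following PowerShell script is an added example, not code from Microsoft's report or from any vendor tooling. It enumerates the per-user and machine-wide RunOnce keys, resolves each entry's target executable, and flags entries whose target sits in a user-writable location (the kind of path a freshly downloaded installer lands in) or whose Authenticode signature does not verify. The location patterns are assumptions for illustration and should be tuned to the environment; it assumes an elevated session so the HKLM key is readable.

```powershell
# Added example (not from the original report): audit RunOnce persistence entries
# and the signature state of their targets on a Windows host.
# Assumptions: run elevated; the path patterns below are illustrative only.

$runOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# User-writable locations where a downloaded installer or dropped DLL typically lives.
# Hypothetical list; extend with whatever your environment treats as untrusted.
$suspiciousPathPatterns = @('\\AppData\\', '\\Temp\\', '\\Downloads\\', '\\Users\\Public\\')

function Get-CommandExecutable {
    param([string]$Command)
    # Pull the executable path out of a registry command line, honouring quotes
    # and expanding %VARIABLES% so Test-Path can find the file.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-RunOnceReport {
    foreach ($key in $runOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($p.Name -like 'PS*') { continue }

            $command = [string]$p.Value
            $exe     = Get-CommandExecutable -Command $command
            $flags   = @()

            foreach ($pat in $suspiciousPathPatterns) {
                if ($exe -match $pat) { $flags += "target in user-writable path ($pat)" }
            }

            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                # Anything other than Valid (NotSigned, HashMismatch, NotTrusted,
                # UnknownError) deserves a look. A file signed and timestamped before
                # its certificate was revoked can still report Valid, so the signer
                # subject is emitted as well for comparison against known-revoked signers.
                if ($sig.Status -ne 'Valid') { $flags += "signature status $($sig.Status)" }
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            } else {
                # RunOnce entries are deleted after they fire; a missing target can
                # mean the dropper already ran and cleaned up, which is itself notable.
                $flags  += 'target file not found'
                $signer  = '(n/a)'
            }

            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $command
                Target  = $exe
                Signer  = $signer
                Flags   = ($flags -join '; ')
            }
        }
    }
}

Get-RunOnceReport | Format-Table -AutoSize
```

Run it as part of a triage of a machine whose user reports a "failed" VPN install: an entry pointing into Downloads or AppData, a signer subject matching the Taiyuan Lihua Near Information Technology Co., Ltd. certificate named above, or a RunOnce value whose target has already vanished are each worth following up with a look at the MSI installer log and outbound connections from the same time window.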
Microsoft notes that if users proceed to install and utilize legitimate VPN software, they may not immediately realize the breach, attributing the initial failure to technical errors rather than malware.
