SEO Manipulation and Trojans Used to Steal VPN Credentials

Posted on March 18, 2026 By CWS

Introduction to the Threat

A cybercriminal group identified as Storm-2561 has been executing a credential theft operation since May 2025, leveraging search engine optimization (SEO) techniques to promote counterfeit VPN software to enterprise users. The campaign deceives employees searching for tools like Pulse Secure, Fortinet, and Ivanti, redirecting them to fraudulent sites that distribute harmful software packages.

Upon installation, these fake applications discreetly collect VPN credentials, transmitting them to servers controlled by the attackers without any visible alerts to the user.

SEO Tactics and Impersonation

Storm-2561 effectively manipulates SEO to elevate these fake websites in search results for terms such as “Pulse VPN download.” Users clicking these links are led to sites that closely mimic legitimate VPN provider portals, complete with authentic-looking logos and download prompts.

The malicious files, previously hosted on GitHub, have since been removed. These trojans were signed with a certificate from “Taiyuan Lihua Near Information Technology Co., Ltd.,” which has been revoked.

Detection and Identification

Microsoft Defender Experts uncovered the campaign in January 2026, attributing it to Storm-2561. This campaign aligns with the group’s history of using SEO exploitation and software impersonation for financial gains since May 2025.

The use of realistic-looking websites paired with legitimate digital signatures was a strategic move to reduce user suspicion and expand the campaign’s reach.

Infection Mechanism and Impact

The attack is delivered through a Windows Installer (MSI) package, disguised as a Pulse Secure installer, which drops malicious DLL files alongside a fake VPN client. These DLLs effectively steal VPN credentials by capturing data entered during fake login processes.

The broader impact threatens enterprise organizations that rely on VPNs for remote access. Compromised credentials can lead to unauthorized network access and subsequent attacks, with multiple trusted VPN brands being imitated.

Mitigation Strategies

To mitigate this threat, users should download software only from official vendor websites and avoid search engine links for software downloads. Implementing multi-factor authentication is crucial, as it can prevent access even if passwords are stolen.

Organizations should deploy endpoint detection and response tools, enable network protection, and enforce attack surface reduction rules to block untrusted executables. Security teams are advised to scrutinize files signed by unknown publishers or with recently revoked certificates.
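
One way to carry out the signature review described above on a Windows endpoint, as an added example that is not part of the original article or of Microsoft's guidance. The default scan path and the helper name `Test-SignerRevoked` are assumptions; the watched signer is the publisher named in the article.

```powershell
# Added example: report signed installers/DLLs whose signer matches a watched
# publisher, whose signing chain contains a revoked certificate, or whose
# Authenticode status is anything other than Valid.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumption: typical download location
    [string[]]$WatchedSigners = @('Taiyuan Lihua Near Information Technology Co., Ltd.')
)

function Test-SignerRevoked {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Online mode fetches CRL/OCSP data, so the host needs network access.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    try {
        $null = $chain.Build($Certificate)
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        return [bool]($chain.ChainStatus | Where-Object { $_.Status.HasFlag($revokedFlag) })
    } finally {
        $chain.Dispose()
    }
}

Get-ChildItem -Path $Path -Recurse -File -Include *.msi, *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }   # unsigned files are out of scope for this check

        # The certificate subject contains the publisher name verbatim.
        $watched = [bool]($WatchedSigners | Where-Object { $cert.Subject -like "*$_*" })
        $revoked = Test-SignerRevoked -Certificate $cert

        if ($watched -or $revoked -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File          = $file.FullName
                Status        = $sig.Status
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                WatchedSigner = $watched
                Revoked       = $revoked
            }
        }
    }
```

A hit on `WatchedSigner` or `Revoked` is a reason to isolate the file and check the host for a recently installed VPN client; a non-`Valid` status alone only marks the file for closer review.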
