Cyber Web Spider Blog – News

SEO Manipulation and Trojans Used to Steal VPN Credentials

Posted on March 18, 2026 By CWS

Introduction to the Threat

A cybercriminal group identified as Storm-2561 has been executing a credential theft operation since May 2025, leveraging search engine optimization (SEO) techniques to promote counterfeit VPN software to enterprise users. The campaign deceives employees searching for tools like Pulse Secure, Fortinet, and Ivanti, redirecting them to fraudulent sites that distribute harmful software packages.

Upon installation, these fake applications discreetly collect VPN credentials, transmitting them to servers controlled by the attackers without any visible alerts to the user.

SEO Tactics and Impersonation

Storm-2561 effectively manipulates SEO to elevate these fake websites in search results for terms such as “Pulse VPN download.” Users clicking these links are led to sites that closely mimic legitimate VPN provider portals, complete with authentic-looking logos and download prompts.

The malicious files, previously hosted on GitHub, have since been removed. These trojans were signed with a certificate from “Taiyuan Lihua Near Information Technology Co., Ltd.,” which has been revoked.

Detection and Identification

Microsoft Defender Experts uncovered the campaign in January 2026, attributing it to Storm-2561. This campaign aligns with the group’s history of using SEO exploitation and software impersonation for financial gains since May 2025.

The use of realistic-looking websites paired with legitimate digital signatures was a strategic move to reduce user suspicion and expand the campaign’s reach.

Infection Mechanism and Impact

The attack is delivered through a Windows Installer (MSI) package, disguised as a Pulse Secure installer, which drops malicious DLL files alongside a fake VPN client. These DLLs effectively steal VPN credentials by capturing data entered during fake login processes.

The broader impact threatens enterprise organizations that rely on VPNs for remote access. Compromised credentials can lead to unauthorized network access and subsequent attacks, with multiple trusted VPN brands being imitated.

Mitigation Strategies

To mitigate this threat, users should download software only from official vendor websites and avoid search engine links for software downloads. Implementing multi-factor authentication is crucial, as it can prevent access even if passwords are stolen.

Organizations should deploy endpoint detection and response tools, enable network protection, and enforce attack surface reduction rules to block untrusted executables. Security teams are advised to scrutinize files signed with certificates from unknown publishers or with recently revoked certificates.
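One way to apply the signature advice above to a file inventory, as an added example that is not from the original article or from Microsoft. It flags files signed by the signer named in this article, files without a valid signature, and files that claim one of the impersonated VPN brands without a matching signer; the JSON field names, the sample records and the brand-in-signer rule are assumptions made for illustration.

```python
import json
import re

# Signer the page names as the trojans' (now revoked) certificate subject.
REVOKED = {"Taiyuan Lihua Near Information Technology Co., Ltd."}
# Brands the page lists as impersonated. ASSUMPTION: a genuine installer's
# signer name contains the brand; swap in signer names you have verified.
BRANDS = ["Pulse Secure", "Fortinet", "Ivanti"]

def norm(text):
    """Lowercase, strip punctuation/spaces: 'PulseSecure' == 'Pulse Secure'."""
    return re.sub(r"[^a-z0-9]", "", (text or "").lower())

def triage(rec):
    """Return the reasons one file-signature record needs analyst review."""
    reasons = []
    signer = norm(rec.get("signer"))
    file_name = rec["path"].rsplit("\\", 1)[-1]
    claimed = norm(file_name) + " " + norm(rec.get("product_name"))
    if signer in {norm(s) for s in REVOKED}:
        reasons.append("signer reported as revoked")
    if rec.get("status") != "valid":
        reasons.append(f"signature status is {rec.get('status')!r}")
    for brand in BRANDS:
        if norm(brand) in claimed and norm(brand) not in signer:
            reasons.append(f"claims {brand} but signer does not match")
    return reasons

def hunt(jsonl):
    """Map path -> reasons for each flagged record in a JSON-lines export."""
    flagged = {}
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        reasons = triage(rec)
        if reasons:
            flagged[rec["path"]] = reasons
    return flagged

# Constructed sample inventory; the field names are a hypothetical schema.
SAMPLE = r"""
{"path": "C:\\Users\\a\\Downloads\\PulseSecure-Setup.msi", "product_name": "Pulse Secure", "signer": "Taiyuan Lihua Near Information Technology Co., Ltd.", "status": "valid"}
{"path": "C:\\Program Files\\Example VPN\\client.dll", "product_name": "Ivanti Secure Access", "signer": null, "status": "unsigned"}
{"path": "C:\\Tools\\FortiClientVPN.msi", "product_name": "Fortinet FortiClient", "signer": "Fortinet Example Signer (constructed)", "status": "valid"}
{"path": "C:\\Tools\\editor.exe", "product_name": "Text Editor", "signer": "Example Software Ltd (constructed)", "status": "valid"}
"""

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```

The first record is flagged even though its stored status is "valid", because an inventory snapshot taken before revocation would still record the signature as good.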

Copyright © 2026 Cyber Web Spider Blog – News.
