Cyber Web Spider Blog – News

SEO Manipulation and Trojans Used to Steal VPN Credentials


Posted on March 18, 2026 By CWS

Introduction to the Threat

A cybercriminal group identified as Storm-2561 has been executing a credential theft operation since May 2025, leveraging search engine optimization (SEO) techniques to promote counterfeit VPN software to enterprise users. The campaign deceives employees searching for tools like Pulse Secure, Fortinet, and Ivanti, redirecting them to fraudulent sites that distribute harmful software packages.

Upon installation, these fake applications discreetly collect VPN credentials, transmitting them to servers controlled by the attackers without any visible alerts to the user.

SEO Tactics and Impersonation

Storm-2561 effectively manipulates SEO to elevate these fake websites in search results for terms such as “Pulse VPN download.” Users clicking these links are led to sites that closely mimic legitimate VPN provider portals, complete with authentic-looking logos and download prompts.

The malicious files, previously hosted on GitHub, have since been removed. These trojans were signed with a certificate from “Taiyuan Lihua Near Information Technology Co., Ltd.,” which has been revoked.

Detection and Identification

Microsoft Defender Experts uncovered the campaign in January 2026, attributing it to Storm-2561. This campaign aligns with the group’s history of using SEO exploitation and software impersonation for financial gain since May 2025.

The use of realistic-looking websites paired with legitimate digital signatures was a strategic move to reduce user suspicion and expand the campaign’s reach.

Infection Mechanism and Impact

The attack is delivered through a Windows Installer (MSI) package, disguised as a Pulse Secure installer, which drops malicious DLL files alongside a fake VPN client. These DLLs effectively steal VPN credentials by capturing data entered during fake login processes.

The broader impact threatens enterprise organizations that rely on VPNs for remote access. Compromised credentials can lead to unauthorized network access and subsequent attacks, with multiple trusted VPN brands being imitated.

Mitigation Strategies

To mitigate this threat, users should download software only from official vendor websites and avoid search engine links for software downloads. Implementing multi-factor authentication is crucial, as it can prevent access even if passwords are stolen.

Organizations should deploy endpoint detection and response tools, enable network protection, and enforce attack surface reduction rules to block untrusted executables. Security teams are advised to scrutinize files signed with unknown or recently revoked certificates.
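One way to act on the signature advice above, as an added example that is not part of the original article or of any vendor tooling: a PowerShell triage that checks the Authenticode signer of downloaded installers against the signer name and VPN brands the article reports. The scan path, the brand pattern and the `$ExpectedPublishers` allowlist are assumptions, and the allowlist holds a placeholder to replace with the publisher names your vendors actually sign with.

```powershell
# Added example: triage signed installers for the traits the article describes.
param([string]$Path = "$env:USERPROFILE\Downloads")

$ReportedSigner = 'Taiyuan Lihua Near Information Technology Co., Ltd.'  # signer named in the article
$BrandPattern   = 'pulse|fortinet|ivanti'                                # brands the article lists
# ASSUMPTION: placeholder allowlist; until it is filled in, every brand-named file is flagged.
$ExpectedPublishers = @('<vendor publisher name>')

function Test-CertRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # Online mode fetches CRL/OCSP data, so a revoked signer shows up in ChainStatus.
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        [void]$chain.Build($Cert)
        return ($chain.ChainStatus.Status -contains
            [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked)
    } finally { $chain.Dispose() }
}

Get-ChildItem -Path $Path -Recurse -File -Include *.msi, *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        # SimpleName is the certificate's common name, i.e. the publisher shown to the user.
        $publisher = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '' }
        $reasons = @()
        if ($publisher -eq $ReportedSigner) { $reasons += 'signer named in the Storm-2561 report' }
        if ($sig.Status -ne 'Valid')        { $reasons += "signature status: $($sig.Status)" }
        if ($cert -and (Test-CertRevoked $cert)) { $reasons += 'signing certificate revoked' }
        if ($_.Name -match $BrandPattern -and $publisher -notin $ExpectedPublishers) {
            $reasons += 'VPN brand in file name, publisher not on allowlist'
        }
        if ($reasons) {
            # One row per suspicious file, with every reason it was flagged.
            [pscustomobject]@{ File = $_.FullName; Publisher = $publisher; Reasons = $reasons -join '; ' }
        }
    }
```

The revocation check needs network access to the issuer's CRL or OCSP endpoints; on an isolated host the other three checks still apply.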
