Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials

    Microsoft Defender Experts have uncovered a sophisticated credential theft campaign orchestrated by the financially motivated threat actor Storm-2561. The campaign exploits search engine optimization (SEO) poisoning to redirect enterprise users searching for legitimate VPN software to malicious websites that distribute trojanized VPN clients.

    How the Attack Works

    Active since May 2025, Storm-2561 targets users searching for popular enterprise VPN products like Pulse Secure, Fortinet, and Ivanti VPN. When users click on poisoned search results, they’re redirected to convincing spoofed websites that closely mimic legitimate VPN vendor pages.

    The malicious sites direct victims to download ZIP files hosted on attacker-controlled GitHub repositories. These ZIP files contain trojanized MSI installers that:

    • Install into a directory that mimics the legitimate product's path (e.g., %CommonFiles%\Pulse Secure), so the files look in place on casual inspection
    • Side-load malicious DLLs from that directory: dwmapi.dll, an in-memory loader that borrows the name of a legitimate Windows DLL so that an executable in the same directory resolves the attacker's copy before the one in System32, and inspector.dll, a variant of the Hyrax infostealer
    • Display a convincing fake VPN login dialog to harvest the user's username and password
    • Exfiltrate the stolen credentials to attacker-controlled command-and-control (C2) infrastructure
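    As an added example that is not part of the original post or of Microsoft's tooling, the Python below turns the side-loading layout just described into a detection over image-load telemetry: it flags a Windows DLL name such as dwmapi.dll loaded from anywhere other than a system directory, and separately flags the campaign's inspector.dll name. The events are constructed Sysmon-style records; the expansion of %CommonFiles% to C:\Program Files\Common Files and the executable name installer.exe are assumptions for the example.

```python
r"""Detect the DLL side-loading pattern described above from image-load telemetry.

Added example, not Microsoft's detection logic. The records below are
constructed Sysmon-style image-load events (Event ID 7 field names), not real
telemetry; the expansion of %CommonFiles% to C:\Program Files\Common Files and
the loading executable's name (installer.exe) are assumptions.
"""
from pathlib import PureWindowsPath

# Windows DLLs that a process should only ever load from a system directory.
# dwmapi.dll is the one named on this page; extend the set for other hunts.
SYSTEM_DLLS = {"dwmapi.dll"}

# DLL names tied to this campaign (the Hyrax infostealer component).
CAMPAIGN_DLLS = {"inspector.dll"}

# Directories from which a copy of a system DLL is legitimately loaded.
SYSTEM_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)


def _norm(path: str) -> str:
    """Normalise separators and case so plain string comparison is reliable."""
    return str(PureWindowsPath(path)).lower()


def in_system_dir(path: str) -> bool:
    """True if the file sits underneath one of SYSTEM_DIRS."""
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in SYSTEM_DIRS)


def classify(event: dict):
    """Return a rule name if the image-load event is suspicious, else None."""
    loaded = event["ImageLoaded"]
    name = PureWindowsPath(loaded).name.lower()
    if name in SYSTEM_DLLS and not in_system_dir(loaded):
        # A system DLL name resolved from an application directory: the DLL
        # search order found the attacker's copy before the one in System32.
        return "sideload:system-dll-outside-system-dir"
    if name in CAMPAIGN_DLLS:
        return "campaign-dll-name"
    return None


def find_sideloads(events):
    """Return (rule, loading process, DLL path) for every suspicious event."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed sample events (not real telemetry).
EVENTS = [
    # benign: Explorer loads the real dwmapi.dll from System32
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll"},
    # suspicious: the installer resolves dwmapi.dll from its own directory
    {"Image": r"C:\Program Files\Common Files\Pulse Secure\installer.exe",
     "ImageLoaded": r"C:\Program Files\Common Files\Pulse Secure\dwmapi.dll"},
    # suspicious: the stealer component by name
    {"Image": r"C:\Program Files\Common Files\Pulse Secure\installer.exe",
     "ImageLoaded": r"C:\Program Files\Common Files\Pulse Secure\inspector.dll"},
    # benign: a 32-bit process loading the SysWOW64 copy
    {"Image": r"C:\Windows\SysWOW64\notepad.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\dwmapi.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(EVENTS):
        print(*hit, sep="\t")
```

    In a real deployment the rule keys on Sysmon Event ID 7 (ImageLoad) or the equivalent EDR event, and SYSTEM_DLLS is extended with the other Windows DLL names that are routinely abused the same way.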

    Sophisticated Evasion Techniques

    What makes this campaign particularly dangerous is Storm-2561’s post-credential theft behavior. After capturing user credentials, the malware:

    1. Displays a convincing error message indicating “installation failure”
    2. Provides instructions to download the legitimate VPN client from official sources
    3. Opens the user’s browser to the real VPN vendor website

    This clever misdirection means victims often successfully install and use legitimate VPN software afterward, attributing the initial failure to technical issues rather than malware. By the time users establish working VPN connections, their credentials have already been exfiltrated.

    Code Signing Abuse

    The malicious MSI and DLL files were signed with a legitimate digital certificate from “Taiyuan Lihua Near Information Technology Co., Ltd.” (now revoked). This code signing abuse:

    • Avoids the unknown-publisher warnings Windows shows for unsigned installers (SmartScreen reputation is a separate check and is not defeated by a signature alone)
    • May satisfy application control policies that allow any validly signed binary instead of pinning trusted publishers
    • Lowers the priority of security tool alerts tuned to unsigned binaries
    • Lends false legitimacy to the installation process; revocation only helps hosts that actually check it, so hunt on the signer name rather than on the signature's validity status

    Indicators of Compromise

    Microsoft has identified the following malicious infrastructure:

    • Domains: vpn-fortinet[.]com, ivanti-vpn[.]org
    • C2 Server: 194.76.226[.]93:8080
    • Malware: Hyrax infostealer variant
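    The Python below, added here and not a Microsoft tool, matches DNS, network connection and file-signature telemetry against the indicators listed above and the abused signer name from the code signing section. The indicator values are the ones quoted on this page, kept in their defanged form and refanged in code; the log records are constructed for the example, and the file paths and the format of the signer string are assumptions.

```python
"""Match DNS, network and file-signature telemetry against the indicators above.

Added example, not a Microsoft tool. The indicator values are the ones quoted
on this page, kept defanged; the log records are constructed, not real
telemetry. File paths and the signer string format are assumptions.
"""
from ipaddress import ip_address

DEFANGED_DOMAINS = ["vpn-fortinet[.]com", "ivanti-vpn[.]org"]
DEFANGED_C2 = "194.76.226[.]93:8080"
# The certificate is revoked, but revocation only helps hosts that check it,
# so the hunt keys on the signer name, not on the reported signature status.
SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared with real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
_ip, _port = refang(DEFANGED_C2).rsplit(":", 1)
C2_IP, C2_PORT = ip_address(_ip), int(_port)


def domain_matches(host: str) -> bool:
    """Exact or subdomain match only; a lookalike such as notivanti-vpn.org must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def match_record(rec: dict):
    """Return a match tag for a single log record, or None."""
    kind = rec["type"]
    if kind == "dns" and domain_matches(rec["query"]):
        return f"dns:{rec['query']}"
    if kind == "net" and ip_address(rec["dst"]) == C2_IP:
        # Any contact with the C2 address is worth a look; the known port
        # raises confidence.
        tag = "c2-ip-port" if rec["dport"] == C2_PORT else "c2-ip"
        return f"{tag}:{rec['dst']}:{rec['dport']}"
    if kind == "sig" and rec["signer"].casefold() == SIGNER.casefold():
        return f"signer:{rec['path']}"
    return None


def scan(records):
    """Return the tags of every record that matches an indicator."""
    return [tag for tag in map(match_record, records) if tag]


# Constructed sample records (not real telemetry).
RECORDS = [
    {"type": "dns", "query": "vpn-fortinet.com"},
    {"type": "dns", "query": "download.ivanti-vpn.org"},
    {"type": "dns", "query": "ivanti.com"},            # the real vendor: no match
    {"type": "dns", "query": "notivanti-vpn.org"},     # lookalike suffix: no match
    {"type": "net", "dst": "194.76.226.93", "dport": 8080},
    {"type": "net", "dst": "194.76.226.93", "dport": 443},
    {"type": "net", "dst": "8.8.8.8", "dport": 53},
    {"type": "sig", "path": r"C:\Program Files\Common Files\Pulse Secure\dwmapi.dll",
     "signer": SIGNER, "status": "Valid"},
    {"type": "sig", "path": r"C:\Windows\System32\dwmapi.dll",
     "signer": "Microsoft Windows", "status": "Valid"},
]

if __name__ == "__main__":
    for tag in scan(RECORDS):
        print(tag)
```

    The suffix test in domain_matches is deliberate: matching on a bare substring would also fire on unrelated names that merely contain the indicator, while an exact-only match would miss subdomains of the attacker's sites.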

    Protection Recommendations

    Organizations should:

    • Enable cloud-delivered protection in Microsoft Defender Antivirus
    • Run endpoint detection and response (EDR) in block mode
    • Enable network protection and web protection so known malicious domains are blocked before the download completes
    • Enforce multi-factor authentication (MFA) on all VPN connections, so a harvested password alone cannot open a session; passwords entered into a suspect client should still be reset
    • Train employees to download software only from official vendor websites, and where possible distribute VPN clients through the organization's own software deployment channel so users never need to search for them
    • Monitor for unexpected VPN client installations (MSI writes to vendor-style paths such as %CommonFiles%\Pulse Secure that did not come from an approved package), for Windows DLL names such as dwmapi.dll loaded from an application directory, and for the associated registry modifications

    Why This Matters

    This campaign demonstrates how threat actors continue to exploit the implicit trust users place in search engine results and code-signed software. By targeting users actively seeking enterprise VPN solutions, attackers capitalize on urgency and trust in established brands. The sophisticated post-compromise behavior makes detection particularly challenging, as victims may never realize their credentials were stolen.

    Organizations relying on VPN infrastructure should immediately audit recent VPN client installations, confirm that every download originated from official vendor channels, and treat credentials entered into any client of unknown origin as compromised.

    Source: Microsoft Security Blog