CyberSecurity SEE

Storm-2561 Employs SEO Poisoning and Counterfeit VPN Apps to Acquire Enterprise Credentials

Threat Actor Storm-2561 Launches Credential Theft Campaign Using SEO Poisoning

A financially motivated threat actor tracked as Storm-2561 is running an ongoing credential theft campaign that pairs search engine optimization (SEO) poisoning with counterfeit, code-signed VPN installers to harvest enterprise VPN credentials from users who are simply looking for a legitimate client.

Active since May 2025, Storm-2561 exploits the trust users place in search results, in well-known VPN brand names, and in valid code-signing certificates. Trading on that trust, the group has distributed malware disguised as enterprise remote access clients, capturing the VPN credentials that the affected organizations rely on to gate access to their networks.

The attackers use SEO poisoning to push malicious pages to the top of search results for queries about legitimate VPN software. Users who click through are redirected to fake VPN download sites on actor-controlled domains such as vpn-fortinet[.]com and ivanti-vpn[.]org.

From these fake vendor pages, victims are sent on to a GitHub repository (since removed) that hosted a ZIP archive named VPN-CLIENT.zip. The archive contained a malicious MSI installer posing as a legitimate VPN client.

In mid-January 2026, Microsoft Defender Experts identified a new wave of Storm-2561 activity aimed at users seeking enterprise VPN clients such as Pulse Secure. The installers look like genuine VPN clients but deploy signed malicious components built to steal VPN credentials and sensitive configuration data.

On execution, the malicious MSI drops a component named Pulse.exe together with malicious Dynamic Link Libraries (DLLs) including dwmapi.dll and inspector.dll. The files land in a directory laid out to mimic a genuine Pulse Secure installation, typically under %CommonFiles%\Pulse Secure. dwmapi.dll is the name of a legitimate Windows system DLL; placing a file of that name beside Pulse.exe means the application directory copy is picked up ahead of the one in System32, the classic DLL side-loading setup.

The dropped dwmapi.dll acts as an in-memory loader: it runs embedded shellcode that in turn activates inspector.dll, a variant of the Hyrax information-stealing malware. Hyrax collects URI and VPN login details, including configuration data held in C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat, and exfiltrates it to an attacker-controlled command-and-control (C2) server at 194.76.226[.]93:8080.

Microsoft's analysis places Storm-2561's operations within a consistent playbook: SEO poisoning plus branded counterfeit software, monetized through the stolen credentials. A key enabler is the abuse of a legitimate code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd.; the certificate has since been revoked.

The group's installers and DLLs are all signed with this certificate, so they do not trigger the Windows warnings shown for unsigned code. That helps them slip past application allowlisting rules that trust any validly signed binary and reduces alerts from security controls tuned to flag unsigned executables. Revocation blunts this only on endpoints that actually check revocation status when validating the signature; hunting by signer name does not depend on that check.

Beyond the MSI and its DLLs, several other counterfeit VPN binaries, including Pulse.exe, Sophos-Connect-Client.exe, GlobalProtect-VPN.exe, VPN-Client.exe, and vpn.exe, were found signed with the same certificate, pointing to a broader distribution effort under one signing identity. This systematic abuse of code signing lends the fake installers a veneer of legitimacy that can mislead both users and security controls.

Once launched, the counterfeit client presents an interface closely resembling the legitimate Pulse Secure client and asks for VPN credentials. Rather than establishing a tunnel, it sends the entered credentials straight to the Storm-2561 C2 server and then displays a fabricated error claiming the installation failed, masking the theft.

To allay suspicion, the malware in some cases then opens the official vendor page so the victim can download the genuine client. The user ends up with a working VPN application and no obvious sign of compromise.

Microsoft Defender also surfaces anomalies from this chain, such as unexpected DLL side-loading by a VPN installer and changes to Windows autorun registry locations used for persistence. The redirection to the real vendor, combined with the authentic branding, leads users to put any problems down to ordinary technical glitches rather than to malware.

For persistence, the malware registers Pulse.exe under the Windows RunOnce registry key so that it launches again at the next startup or logon. RunOnce entries are removed once they execute, so this buys one additional run rather than durable persistence, which makes the autorun change a useful but short-lived forensic artifact.

Microsoft Defender Antivirus detects the malware tied to this campaign as Trojan:Win32/Malgent and TrojanSpy:Win64/Hyrax. Defender for Endpoint can block Malgent and Hyrax activity and alerts on VPN processes launched from suspicious locations.

To reduce exposure to this and similar credential theft campaigns, Microsoft recommends turning on cloud-delivered protection and Endpoint Detection and Response (EDR) in block mode, enabling network and web protection, enforcing multifactor authentication on all accounts, and preventing corporate credentials from being saved in personal browsers or password vaults. Organizations should also apply attack surface reduction rules that block low-prevalence executables and run advanced hunting queries for files signed by Taiyuan Lihua Near Information Technology Co., Ltd. and for suspicious DLL activity in Pulse Secure paths.
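The following Python script is an added example, not Microsoft's published hunting queries and not code from the campaign. It models the hunt recommended above, together with the infection chain described earlier (the abused signer, the side-loaded dwmapi.dll and inspector.dll under a Pulse Secure path, the RunOnce entry for Pulse.exe, and the 194.76.226[.]93:8080 C2 address), as rules over an invented endpoint telemetry schema. The event kinds and field names are assumptions made for this example, and the sample events are constructed, not real logs; the indicator values are the ones quoted in the article.

```python
"""Offline triage of constructed endpoint telemetry for Storm-2561-style tradecraft.

Added example (not Microsoft's hunting queries, not the malware's code).
The event schema below (event kinds, field names) is invented for this example.
"""
import json
import ntpath
from collections import defaultdict

# Indicators quoted in the write-up.
SUSPECT_SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."
C2_IP, C2_PORT = "194.76.226.93", 8080
SIDELOAD_DLLS = {"dwmapi.dll", "inspector.dll"}
# dwmapi.dll is a genuine Windows system DLL; a copy loaded from anywhere but the
# system directories is the side-loading tell.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path):
    """Normalise a Windows path for case-insensitive matching."""
    return path.replace("/", "\\").lower()


def classify(ev):
    """Return the list of rule names an event trips (empty if nothing matched)."""
    hits = []
    kind = ev.get("event")
    image = _norm(ev.get("image", ""))
    name = ntpath.basename(image)
    folder = ntpath.dirname(image) + "\\"

    if ev.get("signer") == SUSPECT_SIGNER:
        hits.append("revoked_signer")          # any file carrying the abused certificate
    if kind == "ImageLoad" and name == "dwmapi.dll" and not folder.startswith(SYSTEM_DIRS):
        hits.append("dll_sideload")            # system DLL name loaded from a non-system path
    if kind in ("ImageLoad", "FileCreate") and name in SIDELOAD_DLLS and "\\pulse secure\\" in folder:
        hits.append("pulse_path_dll")          # dwmapi.dll / inspector.dll under a Pulse Secure directory
    if (kind == "RegistryValueSet"
            and _norm(ev.get("key", "")).endswith("\\currentversion\\runonce")
            and "pulse.exe" in _norm(ev.get("data", ""))):
        hits.append("runonce_persistence")     # Pulse.exe registered under RunOnce
    if kind == "NetworkConnect" and ev.get("remote_ip") == C2_IP and ev.get("remote_port") == C2_PORT:
        hits.append("c2_connection")           # traffic to the quoted C2 endpoint
    return hits


def triage(events):
    """Group rule hits per host so one weak signal can be read alongside the others."""
    report = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for rule in classify(ev):
            subject = ev.get("image") or ev.get("key") or ev.get("remote_ip")
            report[ev["host"]][rule].append(subject)
    return {host: dict(rules) for host, rules in report.items()}


# Constructed sample telemetry (not real logs): one infected host (ws01), one clean host (ws02).
PULSE_DIR = "C:\\Program Files\\Common Files\\Pulse Secure\\"
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "FileCreate", "image": PULSE_DIR + "Pulse.exe",
     "signer": SUSPECT_SIGNER},
    {"host": "ws01", "event": "FileCreate", "image": PULSE_DIR + "dwmapi.dll",
     "signer": SUSPECT_SIGNER},
    {"host": "ws01", "event": "ImageLoad", "process": PULSE_DIR + "Pulse.exe",
     "image": PULSE_DIR + "dwmapi.dll", "signer": SUSPECT_SIGNER},
    {"host": "ws01", "event": "RegistryValueSet",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
     "value": "Pulse", "data": PULSE_DIR + "Pulse.exe"},
    {"host": "ws01", "event": "NetworkConnect", "process": PULSE_DIR + "Pulse.exe",
     "remote_ip": C2_IP, "remote_port": 8080},
    # Benign: the real dwmapi.dll loaded from System32, and ordinary HTTPS traffic.
    {"host": "ws02", "event": "ImageLoad", "process": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\dwmapi.dll", "signer": "Microsoft Windows"},
    {"host": "ws02", "event": "NetworkConnect", "process": "C:\\Windows\\explorer.exe",
     "remote_ip": "203.0.113.10", "remote_port": 443},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run on the sample, ws01 trips all five rules while ws02 produces no findings: the legitimate dwmapi.dll in System32 is deliberately not flagged, which is the distinction a production rule must preserve to avoid drowning in noise. The per-host grouping matters because "revoked_signer" alone is conclusive only while the certificate is known, whereas a side-loaded system DLL plus a RunOnce entry plus an outbound connection from the same process tells the story even after the actor rotates certificates and infrastructure.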

As organizations navigate the complex landscape of cybersecurity threats, the activities of Storm-2561 underscore the critical importance of vigilance and robust security measures to safeguard sensitive information against sophisticated malicious campaigns.
