Microsoft Warns of Fake VPN Installers Stealing Enterprise Credentials

SEO poisoning and fake VPN installers hosted on GitHub used to harvest enterprise VPN credentials

Published on Mar 16, 2026

Microsoft Identifies Credential Theft Campaign By Storm-2561

Security researchers at Microsoft have uncovered an ongoing credential theft campaign attributed to the threat actor Storm-2561, which uses search engine manipulation and fake VPN installers to compromise enterprise credentials.

According to an analysis published by Microsoft Threat Intelligence last week, the financially motivated group has been active since May 2025 and relies heavily on search engine optimization (SEO) poisoning to lure victims.

Users searching online for legitimate enterprise VPN software are redirected to attacker-controlled websites that closely mimic trusted vendor pages.

These sites host malicious ZIP downloads containing trojanized installers designed to resemble legitimate VPN clients. In several observed cases, the downloads were hosted on repositories at GitHub before being removed.

Microsoft researchers say the approach targets users at a moment of high trust, when they are actively looking for official enterprise tools.

Fake VPN Installers Deliver Infostealer Malware

The attack chain begins when a victim clicks a search result that redirects them to spoofed domains impersonating VPN vendors such as Fortinet or Ivanti. These sites prompt users to download a VPN client, which is actually a malicious Windows installer packaged in a ZIP archive.

Once launched, the installer drops files into the directories that legitimate VPN clients normally use. During installation it side-loads malicious dynamic link library (DLL) files, which deploy an infostealer variant known as Hyrax.

The fake VPN client then presents a login interface designed to look identical to the legitimate software. When victims try to log in, the malware captures usernames, passwords, and VPN configuration data, transmitting them to attacker-controlled command-and-control infrastructure.

For persistence, the malware adds a RunOnce registry entry so that the malicious executable is launched again after the system reboots. RunOnce values execute once at the next logon and are then deleted, so this survives a single restart rather than establishing permanent persistence; the short-lived registry value is nevertheless a useful artifact to hunt for.

Microsoft also found that the attackers signed the malicious installers with a legitimate code-signing certificate, which has since been revoked. A valid signature avoids the "unknown publisher" warning Windows shows for unsigned executables and can satisfy application allowlisting rules that trust by publisher rather than by file hash. Revocation only helps where endpoints actually check CRL or OCSP status, and a timestamped signature made before the revocation date can still validate unless the certificate authority backdates the revocation.
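The three behaviours described above, a signed installer side-loading an unsigned DLL from its own directory, a RunOnce value pointing into a user-writable path, and a signed file whose certificate no longer validates because it was revoked, are the artifacts an endpoint team can hunt for. The Python triage script below is an added example and is not Microsoft's detection logic or anything from the report: it runs three rules over a handful of constructed Sysmon-style records (Event ID 7 image-loaded and Event ID 13 registry value-set events). The event records, file names, paths, the "ExampleVPN" vendor and the "Revoked"/"Expired" status strings are constructed assumptions for illustration, and the user-writable directory list is a starting heuristic to tune for your estate.

```python
"""Triage constructed Sysmon-style events for the fake-VPN-installer chain.

Added example, not Microsoft's detection logic. Field names follow Sysmon
(EventID 7 ImageLoaded, EventID 13 RegistryEvent SetValue) but every record,
path and status string below is constructed for illustration.
"""
import ntpath
import re

# Directories a standard user can write to. An "installer" that runs,
# side-loads or persists from here rather than Program Files is the core
# heuristic (assumption: extend the list for your environment).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# Pulls the executable path out of a quoted or unquoted autorun command line.
EXE_PATH = re.compile(r'^"?([a-z]:\\[^"]+?\.exe)', re.IGNORECASE)


def user_writable(path):
    return bool(USER_WRITABLE.match(path or ""))


def rule_runonce_from_user_path(ev):
    """EventID 13: Run/RunOnce value whose command lives in a user-writable path."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if "\\currentversion\\runonce\\" not in target and "\\currentversion\\run\\" not in target:
        return None
    m = EXE_PATH.match(ev.get("Details", ""))
    if m and user_writable(m.group(1)):
        return f"autorun value {ev['TargetObject']} -> {m.group(1)}"
    return None


def rule_sideload_from_own_dir(ev):
    """EventID 7: a process running from a user-writable directory loads a DLL
    from that same directory which is unsigned or whose signature is not Valid.
    The user-writable condition keeps this quiet on properly installed software."""
    if ev.get("EventID") != 7:
        return None
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return None
    if ntpath.dirname(image).lower() != ntpath.dirname(loaded).lower():
        return None
    if not user_writable(image):
        return None
    if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
        return None
    return f"{ntpath.basename(image)} loaded {loaded} (status {ev.get('SignatureStatus', '?')})"


def rule_signed_but_not_valid(ev):
    """EventID 7: image that carries a signature whose chain no longer validates.
    Only fires if the endpoint actually checked revocation when logging."""
    if ev.get("EventID") != 7 or ev.get("Signed") != "true":
        return None
    status = ev.get("SignatureStatus", "")
    if status in ("Revoked", "Expired"):  # assumed status strings
        return f"{ev['ImageLoaded']} signed by {ev.get('Signature')} but {status}"
    return None


RULES = (rule_runonce_from_user_path, rule_sideload_from_own_dir, rule_signed_but_not_valid)


def triage(events):
    """Return (rule_name, detail) for every rule hit, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, hit))
    return alerts


# Constructed events approximating the chain in the article.
DL = r"C:\Users\alice\Downloads\VPNClient"
EVENTS = [
    # signed installer loads an unsigned helper DLL from the extracted ZIP folder
    {"EventID": 7, "Image": DL + r"\vpnclient-setup.exe", "ImageLoaded": DL + r"\vpnhelper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # the same installer loading a system DLL: benign
    {"EventID": 7, "Image": DL + r"\vpnclient-setup.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # installer copies itself under AppData and registers a RunOnce value
    {"EventID": 13, "Image": DL + r"\vpnclient-setup.exe", "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\VPNClient",
     "Details": r'"C:\Users\alice\AppData\Local\VPNClient\vpnclient.exe" /quiet'},
    # a DLL signed with a certificate that has since been revoked
    {"EventID": 7, "Image": DL + r"\vpnclient-setup.exe", "ImageLoaded": DL + r"\vpncore.dll",
     "Signed": "true", "Signature": "Example Signing Co", "SignatureStatus": "Revoked"},
    # legitimately installed vendor client in Program Files: benign on every rule
    {"EventID": 13, "Image": r"C:\Program Files\ExampleVPN\vpnclient.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleVPN",
     "Details": r'"C:\Program Files\ExampleVPN\vpnclient.exe" /tray'},
    {"EventID": 7, "Image": r"C:\Program Files\ExampleVPN\vpnclient.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVPN\vpncore.dll",
     "Signed": "true", "Signature": "Example VPN Vendor", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for name, detail in triage(EVENTS):
        print(f"[{name}] {detail}")
```

The same three rules translate directly into EDR or SIEM queries. The side-load rule is deliberately restricted to processes running from user-writable directories so that it stays quiet on software installed under Program Files; when investigating a specific host, drop that condition and review every unsigned DLL a signed process loads from its own directory.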

After harvesting credentials, the malware shows an error message and redirects users to download the real VPN client from the vendor’s official site. This tactic reduces suspicion because the legitimate software ultimately works as expected.

Microsoft recommended that organizations deploy endpoint detection and response (EDR) and enforce multi-factor authentication (MFA). Turning on web protection features is also advised, to help detect and block similar attacks. MFA limits what a stolen VPN password is worth on its own, although the harvested VPN configuration data still tells the attacker exactly which gateway and account to target, so credentials entered into a suspected fake client should be treated as compromised.