
Fake enterprise VPN downloads used to steal company credentials

Published:

13 March 2026 at 13:23:28

Alert date:

13 March 2026 at 14:01:37

Source:

bleepingcomputer.com


Network Infrastructure, Ransomware & Malware, Identity & Access, Data Breach & Exfiltration

Threat actor Storm-2561 is distributing fake enterprise VPN clients that impersonate Ivanti, Cisco and Fortinet in order to steal corporate VPN credentials. The lures are convincing fake download sites for popular VPN products, placed in front of enterprise users who search for those installers. Because a working VPN credential is a direct path into the corporate network, this active credential theft operation can lead to significant breaches. The attack relies on social engineering, trading on the trust users place in their VPN vendor. Organizations using these products should verify where their installers come from and apply the measures listed below.

Technical details

Storm-2561 uses SEO poisoning to push fake vendor download pages to the top of search results for VPN client download queries. A victim who lands on one of these pages receives a ZIP archive, hosted on GitHub, that contains a fake VPN MSI installer. When executed, the installer writes Pulse.exe into %CommonFiles%\Pulse Secure and drops a loader (dwmapi.dll) and a variant of the Hyrax infostealer (inspector.dll) alongside it. dwmapi.dll is also the name of a legitimate Windows system library, so a copy placed next to the executable is the usual setup for DLL side-loading; the path, not the filename, is what to hunt for. The binaries are signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd. that has since been revoked, so a signature check that includes revocation will reject them. The malware shows a fake VPN login window to capture the credentials the user types, reads VPN configuration data from the connectionsstore.dat file, then displays a bogus installation error and redirects the user to the legitimate vendor site so nothing looks amiss. It persists through a Windows RunOnce registry key.

Mitigation steps:

Enable cloud-delivered protection in Microsoft Defender Antivirus
Run EDR in block mode
Enforce multi-factor authentication on VPN and other remote-access logins, so a stolen password alone is not enough
Use browsers with SmartScreen enabled to block known malicious download pages
Load Microsoft's published indicators of compromise (IoCs) and hunting guidance to detect and block this campaign early
Download VPN clients only from the vendor's own portal, never from a search result, and check the installer's Authenticode signature and certificate revocation status before running it
Treat any VPN credentials typed into a suspicious installer as compromised: reset them and review VPN logs for logins from unfamiliar sources
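Added here as a worked example of the hunting and verification steps above (the artifacts in the technical details and the signature check in the mitigation list); this is not code from the advisory, BleepingComputer, Microsoft or any VPN vendor. It assumes the file names, drop folder, signer name and RunOnce persistence exactly as the advisory states them, the standard Windows RunOnce keys, PowerShell 5.1 or later, network access to the CA's CRL/OCSP endpoints for the revocation check, and an elevated session for HKLM. Test-SignerRevoked and the -InstallerPath parameter are names chosen for this example.

```powershell
<#
  Example hunt script for the Storm-2561 fake VPN installer artifacts.
  Assumptions (not from the advisory): PowerShell 5.1+, elevated session for HKLM,
  outbound access to CRL/OCSP endpoints so revocation can actually be checked.
#>
using namespace System.Security.Cryptography.X509Certificates

[CmdletBinding()]
param(
    # Optional: a downloaded VPN installer (.msi/.exe) to vet before it is ever run.
    [string]$InstallerPath
)

# Helper name chosen for this example. Get-AuthenticodeSignature alone may still report
# Valid for a revoked signer depending on host settings, so build the chain ourselves
# with online revocation and record whether revocation was really checked.
function Test-SignerRevoked {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ Path = $Path; Status = [string]$sig.Status; Subject = $null
                          Revoked = $false; RevocationUnknown = $false }
    if ($sig.SignerCertificate) {
        $result.Subject = $sig.SignerCertificate.Subject
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
        $null = $chain.Build($sig.SignerCertificate)
        $flags = $chain.ChainStatus | ForEach-Object Status
        $result.Revoked = [bool]($flags | Where-Object { $_.HasFlag([X509ChainStatusFlags]::Revoked) })
        $result.RevocationUnknown = [bool]($flags | Where-Object {
            $_.HasFlag([X509ChainStatusFlags]::RevocationStatusUnknown) -or
            $_.HasFlag([X509ChainStatusFlags]::OfflineRevocation) })
    }
    [pscustomobject]$result
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Drop location from the advisory. dwmapi.dll is a legitimate System32 library, so
#    only a copy inside this folder (the side-loading position) counts as suspicious.
$dropDir = Join-Path $env:CommonProgramFiles 'Pulse Secure'
foreach ($name in 'Pulse.exe', 'dwmapi.dll', 'inspector.dll') {
    $file = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $file) {
        $findings.Add("Dropped file present: $file")
        $sigInfo = Test-SignerRevoked -Path $file
        if ($sigInfo.Subject -match 'Taiyuan Lihua') { $findings.Add("Signed by the advisory's signer: $file") }
        if ($sigInfo.Revoked) { $findings.Add("Signer certificate is revoked: $file") }
    }
}

# 2. RunOnce persistence. HKCU covers only the current user; walk HKU:\ for other profiles.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
        if ([string]$prop.Value -match 'Pulse Secure|Pulse\.exe|inspector\.dll|dwmapi\.dll') {
            $findings.Add("RunOnce entry ${key}\$($prop.Name) -> $($prop.Value)")
        }
    }
}

# 3. Vet a downloaded installer before executing it: anything short of a clean chain
#    with revocation actually checked means "do not run".
if ($InstallerPath) {
    $sigInfo = Test-SignerRevoked -Path $InstallerPath
    if ($sigInfo.Status -ne 'Valid' -or $sigInfo.Revoked -or $sigInfo.RevocationUnknown) {
        $findings.Add("Installer $InstallerPath is not trustworthy: status=$($sigInfo.Status) revoked=$($sigInfo.Revoked) revocationUnknown=$($sigInfo.RevocationUnknown)")
    } elseif ($sigInfo.Subject -match 'Taiyuan Lihua') {
        $findings.Add("Installer $InstallerPath is signed by the signer named in the advisory")
    } else {
        $findings.Add("Installer $InstallerPath chains cleanly; signer: $($sigInfo.Subject)")
    }
}

if ($findings.Count -eq 0) { 'No indicators from this advisory found on this host.' } else { $findings }
```

Run it as-is to sweep a host, or with -InstallerPath to vet a download before double-clicking it. A clean signer subject is not enough on its own: the revoked certificate in this campaign was a genuinely issued one, which is why the script insists on revocation being checked online and refuses an installer whose chain reports RevocationStatusUnknown or OfflineRevocation. The RunOnce sweep reads HKLM and the current user's hive only; on shared machines enumerate the other SIDs under HKU:\ as well.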

Affected products (brands impersonated by the fake download sites; no vulnerability in the legitimate clients is involved):

Ivanti VPN clients
Cisco VPN clients
Fortinet VPN clients
Pulse VPN
Pulse Secure
Sophos VPN
Sonicwall VPN
Check Point VPN
WatchGuard VPN

Related links:

Related CVEs:

Related threat actors:

Storm-2561

IOCs:

Pulse.exe in %CommonFiles%\Pulse Secure
dwmapi.dll in %CommonFiles%\Pulse Secure (loader; match on the path, not the filename alone, since dwmapi.dll is also a legitimate Windows system library)
inspector.dll in %CommonFiles%\Pulse Secure (Hyrax infostealer variant)
Reads of connectionsstore.dat (the VPN configuration store the stealer targets; the file itself exists on legitimate installs)
Code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd. (revoked)
Persistence entry under a Windows RunOnce registry key

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
