
Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials

Published:

13 March 2026 at 13:38:00

Alert date:

13 March 2026 at 15:01:18

Source:

thehackernews.com


Ransomware & Malware, Identity & Access, Data Breach & Exfiltration

Microsoft disclosed a credential theft campaign by Storm-2561 that uses SEO poisoning to distribute fake VPN clients. Users searching for legitimate enterprise VPN software are redirected to attacker-controlled websites hosting ZIP archives that carry a trojanized installer. The trojans are digitally signed and masquerade as trusted VPN clients in order to steal the user's VPN credentials. This is an active threat that reaches enterprise users through poisoned search results.

Technical details

Storm-2561 poisons search results for legitimate enterprise VPN clients so that users land on attacker-controlled sites (one observed domain: ivanti-vpn[.]org) offering a ZIP archive instead of the vendor's download. The archive contains an MSI installer, hosted in GitHub repositories, that sideloads a malicious DLL during installation. The installer then shows a fake VPN sign-in dialog to capture the user's VPN username and password, followed by an error message telling the user to download the legitimate VPN client, so the failed "install" looks like an ordinary download problem rather than a theft. The malware persists through the Windows RunOnce registry key and drops a variant of the Hyrax information stealer. The malicious components are digitally signed by 'Taiyuan Lihua Near Information Technology Co., Ltd.', so a valid Authenticode signature by itself does not distinguish them from the genuine client; the signer name does.

Mitigation steps:

Enforce multi-factor authentication on all accounts, including VPN access, so that a stolen username and password alone do not grant entry
Download VPN clients only from the vendor's own site or an internal software repository, never from a search-engine result, and confirm the download is genuine before running it
Check the Authenticode signature of any installer before execution and confirm the signer is the vendor you expect; the trojans in this campaign are signed, but under a different name
Use the IOCs below (the domain, the signer name, RunOnce modifications) as hunting leads on endpoints that recently installed a VPN client
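The two checks that follow are an added example and are not part of the advisory, Microsoft's report, or any vendor's tooling. The first implements the "verify the signer, not just the signature" mitigation for a freshly downloaded installer; the second hunts for the persistence and signer IOCs from the technical details by walking the RunOnce keys and inspecting each target's Authenticode signature. The signer string is the one from the IOC list; the vendor subject fragments, the installer path and the thumbprint parameter are assumptions made for illustration.

```powershell
# Added example: verify a downloaded VPN installer's signer and hunt RunOnce
# entries for the Storm-2561 signer IOC. Not the advisory's or any vendor's code.

# Signer name taken from the advisory's IOC list.
$IocSigner = 'Taiyuan Lihua Near Information Technology Co., Ltd.'

# ASSUMED subject fragments per impersonated vendor. Take the real subject (and
# thumbprint) from a known-good installer fetched from the vendor's own site.
$ExpectedSigners = @{
    'SonicWall'     = 'SonicWall'
    'Ivanti'        = 'Ivanti'
    'Hanwha Vision' = 'Hanwha Vision'
}

function Test-VendorSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubjectFragment,
        [string]$ExpectedThumbprint   # optional: pin the leaf cert seen on a known-good installer
    )
    $Sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $Subject = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }
    $Thumb   = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Thumbprint } else { '' }
    $Result  = [pscustomobject]@{
        Path    = $Path
        Status  = $Sig.Status      # Valid / NotSigned / HashMismatch / ...
        Subject = $Subject
        Verdict = 'REJECT'
    }
    # A valid chain is necessary but not sufficient: the trojan is also validly
    # signed. The decision rests on WHO signed, and on the pinned thumbprint if given.
    if ($Sig.Status -eq 'Valid' -and
        $Subject -like "*$ExpectedSubjectFragment*" -and
        $Subject -notlike "*$IocSigner*" -and
        (-not $ExpectedThumbprint -or $Thumb -eq $ExpectedThumbprint)) {
        $Result.Verdict = 'OK'
    }
    return $Result
}

function Find-SuspiciousRunOnce {
    $Keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($Key in $Keys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($Name in $Props.PSObject.Properties.Name) {
            if ($Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
            $Cmd = [string]$Props.$Name
            # Executable from `"C:\dir with spaces\app.exe" /arg` or `C:\dir\app.exe /arg`.
            $Target = if ($Cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                      elseif ($Cmd -match '^\s*(\S+)') { $Matches[1] }
                      else { $null }
            if ($Target) { $Target = [Environment]::ExpandEnvironmentVariables($Target) }
            $Reason = $null
            if (-not $Target -or -not (Test-Path -LiteralPath $Target)) {
                $Reason = 'target not found on disk'
            } else {
                $Sig     = Get-AuthenticodeSignature -LiteralPath $Target
                $Subject = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }
                if ($Subject -like "*$IocSigner*")  { $Reason = 'signed by IOC signer' }
                elseif ($Sig.Status -ne 'Valid')   { $Reason = "signature status $($Sig.Status)" }
            }
            if ($Reason) {
                [pscustomobject]@{ Key = $Key; Name = $Name; Command = $Cmd; Reason = $Reason }
            }
        }
    }
}

# Usage (installer path is an assumption):
Test-VendorSignature -Path "$env:USERPROFILE\Downloads\vpn-client-installer.msi" `
                     -ExpectedSubjectFragment $ExpectedSigners['SonicWall']
Find-SuspiciousRunOnce | Format-Table -AutoSize
# Cheap network-side lead: the IOC domain in the local resolver cache (DnsClient module).
Get-DnsClientCache | Where-Object { $_.Entry -like '*ivanti-vpn.org*' }
```

Run the hunt from an elevated session so the HKLM keys and binaries under Program Files are readable; run the signer check on the downloaded file before double-clicking it, since Get-AuthenticodeSignature verifies MSI and EXE files alike. Matching on a subject fragment is deliberately loose so the script works across vendors; for a production control, pin the thumbprint from a known-good installer via -ExpectedThumbprint instead.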

Affected products:

SonicWall VPN clients
Hanwha Vision software
Pulse Secure VPN client (now Ivanti Secure Access Client)

Related links:

None listed.

Related CVEs:

None listed; the campaign relies on SEO poisoning and a trojanized installer rather than on a product vulnerability.

Related threat actors:

Storm-2561

IOCs:

ivanti-vpn[.]org (distribution domain)
Taiyuan Lihua Near Information Technology Co., Ltd. (digital signature on the malicious components)
Hyrax information stealer variant
Windows RunOnce registry key modifications (persistence)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the correctness, completeness or timeliness of this information.
