Storm-2561 targets enterprise VPN users with SEO poisoning, fake clients

Microsoft has warned enterprises that cybercriminal group Storm-2561 is hijacking search engine results to serve trojanized VPN clients, stealing corporate credentials, and then covering its tracks before victims suspect anything is wrong.

The group pushes spoofed websites to the top of results for queries such as “Pulse VPN download” or “Pulse Secure client,” redirecting users to digitally signed malware hosted on GitHub, Microsoft Threat Intelligence said in an advisory. “The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information,” the advisory said.

Microsoft Defender Experts first detected the activity in mid-January 2026, though the threat actor has been active since May 2025 and is known for distributing malware through search engine optimization (SEO) poisoning and impersonating popular enterprise software vendors, the advisory said.

The campaign comes as infostealers grow more dangerous. Security researchers have noted that infostealers are increasingly paired with remote access trojans, giving attackers both stolen credentials and persistent network access from a single infection. Storm-2561 follows that pattern precisely.

Inside the attack chain

Microsoft observed fake pages impersonating Fortinet, Ivanti, Cisco, SonicWall, Sophos, Checkpoint, and WatchGuard, along with two domains — vpn-fortinet[.]com and ivanti-vpn[.]org — hosting malicious ZIP files on GitHub, the advisory said.

The malware itself arrives as a ZIP file containing a Windows Installer package. When a user launches the downloaded installer, it drops a fake Pulse Secure application into a directory that closely mimics a legitimate Pulse Secure installation path, Microsoft said.

“This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion,” the advisory noted. The installer side-loads two malicious DLL files alongside the fake application. One acts as an in-memory loader. The other, inspector.dll, is a variant of the Hyrax infostealer. It extracts stored VPN credentials and URI data and exfiltrates them to attacker-controlled infrastructure, the advisory added.

“The malicious ZIP files that contain fake installer files are hosted on GitHub repositories, which have since been taken down,” the advisory noted.

The delivery method closely resembles tactics seen in recent campaigns. In August 2025, researchers at Arctic Wolf uncovered GPUGate malware distributed via GitHub repositories and Google Ads, using MSI-packaged payloads and credential exfiltration in a near-identical delivery chain, suggesting threat actors are converging on a common playbook.

Signed certificates used to evade detection

The MSI file and malicious DLLs are signed with a valid digital certificate from “Taiyuan Lihua Near Information Technology Co., Ltd.,” Microsoft said. It allowed the malware to bypass Windows security warnings for unsigned code, potentially circumvent application whitelisting policies, and reduce alerts from tools focused on unsigned executables.

That certificate has since been revoked, the advisory added.

Microsoft identified several additional files signed with the same certificate, all masquerading as VPN software from different vendors.

Attackers cover their tracks after credential theft

After capturing the credentials, the fake client displays an error message indicating that installation has failed, the advisory said. It then directs the user to download the legitimate VPN client from the official vendor site. “In certain instances, opens the user’s browser to the legitimate VPN website,” Microsoft said. If the real VPN client installs and works as expected, the victim has no indication of compromise.

Storm-2561 also establishes persistence through the Windows RunOnce registry key, ensuring the malware runs on every reboot, the advisory noted. The post-credential redirection strategy eliminates behavioral anomalies that might otherwise trigger a security review. SEO poisoning campaigns have long relied on misdirection to avoid leaving forensic footprints. Storm-2561 takes that further by redirecting victims to legitimate software after the theft, leaving no obvious trace of compromise.
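As an added example (not from Microsoft's advisory), the following hunting logic turns the behaviours described above into checks a defender can run over endpoint telemetry: a RunOnce value pointing at a VPN-branded executable outside the normal Program Files install roots, a side-loaded inspector.dll from such a directory, and any binary signed by the revoked campaign certificate. The event records and field names are constructed and Sysmon-like, and the "trusted install roots" list is an assumption, not something the advisory specifies.

```python
"""Hunting checks for the Storm-2561 fake-VPN-client tradecraft (constructed events)."""
import re

# Signer subject named in the advisory; the certificate is reported revoked.
REVOKED_SIGNERS = {"Taiyuan Lihua Near Information Technology Co., Ltd."}
# Vendor brands the campaign impersonated, per the advisory.
VPN_BRANDS = ("pulse", "fortinet", "ivanti", "cisco", "sonicwall", "sophos", "checkpoint", "watchguard")
# Assumption: legitimate VPN clients install under these roots; a VPN-branded
# binary living anywhere else is treated as a look-alike installation path.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
RUNONCE_KEY = re.compile(r"\\currentversion\\runonce\\", re.I)


def path_is_lookalike(path: str) -> bool:
    """True when a path carries a VPN vendor brand but sits outside the trusted roots."""
    p = path.lower()
    return any(brand in p for brand in VPN_BRANDS) and not p.startswith(TRUSTED_ROOTS)


def evaluate(event: dict) -> list[str]:
    """Return the detection names an event triggers (empty list = nothing of note)."""
    hits = []
    kind = event.get("type")
    # RunOnce persistence whose target is a VPN-branded executable in an odd location.
    if kind == "registry_set" and RUNONCE_KEY.search(event.get("key", "")) \
            and path_is_lookalike(event.get("value", "")):
        hits.append("runonce-persistence-from-lookalike-vpn-path")
    # inspector.dll (the Hyrax infostealer variant) loaded from a look-alike directory.
    if kind == "image_load":
        image = event.get("image", "").lower()
        if image.endswith("\\inspector.dll") and path_is_lookalike(image):
            hits.append("hyrax-infostealer-dll-sideload")
    # Any artefact signed with the certificate tied to the campaign.
    if event.get("signer") in REVOKED_SIGNERS:
        hits.append("revoked-campaign-signer")
    return hits


# Constructed sample telemetry, not real captures; the AppData path is illustrative only.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\PulseSecure",
     "value": r"C:\Users\alice\AppData\Local\Pulse Secure\PulseSecure.exe"},
    {"type": "image_load",
     "process": r"C:\Users\alice\AppData\Local\Pulse Secure\PulseSecure.exe",
     "image": r"C:\Users\alice\AppData\Local\Pulse Secure\inspector.dll",
     "signer": "Taiyuan Lihua Near Information Technology Co., Ltd."},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, ev in enumerate(SAMPLE_EVENTS):
        print(idx, evaluate(ev))
```

The signer check is the most brittle of the three: once the certificate is revoked, a signed-but-revoked binary still passes a naive "is it signed" filter, so match on the subject name rather than on signature validity alone.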

Mitigations

Microsoft recommended organizations enforce multifactor authentication on all accounts without exception. Enterprise credentials should not be stored in browser-based password vaults secured with personal credentials. Organizations should also disable browser password syncing on managed devices through Group Policy, the advisory added.

On the endpoint side, Microsoft advised running endpoint detection and response in block mode and enabling network protection and web protection in Microsoft Defender for Endpoint. “Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware,” the advisory said.
