Csoonline
Storm-2561 Targets VPN Users with SEO Poisoning and Fake Clients
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Cybercriminal group Storm-2561 is exploiting SEO poisoning to distribute trojanized VPN clients, primarily targeting enterprise users of popular VPN solutions like Pulse Secure, Ivanti, and Cisco. The attackers manipulate search engine results to redirect users to spoofed sites that closely mimic legitimate VPN vendors, leading to the download of a malicious ZIP file containing a fake MSI installer. This installer drops a fake application and a variant of the Hyrax infostealer, which captures and exfiltrates VPN credentials and configuration data. The malware is signed with a valid certificate from Taiyuan Lihua Near Information Technology Co., Ltd., allowing it to bypass security warnings. Microsoft first detected this activity in January 2026, although the group has been active since May 2025. The campaign highlights the increasing sophistication of infostealers, which are now often paired with remote access trojans. Microsoft has provided mitigation guidance and indicators of compromise to help organizations defend against this threat.
Key Points: • Storm-2561 uses SEO poisoning to distribute fake VPN clients that steal credentials. • The malware is signed with a legitimate certificate, allowing it to evade detection. • Microsoft has issued warnings and mitigation strategies for affected organizations.