Storm-2561 Targets VPN Users with SEO Poisoning and Fake Clients

Storm-2561 Targets VPN Users with SEO Poisoning and Fake Clients

First seen 13 Mar 2026, 09:13 UTC Blogs.MicrosoftCsoonlineGbhackersBleepingcomputerTheregister+4 85% similarity 70.5

Article Content

Browse articles
ThreatCluster

Cybercriminal group Storm-2561 is exploiting SEO poisoning to distribute trojanized VPN clients, primarily targeting enterprise users of popular VPN solutions like Pulse Secure, Ivanti, and Cisco. The attackers manipulate search engine results to redirect users to spoofed sites that closely mimic legitimate VPN vendors, leading to the download of a malicious ZIP file containing a fake MSI installer. This installer drops a fake application and a variant of the Hyrax infostealer, which captures and exfiltrates VPN credentials and configuration data. The malware is signed with a valid certificate from Taiyuan Lihua Near Information Technology Co., Ltd., allowing it to bypass security warnings. Microsoft first detected this activity in January 2026, although the group has been active since May 2025. The campaign highlights the increasing sophistication of infostealers, which are now often paired with remote access trojans. Microsoft has provided mitigation guidance and indicators of compromise to help organizations defend against this threat.

Key Points: • Storm-2561 uses SEO poisoning to distribute fake VPN clients that steal credentials. • The malware is signed with a legitimate certificate, allowing it to evade detection. • Microsoft has issued warnings and mitigation strategies for affected organizations.

ThreatCluster AI

Timeline

2025-05-01
Storm-2561 group becomes active
2026-01-15
Microsoft detects Storm-2561 activity
2026-03-13
Microsoft issues advisory on Storm-2561 campaign

Community

Browse all →