Storm-2561’s Credential Harvesting via Fake VPN Installers


In mid-January 2026, Microsoft identified a campaign by Storm-2561 (active since May 2025) targeting users seeking legitimate enterprise VPN software. The actor uses SEO poisoning to drive traffic to spoofed websites that distribute a variant of the Hyrax infostealer. The campaign is notable for its use of revoked digital certificates and a sophisticated redirection strategy to avoid post-infection detection.

Severity: High

Threat Actor

  • Actor Name: Storm-2561.
  • Motivation: Financial.
  • Operational History: Active since May 2025; known for SEO poisoning and vendor impersonation.
  • Targeting: Users searching for enterprise software, specifically VPN clients.

Technical Analysis: The Attack Chain

The “search-to-stolen-credentials” chain follows these primary stages:

  1. Initial Access: Users searching for terms like “Pulse VPN download” are directed via poisoned search results to actor-controlled domains such as vpn-fortinet[.]com or ivanti-vpn[.]org.
  2. Delivery: Clicking “Download” triggers a ZIP file download hosted on GitHub (e.g., VPN-CLIENT.zip).
  3. Execution: The ZIP contains a malicious MSI that installs two DLLs intended for side-loading, dwmapi.dll and inspector.dll, into a legitimate-looking directory, %CommonFiles%\Pulse Secure.
  4. Payload: dwmapi.dll acts as a loader for Hyrax, an infostealer that harvests VPN configuration data and user credentials.
  5. Persistence: The installer adds pulse.exe to the Windows RunOnce registry key, so the payload is launched again at the next logon after a reboot.
  6. Exfiltration: Data is transmitted to C2 infrastructure (194.76.226[.]93:8080) via HTTP POST requests.

Key Evasion & Legitimacy Tactics

  • Code Signing: Malicious binaries were signed with a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.” so that they would not trigger the warnings shown for unsigned installers.
  • Path Masquerading: Malware is installed in directories mirroring real Pulse Secure installations to blend in with trusted software.
  • Social Engineering Redirection: After stealing credentials, the fake installer displays a bogus error message and redirects the user to the official vendor website to download the real client. Because the genuine client then works, the user typically writes off the first failure as a minor glitch and never reports it.

Recommendations

  1. Ensure employees download VPN clients only from official vendor websites or internal software portals.
  2. Block downloads of software installers from untrusted sources such as public GitHub repositories or unknown domains.
  3. Implement application allowlisting so only approved software can run.
  4. Enforce Multi-Factor Authentication (MFA) for all VPN and enterprise accounts.
  5. Use conditional access policies to restrict VPN logins from unknown devices or locations.
  6. Monitor for VPN authentication attempts from unusual geographies or impossible travel patterns.
  7. Use browser protections such as Microsoft SmartScreen or equivalent safe browsing tools.
  8. Look for unexpected DLL loading within VPN software folders. Monitor for suspicious files such as pulse.exe, dwmapi.dll, or inspector.dll appearing in %CommonFiles%\Pulse Secure or similar enterprise VPN software directories.
  9. Monitor the Windows RunOnce registry key for unauthorized additions, as this is a primary persistence mechanism for the pulse.exe malware.
  10. Disable browser password storage for corporate credentials. Prevent syncing enterprise credentials to personal accounts. Use enterprise password managers instead of browser storage.
  11. Block the IOCs at their respective controls (file hashes in EDR, domains and the download URL on the web proxy and DNS resolver, the C2 IP on the perimeter firewall). The full collection is available at:
    https://www.virustotal.com/gui/collection/f120925a350a7875dd8a3ba2b406881dbe29f1b0afc88fdd21a6d4387f1361f9/iocs
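The host-side checks in recommendations 8, 9 and 11 can be combined into a single triage script. The script below is an added example written for this advisory; it is not tooling from Microsoft or Ampcus Cyber. It assumes the 32-bit Common Files tree and the WOW6432Node RunOnce key are also worth inspecting (the advisory names only %CommonFiles%\Pulse Secure and "the RunOnce key"), and it uses the hashes, file names, signer name and C2 address exactly as listed on this page.

```powershell
# Added host-triage script for the Storm-2561 artefacts described above. Example code
# written for this advisory, not tooling from Microsoft or Ampcus Cyber.
# Run in an elevated PowerShell session on a Windows host; it only reads, never deletes.
# Assumptions not stated in the advisory: the 32-bit Common Files tree and the
# WOW6432Node RunOnce key are checked too.

$KnownBadSha256 = @(   # SHA-256 values copied from the IOC section of this advisory
    '57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f',
    '862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557',
    '6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6',
    '6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca',
    '85c4837e3337165d24c6690ca63a3274dfaaa03b2ddaca7f1d18b3b169c6aac1',
    '98f21b8fa426fc79aa82e28669faac9a9c7fce9b49d75bbec7b60167e21963c9',
    'cfa4781ebfa5a8d68b233efb723dbde434ca70b2f76ff28127ecf13753bfe011',
    '26db3fd959f12a61d19d102c1a0fb5ee7ae3661fa2b301135cdb686298989179',
    '44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8',
    'eb8b81277c80eeb3c094d0a168533b07366e759a8671af8bfbe12d8bc87650c9',
    '8ebe082a4b52ad737f7ed33ccc61024c9f020fd085c7985e9c90dc2008a15adc'
)
$SuspectNames = @('pulse.exe', 'dwmapi.dll', 'inspector.dll')
$C2Address    = '194.76.226.93'
$SignerHint   = 'Taiyuan Lihua'      # substring of the signer named in the advisory

function Invoke-Storm2561Hunt {
    $findings = New-Object 'System.Collections.Generic.List[object]'

    # 1. Dropped files in the look-alike install directory (64-bit and 32-bit Common Files).
    $dirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { Join-Path $_ 'Pulse Secure' }
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $SuspectNames -contains $_.Name.ToLowerInvariant() } |
            ForEach-Object {
                $hash    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
                $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # A 'Valid' status is not a clean bill of health: a certificate revoked after
                # signing can still chain locally, so the signer name is flagged as well.
                $findings.Add([pscustomobject]@{
                    Check  = 'SuspectFile'
                    Item   = $_.FullName
                    Detail = "sha256=$hash knownBad=$($KnownBadSha256 -contains $hash) sig=$($sig.Status) signer=$subject"
                    Flag   = ($KnownBadSha256 -contains $hash) -or ($subject -like "*$SignerHint*")
                })
            }
    }

    # 2. RunOnce persistence. HKCU only covers the user running this script; enumerate
    #    other profiles under HKEY_USERS if you need full coverage.
    $runOnceKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runOnceKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # skip provider metadata, keep real values
            if ("$($p.Value)" -match '(?i)pulse\.exe|pulse secure') {
                $findings.Add([pscustomobject]@{
                    Check = 'RunOnce'; Item = "$key\$($p.Name)"; Detail = "$($p.Value)"; Flag = $true
                })
            }
        }
    }

    # 3. Live connections to the listed C2 address (exfiltration is HTTP POST to :8080).
    Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'C2Connection'; Item = "$($_.RemoteAddress):$($_.RemotePort)"
            Detail = "state=$($_.State) pid=$($_.OwningProcess)"; Flag = $true
        })
    }
    return $findings
}

$results = @(Invoke-Storm2561Hunt)
if ($results.Count -eq 0) { Write-Host 'No Storm-2561 artefacts found on this host.' }
else { $results | Format-Table -AutoSize -Wrap }
```

A legitimate Pulse Secure / Ivanti install also places files under Common Files, so a hit on file name alone is only a lead; the Flag column is set only when the hash matches the IOC list or the signer matches the name in the advisory. The RunOnce check matches on the value data rather than the value name, because the actor controls the name.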

IOCs:

SHA-256: 57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f
SHA-256: 862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557
SHA-256: 6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6
SHA-256: 6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca
SHA-256: 85c4837e3337165d24c6690ca63a3274dfaaa03b2ddaca7f1d18b3b169c6aac1
SHA-256: 98f21b8fa426fc79aa82e28669faac9a9c7fce9b49d75bbec7b60167e21963c9
SHA-256: cfa4781ebfa5a8d68b233efb723dbde434ca70b2f76ff28127ecf13753bfe011
SHA-256: 26db3fd959f12a61d19d102c1a0fb5ee7ae3661fa2b301135cdb686298989179
SHA-256: 44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8
SHA-256: eb8b81277c80eeb3c094d0a168533b07366e759a8671af8bfbe12d8bc87650c9
SHA-256: 8ebe082a4b52ad737f7ed33ccc61024c9f020fd085c7985e9c90dc2008a15adc
IP: 194.76.226[.]93
Domain: checkpoint-vpn[.]com
Domain: cisco-secure-client[.]es
Domain: forticlient-for-mac[.]com
Domain: forticlient-vpn[.]de
Domain: forticlient-vpn[.]fr
Domain: forticlient-vpn[.]it
Domain: forticlient[.]ca
Domain: forticlient.co[.]uk
Domain: forticlient[.]no
Domain: fortinet-vpn[.]com
Domain: ivanti-vpn[.]org
Domain: ivanti-secure-access[.]de
Domain: ivanti-pulsesecure[.]com
Domain: sonicwall-netextender[.]nl
Domain: sophos-connect[.]org
Domain: vpn-fortinet[.]com
Domain: watchguard-vpn[.]com
Domain: vpn-connection[.]pro
Domain: myconnection[.]pro
URL: hxxps://github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip
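The network indicators above are defanged, so they have to be refanged before they can be matched against telemetry. The following script is an added example for this advisory, not part of the Microsoft or Ampcus Cyber material: it refangs the list and runs it over proxy log lines. The log lines are constructed for the example and their field layout (src=, method=, host=, path=) is an assumption; adapt the matching to your own log format.

```powershell
# Added example (not from the advisory): refang the defanged network IOCs and match them
# against proxy log lines. Sample log lines below are constructed, not real telemetry.

$DefangedIocs = @(   # copied from the IOC section of this advisory
    'IP:194.76.226[.]93',
    'Domain:checkpoint-vpn[.]com',
    'Domain:cisco-secure-client[.]es',
    'Domain:forticlient-for-mac[.]com',
    'Domain:forticlient-vpn[.]de',
    'Domain:forticlient-vpn[.]fr',
    'Domain:forticlient-vpn[.]it',
    'Domain:forticlient[.]ca',
    'Domain:forticlient.co[.]uk',
    'Domain:forticlient[.]no',
    'Domain:fortinet-vpn[.]com',
    'Domain:ivanti-vpn[.]org',
    'Domain:ivanti-secure-access[.]de',
    'Domain:ivanti-pulsesecure[.]com',
    'Domain:sonicwall-netextender[.]nl',
    'Domain:sophos-connect[.]org',
    'Domain:vpn-fortinet[.]com',
    'Domain:watchguard-vpn[.]com',
    'Domain:vpn-connection[.]pro',
    'Domain:myconnection[.]pro',
    'URL:hxxps://github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip'
)

function ConvertFrom-DefangedIoc {
    # Returns Type, the refanged Value, and a case-insensitive regex Pattern for log matching.
    param([Parameter(Mandatory)][string]$Indicator)
    $type, $raw = $Indicator -split ':', 2
    $value = ($raw -replace '\[\.\]', '.') -replace '^hxxp', 'http'
    switch ($type) {
        'URL' {
            # github.com itself is not blockable; match the release path instead.
            $pattern = '(?i)' + [regex]::Escape(([uri]$value).AbsolutePath)
        }
        'IP' {
            # Whole address only: no digits, dots or dashes on either side.
            $pattern = '(?i)(?<![\w.-])' + [regex]::Escape($value) + '(?![\w.-])'
        }
        default {
            # Allow subdomains (a leading dot) but not forticlient.ca inside forticlient.ca.example.
            $pattern = '(?i)(?<![\w-])' + [regex]::Escape($value) + '(?![\w.-])'
        }
    }
    [pscustomobject]@{ Type = $type; Value = $value; Pattern = $pattern }
}

function Find-IocHits {
    param([string[]]$LogLines, [string[]]$Iocs = $DefangedIocs)
    $compiled = $Iocs | ForEach-Object { ConvertFrom-DefangedIoc $_ }
    foreach ($line in $LogLines) {
        foreach ($ioc in $compiled) {
            if ($line -match $ioc.Pattern) {
                [pscustomobject]@{ Type = $ioc.Type; Indicator = $ioc.Value; Line = $line }
            }
        }
    }
}

# Constructed sample proxy lines. Lines 1-3 should hit (lure domain, GitHub-hosted ZIP,
# HTTP POST to the C2 on :8080); line 4 is a legitimate vendor download and should not.
$SampleLogLines = @(
    '2026-03-13T10:02:11Z src=10.0.4.21 method=GET host=forticlient-vpn.de path=/download status=200',
    '2026-03-13T10:02:40Z src=10.0.4.21 method=GET host=github.com path=/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip status=200',
    '2026-03-13T10:05:03Z src=10.0.4.21 method=POST host=194.76.226.93:8080 path=/ status=200',
    '2026-03-13T10:06:15Z src=10.0.4.33 method=GET host=www.fortinet.com path=/support/product-downloads status=200'
)

Find-IocHits -LogLines $SampleLogLines | Format-Table -AutoSize -Wrap
```

Pipe `Get-Content proxy.log` into `-LogLines` for real data. The boundary assertions matter: a plain substring match on `forticlient.ca` would also fire on an unrelated host such as `forticlient.ca.example`, while the pattern used here still catches subdomains of a listed domain.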

Source:

  • https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft/


Ampcus Cyber