Microsoft Defender Experts identified a credential theft campaign in mid-January 2026 that uses fake VPN clients distributed through SEO poisoning, attributed to the cybercriminal threat actor Storm-2561. Active since May 2025, Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors.
The campaign steers users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites, which deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. The financially motivated group impersonates Fortinet, Ivanti, Cisco, and other vendors to steal corporate credentials. When users search for queries such as 'Pulse VPN download' or 'Pulse Secure client', malicious websites are pushed to the top of the results; Microsoft observed spoofed domains including vpn-fortinet.com and ivanti-vpn.org.
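The lookalike domains above are the part of this campaign a proxy or DNS log can catch before any installer runs. The following script is an added example, not code from Microsoft or the report: it scans constructed proxy log lines for installer downloads (ZIP, MSI, EXE) whose URL names a VPN vendor but is served from a domain other than that vendor's own. The allowlist of official domains is an assumption to be replaced with the organisation's verified values, and the two spoofed domains in the sample lines are the ones named in the report.

```python
"""Flag VPN installer downloads from vendor-lookalike or third-party domains.

Added example (not from the Microsoft report). The proxy log lines are
constructed, and the allowlist of official vendor domains is assumed.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Constructed sample proxy log: timestamp, user, method, URL, HTTP status.
SAMPLE_LOG = """\
2026-01-14T09:12:01Z alice GET https://www.fortinet.com/support/product-downloads 200
2026-01-14T09:13:44Z bob GET https://vpn-fortinet.com/download/FortiClientSetup.zip 200
2026-01-14T09:15:02Z carol GET https://ivanti-vpn.org/files/PulseSecureClient.zip 200
2026-01-14T09:16:30Z dave GET https://www.ivanti.com/products/secure-access 200
2026-01-14T09:18:11Z erin GET https://github.com/example-user/pulse-vpn/raw/main/PulseSecure.zip 200
2026-01-14T09:20:00Z frank GET https://intranet.example.internal/wiki/vpn-setup 200
2026-01-14T09:21:15Z grace GET https://support.fortinet.com/Download/FortiClientOnlineInstaller.zip 200
"""

# Assumed allowlist: vendor/product keyword -> registrable domains that may
# legitimately serve that vendor's installers. Verify before deploying.
OFFICIAL_DOMAINS: dict[str, set[str]] = {
    "fortinet": {"fortinet.com"},
    "forticlient": {"fortinet.com"},
    "ivanti": {"ivanti.com"},
    "pulse": {"ivanti.com"},
    "cisco": {"cisco.com"},
    "anyconnect": {"cisco.com"},
    "sonicwall": {"sonicwall.com"},
    "sophos": {"sophos.com"},
    "checkpoint": {"checkpoint.com"},
    "watchguard": {"watchguard.com"},
}

# Code-sharing and file-hosting domains a vendor installer should never come from.
THIRD_PARTY_HOSTS = {"github.com", "githubusercontent.com"}

INSTALLER_SUFFIXES = (".zip", ".msi", ".exe")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). A real deployment should use the
    Public Suffix List, e.g. via the tldextract package, to handle co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matched_vendors(url: str) -> set[str]:
    """Vendor keywords that appear anywhere in the URL (host or path)."""
    text = url.lower()
    return {keyword for keyword in OFFICIAL_DOMAINS if keyword in text}


def classify_download(url: str) -> str | None:
    """Return a reason string if the URL is a suspicious vendor installer download."""
    parsed = urlparse(url)
    if not parsed.path.lower().endswith(INSTALLER_SUFFIXES):
        return None  # not an installer download
    vendors = matched_vendors(url)
    if not vendors:
        return None  # no VPN vendor referenced
    domain = registrable_domain(parsed.hostname or "")
    allowed = set().union(*(OFFICIAL_DOMAINS[v] for v in vendors))
    if domain in allowed:
        return None  # served from the vendor's own domain
    if domain in THIRD_PARTY_HOSTS:
        return "vendor installer served from third-party hosting"
    return "vendor installer served from lookalike domain"


def scan_log(log_text: str) -> list[dict]:
    """Run classify_download over each log line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        timestamp, user, _method, url, _status = parts[:5]
        reason = classify_download(url)
        if reason:
            findings.append({"time": timestamp, "user": user, "url": url,
                             "vendors": sorted(matched_vendors(url)),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['user']}: {finding['reason']} "
              f"({', '.join(finding['vendors'])}) {finding['url']}")
```

On the sample data this flags bob and carol (the two spoofed domains from the report) and erin (a vendor-named ZIP pulled from GitHub, which matches the hosting pattern the report describes), while grace's download from the vendor's own domain passes. The check deliberately keys on vendor keywords plus registrable domain rather than on a blocklist, so new lookalike domains are caught without a signature update.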
Each attacker-controlled GitHub repository hosts a ZIP file containing a Microsoft Windows Installer (MSI) package that mimics legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation. One DLL acts as an in-memory loader; the other, inspector.dll, is a variant of the Hyrax infostealer that extracts stored VPN credentials and URI data and exfiltrates them to attacker-controlled infrastructure.
A fake but convincing VPN sign-in dialog is displayed to capture the user's credentials; once the information is entered, victims are shown an error message and instructed to download the legitimate VPN client. In some cases they are redirected to the legitimate VPN website. If users then install and use the legitimate VPN software and the connection works as expected, there are no indications of compromise visible to the end user, who is likely to attribute the initial installation failure to technical issues rather than malware.
The malicious components are digitally signed with a legitimate certificate issued to "Taiyuan Lihua Near Information Technology Co., Ltd.", which has since been revoked. The malicious ZIP files containing the fake installers were hosted on GitHub repositories that have since been taken down.
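Because the certificate was valid at the time the trojan was being distributed, a check that only asks "is this file signed?" would have passed inspector.dll. The script below is an added example, not part of the report or any vendor tooling: it triages an export of Authenticode results for files under VPN client install directories and flags any DLL or EXE whose signature status is not Valid, or whose signer is not the publisher expected for that product. The rows are constructed (they could in practice be exported from PowerShell's Get-AuthenticodeSignature), the expected-publisher table holds assumed placeholder names, and only the file name inspector.dll and its signer come from the report.

```python
"""Triage Authenticode signature results for installed VPN clients.

Added example, not from the Microsoft report. The CSV rows are constructed;
the install-directory -> expected-publisher table holds assumed placeholders
that must be replaced with the organisation's verified signer names.
"""
from __future__ import annotations

import csv
import io

# Assumed allowlist: install directory -> signer common names expected under it.
EXPECTED_PUBLISHERS: dict[str, set[str]] = {
    r"C:\Program Files\Pulse Secure": {"Pulse Secure LLC (assumed)"},
    r"C:\Program Files\Fortinet": {"Fortinet Inc (assumed)"},
}

# Constructed sample export (Path, Status, SignerCN). Only inspector.dll and its
# signer name are taken from the report; every other value is a placeholder.
SAMPLE_EXPORT = r"""
Path,Status,SignerCN
C:\Program Files\Pulse Secure\Pulse\PulseClient.exe,Valid,Pulse Secure LLC (assumed)
C:\Program Files\Pulse Secure\Pulse\inspector.dll,Valid,"Taiyuan Lihua Near Information Technology Co., Ltd."
C:\Program Files\Pulse Secure\Pulse\helper.dll,NotSigned,
C:\Program Files\Fortinet\FortiClient\FortiClient.exe,Valid,Fortinet Inc (assumed)
C:\Windows\System32\kernel32.dll,Valid,Microsoft Windows
"""

BINARY_SUFFIXES = (".dll", ".exe")


def product_dir(path: str) -> str | None:
    """Return the monitored install directory containing `path`, if any."""
    low = path.lower()
    for prefix in EXPECTED_PUBLISHERS:
        if low.startswith(prefix.lower() + "\\"):
            return prefix
    return None


def check_row(row: dict[str, str]) -> str | None:
    """Return a finding for one exported row, or None if it looks as expected.

    Order of checks matters: an unsigned or tampered file is reported first,
    and a *valid* signature is then still compared against the expected
    publisher, which is what catches a side-loaded DLL signed with someone
    else's (possibly later-revoked) certificate.
    """
    path = row["Path"]
    prefix = product_dir(path)
    if prefix is None:
        return None  # not under a monitored VPN install directory
    if not path.lower().endswith(BINARY_SUFFIXES):
        return None
    if row["Status"] != "Valid":
        return f"signature status {row['Status'] or 'missing'}"
    if row["SignerCN"] not in EXPECTED_PUBLISHERS[prefix]:
        return f"valid signature from unexpected publisher '{row['SignerCN']}'"
    return None


def audit_signatures(csv_text: str) -> list[dict[str, str]]:
    """Parse the export and collect one finding per suspicious binary."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reason = check_row(row)
        if reason:
            findings.append({"path": row["Path"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_signatures(SAMPLE_EXPORT):
        print(f"{finding['path']}: {finding['reason']}")
```

On the sample rows the legitimately signed client binaries pass, inspector.dll is flagged for carrying a valid signature from a publisher that has no business signing files in that product's directory, and the unsigned helper DLL is flagged on status. Files outside the monitored directories are ignored so the check stays quiet on system binaries.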
Security researchers have noted that infostealers are increasingly paired with remote access trojans, giving attackers both stolen credentials and persistent network access from a single infection; Storm-2561 follows that pattern precisely.
The primary security recommendation is to enforce multi-factor authentication (MFA) on all accounts, ensuring users are removed from MFA exclusions and requiring MFA from all devices everywhere at all times. Organisations should remind employees not to store workplace credentials in browsers or password vaults secured with personal credentials. Microsoft has taken down the attacker-controlled GitHub repositories and revoked the legitimate certificate to neutralise the operation.
Organisations using Fortinet, Ivanti, Cisco, SonicWall, Sophos, Check Point, and WatchGuard VPN products should review their security controls and alert users to the risks of downloading software from untrusted sources, even when search results appear legitimate. The campaign underscores the critical importance of obtaining software directly from vendors and implementing additional security layers to intercept credential theft attempts.