Storm-2561's attack chain begins with SEO poisoning, which pushes spoofed websites to the top of search engine results for queries such as "Pulse VPN download" or "Pulse Secure client". When a user visits these malicious sites, which impersonate major vendors such as Fortinet, Ivanti, and others, they are prompted to download a ZIP file. In this recent campaign, these files were hosted on attacker-controlled GitHub repositories.
Upon execution, the embedded Microsoft Windows Installer (MSI) drops executables alongside malicious dynamic link libraries (DLLs) into a directory structure that closely mimics a legitimate installation path. The installation side-loads these malicious DLLs, launching a variant of the Hyrax infostealer. To bypass security warnings, avoid raising user suspicion, and evade detection tools, the malware is digitally signed with a now-revoked certificate belonging to "Taiyuan Lihua Near Information Technology Co., Ltd."
The counterfeit client presents a highly convincing user interface to capture login details. Once credentials are submitted, it displays a fake error message and instructs the user to download the genuine VPN software from official sources, effectively masking the compromise and evading further suspicion. Stolen data is then exfiltrated to attacker-controlled command-and-control (C2) infrastructure, whilst system persistence is established via the Windows RunOnce registry key.
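The RunOnce persistence and the revoked-certificate signing described above are both things a defender can audit directly on an endpoint. The following PowerShell script is an added hunting example (not from the advisory or the threat-intel vendor): it enumerates the user and machine RunOnce keys, resolves the executable each entry launches, and reports entries that live outside the expected installation roots or whose Authenticode signature is not currently Valid. The list of trusted roots is an assumption for this example, and revocation checking by Get-AuthenticodeSignature depends on the host being able to reach the CA's CRL/OCSP endpoints, so the signer subject is surfaced as well for manual comparison against the signer named in the advisory.

```powershell
# Added hunting example (not the advisory's own tooling): audit RunOnce persistence
# and the Authenticode status of whatever each entry launches.
# Assumptions: runs with rights to read both hives; the "trusted install roots"
# below are an assumption chosen for this example, adjust to your estate.

$RunOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$TrustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")

function Get-CommandExecutable {
    param([string]$CommandLine)
    # Pull the program path out of a RunOnce command line; handles quoted paths.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-RunOnceFindings {
    foreach ($key in $RunOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandExecutable $cmd))
            $inTrustedRoot = $TrustedRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            # Get-AuthenticodeSignature reports NotSigned/NotTrusted/HashMismatch etc.;
            # only 'Valid' means the chain currently verifies on this host.
            $sig = if (Test-Path $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                Hive          = $key
                ValueName     = $name
                Executable    = $exe
                FileExists    = [bool](Test-Path $exe)
                InTrustedRoot = [bool]$inTrustedRoot
                SigStatus     = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
                Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Flag anything outside the expected roots or without a currently valid signature
                Suspicious    = (-not $inTrustedRoot) -or (-not $sig) -or ($sig.Status -ne 'Valid')
            }
        }
    }
}

# Print only the entries worth an analyst's attention; drop the filter to see everything.
Get-RunOnceFindings | Where-Object Suspicious | Format-Table -AutoSize
```

RunOnce values are deleted by Windows once they execute, so run this before the next logon or collect the keys as part of triage imaging rather than relying on a later scan.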
Mitigations:
- Enable Cloud-Delivered Protection: Turn on cloud-delivered protection in your antivirus product to leverage cloud-based machine learning that can block rapidly evolving attacker tools and unknown malware variants.
- Utilise EDR in Block Mode: Run Endpoint Detection and Response (EDR) in block mode. This ensures that malicious artefacts are automatically remediated upon detection post-breach, even if the primary antivirus is in passive mode or fails to detect the initial threat.
- Activate Network and Web Protection: Enable network and web protection features on all endpoints to prevent users from navigating to malicious domains and to block the malware from communicating with known C2 infrastructure.
Recommendations:
- Web Browser Security: Encourage staff to utilise web browsers that support robust security and filtering features to identify and block malicious phishing sites, scam websites, and malware-hosting domains.
- Enforce Strict MFA: Implement and enforce Multi-Factor Authentication (MFA) across all accounts. Remove any user exclusions and always require MFA from all devices and locations so that stolen credentials alone are useless.
- Credential Hygiene: Educate employees on the dangers of credential theft and remind them that enterprise or workplace credentials should never be stored in web browsers.
- Secure Software Procurement: Instruct staff to only download enterprise software and VPN clients directly from official, verified vendor websites or managed internal corporate portals, completely avoiding reliance on search engine links for software downloads.