Storm-2561 Uses Fake Fortinet, Ivanti VPN Sites to Drop Hyrax Infostealer
Summary
Storm-2561 threat group is conducting a sophisticated SEO poisoning campaign to distribute the Hyrax infostealer through fake Fortinet and Ivanti VPN download websites. The malware uses a legitimate digital certificate to bypass Windows security warnings and masquerades as trusted VPN software to steal user credentials. Once deployed, the malware collects login credentials while displaying a fake error message and redirecting users to legitimate VPN sites to avoid detection.
Full text
By Deeba Ahmed, March 17, 2026

In mid-January 2026, Microsoft Defender Experts identified a devious way that cybercriminals are tricking people into giving away their private information. A group known as Storm-2561 has been setting up fake websites that look exactly like official download pages for popular office software, specifically Virtual Private Networks (VPNs). As we know, a VPN is a tool many of us use to stay secure online. Ironically, the attackers are using this trust against us.

This group reportedly uses a trick called SEO poisoning, which simply means they manipulate search engine results so that when you search for terms like “Pulse VPN download”, their fake, malicious website appears right at the top of your search results.

How the Trick Works

According to Microsoft Threat Intelligence researchers, users are led to websites like vpn-fortinet.com and ivanti-vpn.org. These sites offer a download that looks legitimate but is actually a malicious ZIP file hosted on GitHub repositories. Further investigation revealed that these files contain a Trojan that masquerades as a trusted VPN client.

Researchers noted that the software was digitally signed by a certificate from Taiyuan Lihua Near Information Technology Co., Ltd. This signature acts like a digital stamp of approval that usually tells your computer a program is safe. By using a real certificate, which has since been revoked, the hackers were able to “bypass default Windows security warnings” and make the installation look official.

[Figure: Fake Fortinet VPN site and the infection chain (Image credit: Microsoft)]

Hidden Malware and Stolen Data

As per the official Microsoft security blog post, the installer places files into a folder named %CommonFiles%\Pulse Secure, which is the same location a real VPN would use. This helps the malware “blend in with legitimate VPN software to appear trustworthy” and avoid any immediate suspicion. Once the fake VPN is opened, it looks exactly like the real thing and asks for your username and password. Instead of connecting you to the internet, it uses a variant of an infostealer called Hyrax to steal your details and send them to the hackers’ own servers.

To keep the scam hidden, the program shows a fake error message and then helpfully points you to the real website to download the actual software. Because the real VPN eventually works, most people never realise they were hacked.

To protect your data, it is best practice to download software directly from official company websites rather than clicking the first link you see in a search.
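As an added example that is not part of the Hackread article or of Microsoft's report, the Python script below hunts web-proxy logs for the delivery chain described in the two sections above: a visit to one of the lure domains that arrives from a search-engine referer (the SEO poisoning step), and a ZIP download from GitHub referred by a lure domain (the payload step). It then lists clients that completed both steps. The log line format, the sample lines, the client addresses, the search-engine and GitHub host lists and the GitHub path are all constructed for this example; only the two lure domains come from the page.

```python
"""Hunt web-proxy logs for the Storm-2561 lure -> GitHub ZIP delivery chain.

Added example, not code from the article or from Microsoft. The log format is a
constructed one: '<timestamp> <client> <method> <url> <referer> <status>'.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Lure domains reported by Microsoft (listed on this page as IoCs).
IOC_DOMAINS = {"vpn-fortinet.com", "ivanti-vpn.org"}
# Hosts from which a GitHub-hosted ZIP would be fetched (assumed list).
GITHUB_HOSTS = {"github.com", "objects.githubusercontent.com", "codeload.github.com"}
# Referers that show the user came from a search results page (assumed list).
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed sample traffic; 10.0.0.5 walks the full chain, the others are benign.
SAMPLE_LOG = """\
# constructed sample, not real traffic
2026-01-14T09:01:02Z 10.0.0.5 GET https://www.google.com/search?q=pulse+vpn+download - 200
2026-01-14T09:01:09Z 10.0.0.5 GET https://vpn-fortinet.com/download https://www.google.com/search?q=pulse+vpn+download 200
2026-01-14T09:01:15Z 10.0.0.5 GET https://github.com/example-user/releases/PulseSecure.zip https://vpn-fortinet.com/download 200
2026-01-14T09:05:40Z 10.0.0.9 GET https://github.com/python/cpython/archive/main.zip https://github.com/python/cpython 200
2026-01-14T09:06:02Z 10.0.0.7 GET https://www.fortinet.com/support/product-downloads https://www.bing.com/search?q=fortinet+vpn 200
""".splitlines()


@dataclass
class ProxyEvent:
    ts: str
    client: str
    url: str
    referer: str


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when the field is empty or '-'."""
    if not url or url == "-":
        return ""
    return (urlparse(url).hostname or "").lower()


def matches(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str) -> ProxyEvent:
    """Parse one proxy line in the constructed six-field format."""
    ts, client, _method, url, referer, _status = line.split()
    return ProxyEvent(ts, client, url, referer)


def classify(ev: ProxyEvent) -> list:
    """Return the names of the detection rules one event triggers."""
    host, ref = host_of(ev.url), host_of(ev.referer)
    hits = []
    if matches(host, IOC_DOMAINS):
        hits.append("ioc_domain")
        if matches(ref, SEARCH_HOSTS):
            hits.append("seo_lure")  # reached the fake VPN site from search results
    is_zip = urlparse(ev.url).path.lower().endswith(".zip")
    if matches(host, GITHUB_HOSTS) and is_zip and matches(ref, IOC_DOMAINS):
        hits.append("zip_from_lure")  # ZIP payload pulled from GitHub via the lure site
    return hits


def hunt(lines):
    """Classify every line and flag clients that completed lure visit -> ZIP download."""
    findings = []
    lured, downloaded = set(), set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the constructed-sample comment
        ev = parse_line(line)
        for rule in classify(ev):
            findings.append((ev.ts, ev.client, rule, ev.url))
            if rule == "ioc_domain":
                lured.add(ev.client)
            elif rule == "zip_from_lure":
                downloaded.add(ev.client)
    return findings, sorted(lured & downloaded)


if __name__ == "__main__":
    found, chain_clients = hunt(SAMPLE_LOG)
    for ts, client, rule, url in found:
        print(f"{ts} {client} {rule:14} {url}")
    print("clients that completed the full chain:", chain_clients)
```

The rules are deliberately narrow: a plain GitHub ZIP download (the 10.0.0.9 line) is ignored unless its referer is a lure domain, and the search-engine referer is only meaningful when the destination is itself a lure domain. On hosts that show up in the chain, the complementary check is the artefact the article names: anything under %CommonFiles%\Pulse Secure whose Authenticode signer is the Taiyuan Lihua Near Information Technology Co., Ltd. certificate (now revoked) rather than the genuine vendor's.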
Indicators of Compromise
- domain — vpn-fortinet.com
- domain — ivanti-vpn.org
- malware — Hyrax