Threat Actor Targeting VPN Users in New Credential Theft Campaign
Storm-2561 is conducting a credential theft campaign targeting VPN users through SEO poisoning and fake VPN clients signed with a legitimate certificate. The attack distributes trojans impersonating Pulse Secure and other VPN software via malicious GitHub repositories, stealing login credentials and VPN information via the Hyrax information stealer.
Summary
Storm-2561 is conducting a credential theft campaign targeting VPN users through SEO poisoning and fake VPN clients signed with a legitimate certificate. The attack distributes trojans impersonating Pulse Secure and other VPN software via malicious GitHub repositories, stealing login credentials and VPN information via the Hyrax information stealer.
Full text
A threat actor tracked as Storm-2561 has been targeting VPN users in a new credential theft campaign, Microsoft reports. Active since at least May 2025, Storm-2561 is known for using search engine optimization (SEO) poisoning for malware distribution and for impersonating popular software vendors to attract victims to malicious websites. The newly observed campaign started in mid-January, aimed at luring individuals looking for VPN software into downloading trojans that have been signed with a legitimate digital certificate to evade detection. Not only did the threat actor abuse users’ trust in search engine rankings, but they also hosted the malicious payloads on GitHub repositories, further increasing the chances of successful infections. In the repositories associated with the campaign, which have been removed, Storm-2561 hosted a ZIP file containing an MSI installer file posing as the legitimate VPN software Pulse Secure. Using SEO poisoning, the threat actor ensured that victims searching for ‘Pulse VPN download’ or ‘Pulse Secure client’ would receive malicious results at the top of the search page. Other brands were also impersonated as part of the campaign, Microsoft says.Advertisement. Scroll to continue reading. Users clicking on a poisoned result were taken to a malicious download website, but the payload was served as the ZIP archive fetched from GitHub. During installation, the MSI inside the ZIP file sideloaded a DLL to drop and launch a variant of the Hyrax information stealer that would collect URI and VPN credentials and exfiltrate them to an attacker-controlled command-and-control (C&C) server. Both the MSI and the DLL were signed with a valid certificate from Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked. Other files signed with the same certificate were also identified, all posing as VPN applications. The fake VPN client installed in this attack mimicked the legitimate application, displaying a GUI that prompted the victim to introduce their credentials. The login information was immediately sent to the attacker’s C&C server. The MSI installed was also observed establishing persistence through the Windows RunOnce registry key by adding the fake VPN application to startup. After collecting the victims’ credentials, the fake software displayed an installation error message, providing instructions on how to download the legitimate Pulse VPN client, and, in certain instances, opening the browser to the legitimate VPN website. “If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user. Users are likely to attribute the initial installation failure to technical issues, not malware,” Microsoft notes. Related: Cloned AI Tool Sites Distribute Malware in ‘InstallFix’ Campaign Related: ‘SolyxImmortal’ Information Stealer Emerges Related: Infostealer Malware Delivered in EmEditor Supply Chain Attack Related: SonicWall SSL VPN Accounts in Attacker Crosshairs Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Bold Security Emerges From Stealth With $40 Million in FundingGoogle Paid Out $17 Million in Bug Bounty Rewards in 2025Onyx Security Launches With $40 Million in FundingChrome 146 Update Patches Two Exploited Zero-DaysAlly WordPress Plugin Flaw Exposes Over 200,000 Websites to AttacksSplunk, Zoom Patch Severe VulnerabilitiesCisco Patches High-Severity IOS XR VulnerabilitiesCritical N8n Vulnerabilities Allowed Server Takeover Latest News Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential ImpactSecurity Firm Executive Targeted in Sophisticated Phishing AttackChina-Linked Hackers Hit Asian Militaries in Patient Espionage OperationForceMemo: Python Repositories Compromised in GlassWorm AftermathHacking Attempt Reported at Poland’s Nuclear Research CenterLoblaw Data Breach Impacts Customer InformationCritical HPE AOS-CX Vulnerability Allows Admin Password ResetsStarbucks Data Breach Impacts Employees Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security and Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the MoveThe US Senate has confirmed Army Lt. Gen. Joshua Rudd to lead NSA and CYBERCOM.Business software company Rippling has appointed Adrian Ludwig as CSO.Orca Security has named Rachel Nislick as Chief Marketing Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- malware — Hyrax
- malware — Storm-2561