Microsoft threat intelligence has identified a targeted campaign by the group Storm-2561 that abuses search engines and fake corporate VPN download pages to distribute the Hyrax infostealer. The operation specifically targets organizations relying on remote access solutions from Ivanti, Cisco, Fortinet and other major VPN and firewall vendors, putting corporate networks at risk of covert compromise.
SEO poisoning: fake VPN download sites in top search results
A defining characteristic of this campaign is the use of SEO poisoning – the manipulation of search engine optimization techniques to make malicious websites rank highly for popular queries. Storm-2561 operators register domains that closely resemble legitimate VPN vendor sites, then optimize them to appear for search terms such as “Pulse VPN download” or “Pulse Secure client”.
When users search for VPN clients, they may be directed not to the official vendor domain, but to a carefully cloned page. The branding, layout, logos and copy on these phishing sites are designed to closely mirror genuine portals, reducing suspicion and increasing the likelihood that administrators and employees will download the malicious installer.
Impersonated VPN and firewall vendors: Ivanti, Cisco, Fortinet and more
Analysis of Storm-2561’s infrastructure shows that the group does not focus on a single product. Instead, it registers multiple deceptive domains imitating well-known security providers, including Sophos, SonicWall, Ivanti, Check Point, Cisco, WatchGuard and other vendors of corporate VPN and firewall solutions.
This multi-vendor impersonation strategy enables the attackers to reach a broader pool of targets: IT administrators, helpdesk staff and end users who search for VPN clients or updates on their own, rather than following internal software distribution processes.
Attack chain: trojanized VPN installer delivering Hyrax infostealer
The fake VPN websites redirect victims to a GitHub repository (now removed) hosting a ZIP archive containing a malicious .msi installer. Once executed, this installer initiates a multi-stage infection sequence that blends in with legitimate software behavior.
The installer performs several key actions:
- Creates a file named Pulse.exe in the %CommonFiles%\Pulse Secure directory, mimicking a legitimate Pulse Secure VPN client.
- Deploys a malicious loader component dwmapi.dll, likely relying on DLL side-loading to bypass security controls.
- Drops and runs a modified variant of the Hyrax infostealer, stored as inspector.dll.
The fake VPN client then presents a convincing login interface and prompts the user for credentials. Entered usernames and passwords are silently intercepted and exfiltrated to attacker-controlled servers. In addition, the malware extracts VPN connection configuration data from the connectionsstore.dat file used by the legitimate Pulse Secure client, giving Storm-2561 detailed knowledge of the victim’s remote access setup.
Abuse of revoked code-signing certificates
Microsoft reports that components in this attack chain were signed with a genuine but revoked digital certificate belonging to Taiyuan Lihua Near Information Technology. While the certificate is no longer trusted by modern validation mechanisms, some systems and users may still treat signed binaries as inherently more trustworthy, making detection and manual scrutiny less likely.
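As an added illustration (not code from Microsoft's report or from any of the vendors named), the following Python triage routine scores simplified endpoint events against the indicators in the attack chain above and the revoked-signature point in this section. The event schema, field names and sample telemetry are constructed for the example and do not correspond to a real EDR or Sysmon format.

```python
import ntpath

SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SIDELOAD_DLL = "dwmapi.dll"          # loader component named in the report
PAYLOAD_DLL = "inspector.dll"        # stored Hyrax infostealer variant
VPN_CONFIG = "connectionsstore.dat"  # legitimate Pulse Secure connection store

def _name(path):
    return ntpath.basename(path).lower()

def _dir(path):
    return ntpath.dirname(path).lower()

def triage_event(ev):
    """Return (rule, detail) findings for one constructed event dict: keys kind,
    image, optional target path, optional sig_status of the acting process."""
    kind, image, target = ev["kind"], ev["image"], ev.get("target", "")
    sig = ev.get("sig_status", "Unknown").lower()
    findings = []
    # Rule 1: a DLL that belongs in System32 resolved from the app directory.
    if (kind == "ImageLoad" and _name(target) == SIDELOAD_DLL
            and _dir(target) not in SYSTEM_DLL_DIRS):
        findings.append(("sideload", f"{SIDELOAD_DLL} loaded from {_dir(target)}"))
    # Rule 2: the stealer component written to disk, whatever the directory.
    if kind == "FileCreate" and _name(target) == PAYLOAD_DLL:
        findings.append(("payload", f"{PAYLOAD_DLL} written by {image}"))
    # Rule 3: revoked signer; revocation only bites if CRL/OCSP is checked.
    if kind == "ProcessCreate" and sig == "revoked":
        findings.append(("revoked-cert", f"{image} started with revoked signature"))
    # Rule 4: VPN connection store read by anything but a validly signed binary.
    if kind == "FileRead" and _name(target) == VPN_CONFIG and sig != "valid":
        findings.append(("vpn-config-access", f"{image} read {VPN_CONFIG}"))
    return findings

def triage(events):
    return [f for ev in events for f in triage_event(ev)]

# Constructed sample telemetry (not real logs) mirroring the described chain.
FAKE_DIR = r"C:\Program Files\Common Files\Pulse Secure"
FAKE_CLIENT = FAKE_DIR + r"\Pulse.exe"
SAMPLE_EVENTS = [
    {"kind": "ProcessCreate", "image": FAKE_CLIENT, "sig_status": "Revoked"},
    {"kind": "ImageLoad", "image": FAKE_CLIENT, "target": FAKE_DIR + r"\dwmapi.dll"},
    {"kind": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\dwmapi.dll"},  # benign load, must not alert
    {"kind": "FileCreate", "image": FAKE_CLIENT, "target": FAKE_DIR + r"\inspector.dll"},
    {"kind": "FileRead", "image": FAKE_CLIENT, "sig_status": "Revoked",
     "target": r"C:\Users\alice\AppData\Roaming\Pulse Secure\connectionsstore.dat"},
]
```

Running triage(SAMPLE_EVENTS) yields one finding per malicious event and none for the benign System32 load.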
Social engineering and stealth: why victims rarely notice
After stealing credentials and VPN configuration data, the malicious installer displays what appears to be a routine installation error. It then automatically redirects the victim to the legitimate vendor site, where the user can download a genuine VPN client.
From the victim’s perspective, the incident looks like a minor technical glitch: the first installation “failed”, the second one from the official website “succeeded”. The user continues to operate normally, unaware that their VPN login and configuration are already in the attackers’ hands.
Industry reports, including the annual Verizon Data Breach Investigations Report (DBIR), consistently highlight compromised credentials as one of the primary enablers of successful breaches. The Storm-2561 campaign underscores the trend towards targeting VPN and system accounts, as they often provide direct, high-privilege access into corporate environments.
Impact for organizations: from VPN theft to full network compromise
Once attackers obtain working VPN credentials and tunnel configurations, they can authenticate as legitimate users and bypass perimeter defenses. This enables a range of follow-on activities:
- Establishing remote access into internal networks using stolen VPN profiles.
- Conducting lateral movement to additional systems and accounts.
- Exfiltrating sensitive data or deploying ransomware and other payloads.
Because access occurs through standard VPN channels with valid credentials, anomalous activity can be difficult to distinguish from normal remote work patterns, especially in organizations lacking strong behavioral monitoring and multi-factor authentication.
Microsoft’s security recommendations against fake VPN and SEO poisoning attacks
To mitigate the risks posed by Storm-2561 and similar campaigns, Microsoft advises organizations to adopt a layered defense strategy that combines technical controls and user awareness:
- Enable cloud-delivered protection in Microsoft Defender to receive up-to-date signatures, heuristics and indicators of compromise (IOCs) related to new malware families and campaigns.
- Run Endpoint Detection and Response (EDR) in block mode so that suspicious activity is not only detected but actively prevented, stopping malicious processes and quarantining files.
- Mandate multi-factor authentication (MFA) for VPN access and all critical systems, significantly reducing the value of stolen passwords alone.
- Use browsers and security tools with reputation-based protection (such as Microsoft SmartScreen) to warn users about untrusted URLs and downloads.
- Train users and administrators to download VPN clients and updates exclusively from official vendor domains, accessed via known bookmarks or internal portals, not from search results or third-party links.
Storm-2561’s operation demonstrates that even routine actions such as “search for VPN client download” can be weaponized through SEO poisoning and highly convincing phishing sites. Organizations should regularly review their remote access policies, centralize software distribution, strengthen authentication, and rely on modern endpoint and browser protections. Proactive detection and rapid response to these early-stage attacks can significantly reduce the likelihood of large-scale incidents within corporate networks.