Storm-2561 VPN Fake Installers via SEO Poisoning

Introduction

Microsoft Threat Intelligence has detailed a new Storm-2561 campaign that should be on every security team’s radar. By abusing search engine rankings, fake vendor-branded websites, and even valid code-signing certificates, the attackers are targeting users looking for trusted enterprise VPN software and stealing credentials before many organizations realize anything went wrong.

What’s new

Storm-2561 is distributing trojanized VPN installers through a convincing attack chain:

• Users search for legitimate VPN software such as Pulse Secure or Fortinet clients.
• Malicious, SEO-poisoned sites appear in search results and imitate trusted vendor download pages.
• Victims are redirected to ZIP files hosted on attacker-controlled GitHub repositories.
• The ZIP contains a malicious MSI installer and DLLs that mimic a real VPN deployment.
• The installer drops Pulse.exe and side-loads malicious DLLs including dwmapi.dll and inspector.dll.
• inspector.dll is identified as a variant of the Hyrax infostealer, which extracts VPN credentials and configuration data.

Microsoft also noted that the malware was signed with a legitimate certificate from “Taiyuan Lihua Near Information Technology Co., Ltd.” That certificate has since been revoked, but the use of valid signing reduced user suspicion and may have helped evade some defenses.

Attack behavior to know

The fake VPN client presents a realistic sign-in interface to capture credentials directly from the user. After submission:

• A fake installation or login failure is shown
• The user is prompted to download the real VPN client
• In some cases, the browser is opened to the legitimate vendor site

This post-compromise redirection is especially effective because users may later install the real software successfully and never suspect their credentials were already stolen.

The campaign also establishes persistence through the Windows RunOnce registry key and exfiltrates stolen data to attacker-controlled infrastructure.

Impact on IT administrators

For IT and security teams, this campaign highlights a growing risk: users no longer need to open phishing email attachments to be compromised. Simply searching for business software can lead to credential theft.

Organizations with remote access dependencies should be particularly concerned because stolen VPN credentials can enable unauthorized access, lateral movement, and follow-on attacks. The use of spoofed software branding and signed malware also increases the chance that end users will trust the installer.

Recommended actions

Administrators should take the following steps:

• Ensure Microsoft Defender Antivirus cloud-delivered protection is enabled
• Run EDR in block mode where supported
• Hunt for suspicious VPN-related installers, DLL side-loading, and RunOnce persistence
• Review outbound connections to known indicators and suspicious GitHub-hosted downloads
• Educate users to download VPN software only from approved corporate portals or vendor-verified sources
• Reset credentials and investigate devices if users report failed VPN installs followed by successful reinstallation

This is a strong reminder that search results can be part of the attack surface, and software trust signals alone are no longer enough.